Fix security vulnerabilities in dependencies #437
Apoorv Munshi (ap00rv) merged 1 commit into master from
Conversation
Update direct dependencies to resolve security vulnerabilities:

Root package.json:
- @mapbox/node-pre-gyp: ^1.0.11 → ^2.0.3 (fixes tar vulnerability)
- node-gyp: ^9.3.1 → ^11.0.0 (fixes tar vulnerability)

schemaregistry/package.json:
- @aws-sdk/client-kms: ^3.637.0 → ^3.975.0 (fixes @smithy/config-resolver)
- @aws-sdk/credential-providers: ^3.637.0 → ^3.975.0 (fixes @smithy/config-resolver)
- @azure/identity: ^4.4.1 → ^4.13.0 (fixes jws vulnerability)
- @google-cloud/kms: ^4.5.0 → ^5.2.1 (fixes jws vulnerability)
- node-gyp: ^9.3.1 → ^11.0.0 (fixes tar vulnerability)
- node-vault: ^0.10.2 → ^0.10.9 (latest version)

Vulnerabilities fixed:
- tar (CVE high severity) - arbitrary file overwrite
- jws (CVE high severity) - improper HMAC signature verification
- @smithy/config-resolver (low severity) - defense in depth enhancement
- qs (high severity) - DoS via memory exhaustion
- form-data (critical severity) - unsafe random function
- tough-cookie (moderate severity) - prototype pollution
- lodash (moderate severity) - prototype pollution
- js-yaml (moderate severity) - prototype pollution

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Pull request overview
Updates project dependencies to remediate reported security vulnerabilities (tar/jws/smithy-related) by bumping several direct packages and build tooling versions.
Changes:
- Bump node-gyp (devDependency) to a newer major version.
- Bump AWS SDK, Azure Identity, Google KMS libraries to newer versions.
- Bump @mapbox/node-pre-gyp and node-vault to newer versions.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| schemaregistry/package.json | Updates crypto/KMS-related SDK dependencies and node-gyp/node-vault to patched versions. |
| package.json | Updates native-build tooling dependencies (node-gyp, @mapbox/node-pre-gyp) to address tar-related vulnerabilities. |
| "jsdoc": "^4.0.2", | ||
| "mocha": "^10.7.0", | ||
| "node-gyp": "^9.3.1", | ||
| "node-gyp": "^11.0.0", |
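Review bot: node-gyp jumps two majors here (^9.3.1 → ^11.0.0), and a node-gyp major can raise the minimum Node.js and Python versions the native build requires; the PR's test plan only cites `npm audit`, so please confirm the native build was exercised on the CI platforms before merging.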
These are major-version bumps and currently use caret ranges, which can introduce additional unreviewed behavior changes on future npm install (outside the lockfile). For build tooling / native-binary tooling, consider pinning to an exact version (or at least using ~) to keep builds more reproducible and upgrades more deliberate.
| "node-gyp": "^11.0.0", | |
| "node-gyp": "11.0.0", |
| }, | ||
| "dependencies": { | ||
| "@mapbox/node-pre-gyp": "^1.0.11", | ||
| "@mapbox/node-pre-gyp": "^2.0.3", |
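Review bot: `@mapbox/node-pre-gyp` sits under `dependencies`, not `devDependencies`, so the 1.x → 2.x bump runs at every consumer's install time when it fetches or builds the native binary; confirm the consumer install path still works and that the lockfile was regenerated alongside this change rather than left resolving the old major.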
These are major-version bumps and currently use caret ranges, which can introduce additional unreviewed behavior changes on future npm install (outside the lockfile). For build tooling / native-binary tooling, consider pinning to an exact version (or at least using ~) to keep builds more reproducible and upgrades more deliberate.
| "@mapbox/node-pre-gyp": "^2.0.3", | |
| "@mapbox/node-pre-gyp": "2.0.3", |
| "jsdoc": "^4.0.2", | ||
| "mocha": "^10.7.0", | ||
| "node-gyp": "^9.3.1", | ||
| "node-gyp": "^11.0.0", |
node-gyp is now declared in both the repo root and this package. In a monorepo/workspace setup this duplication can drift over time (version skew, inconsistent build behavior). Consider centralizing shared build tooling like node-gyp at the workspace root (and removing it from leaf packages) or enforcing a single version via overrides so all packages use the same node-gyp.
| "node-gyp": "^11.0.0", |
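A check for the two points raised in the Copilot comments above (caret ranges on build tooling, and node-gyp declared in both the root and the leaf package), written as an added example in JavaScript that is not part of this PR or the project; the set of packages treated as build tooling and the inline manifests are assumptions:

```javascript
// Added example, not part of this PR: audit workspace package.json manifests
// for the two issues raised in the review, build tooling declared with a
// caret/tilde range and the same tool declared in several packages. The
// manifests below are constructed inline; in a real repo read them from disk.

// Assumption: which packages count as build/native tooling to be pinned.
const BUILD_TOOLS = new Set(["node-gyp", "@mapbox/node-pre-gyp"]);

// Merge runtime and dev dependencies of one manifest into a single map.
function depsOf(manifest) {
  return { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
}

// manifests: { "<path>": <parsed package.json> } -> list of findings
function auditManifests(manifests) {
  const findings = [];
  const declaredIn = new Map(); // tool name -> [{ path, spec }]
  for (const [path, manifest] of Object.entries(manifests)) {
    for (const [name, spec] of Object.entries(depsOf(manifest))) {
      if (!BUILD_TOOLS.has(name)) continue;
      // A range operator on build tooling lets future installs float.
      if (/^[\^~]/.test(spec)) findings.push({ kind: "unpinned", path, name, spec });
      if (!declaredIn.has(name)) declaredIn.set(name, []);
      declaredIn.get(name).push({ path, spec });
    }
  }
  // The same tool declared in more than one package can drift over time.
  for (const [name, decls] of declaredIn) {
    if (decls.length < 2) continue;
    const specs = new Set(decls.map((d) => d.spec));
    findings.push({
      kind: "duplicate",
      name,
      paths: decls.map((d) => d.path),
      consistent: specs.size === 1, // false once the versions have skewed
    });
  }
  return findings;
}

// Constructed sample mirroring the two manifests this PR touches.
const SAMPLE = {
  "package.json": {
    dependencies: { "@mapbox/node-pre-gyp": "^2.0.3" },
    devDependencies: { "node-gyp": "^11.0.0" },
  },
  "schemaregistry/package.json": { devDependencies: { "node-gyp": "^11.0.0" } },
};
console.log(JSON.stringify(auditManifests(SAMPLE), null, 2));
```

Against the sample it reports three unpinned build-tool declarations and one duplicate node-gyp declaration that is still consistent; the duplicate finding flips to inconsistent once the two packages diverge.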
| "@aws-sdk/client-kms": "^3.975.0", | ||
| "@aws-sdk/credential-providers": "^3.975.0", | ||
| "@azure/identity": "^4.13.0", |
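Review bot: the commit message attributes the `@aws-sdk/*` and `@azure/identity` bumps to fixes in transitive packages (`@smithy/config-resolver`, `jws`); a caret bump of the direct dependency only delivers those fixes if the lockfile is regenerated to resolve a patched transitive version, so attach the lockfile diff and the `npm audit` or `npm ls @smithy/config-resolver jws` output to the PR instead of the bare "no vulnerabilities" line in the test plan.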
| "@criteria/json-schema": "^0.10.0", | ||
| "@criteria/json-schema-validation": "^0.10.0", | ||
| "@google-cloud/kms": "^4.5.0", | ||
| "@google-cloud/kms": "^5.2.1", |
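Review bot: `@google-cloud/kms` moves a major (^4.5.0 → ^5.2.1) and the commit message motivates it only by a transitive `jws` fix; a KMS client major can carry breaking API changes in the encryption code paths that call it, and no source changes appear in the reviewed files, so confirm the KMS-backed encryption tests pass, not only `npm audit`.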
| "jsonata": "^2.0.5", | ||
| "lru-cache": "^10.4.3", | ||
| "node-vault": "^0.10.2", | ||
| "node-vault": "^0.10.9", |
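Review bot: `node-vault` ^0.10.2 → ^0.10.9 is labelled "(latest version)" in the commit message rather than tied to any of the listed vulnerabilities; either name the advisory it closes or note it as an unrelated refresh so the PR's security rationale stays auditable.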
Thanks for putting this up! A new vuln has emerged, requiring an even later version of
This PR:
The Vuln:
Robert Yokota (rayokota) left a comment
Thanks Apoorv Munshi (@ap00rv), LGTM
10x for the fix. Can you release a new version with it?
Summary
Test plan
`npm audit` shows no vulnerabilities
🤖 Generated with Claude Code