
Remove unused dependencies and refresh lockfile to clear vulnerable transitive packages#210

Merged
fniephaus merged 2 commits into main from fix/transitive-dependency-vulns
Mar 16, 2026

Conversation

@fniephaus
Member

Summary 🤖

This PR updates package-lock.json to remove the vulnerable transitive undici and minimatch paths reported by GitHub.

Changes

  • removed unused @github/dependency-submission-toolkit from dependencies
  • removed unused prettier-eslint from devDependencies
  • regenerated package-lock.json
  • refreshed the remaining root undici resolution to 6.24.1

Verification

  • ran npm audit --package-lock-only --json
  • audit now reports 0 vulnerabilities

Notes

  • the lockfile was regenerated in a local environment running Node 18.19.1
  • the project declares node >=24.0.0, so npm emitted engine warnings during the update
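As an added example (not code from the PR or the setup-graalvm project), a small Python check over a lockfile's `packages` map that lists every install path of a package and flags copies below a minimum version, which is the transitive-path question this lockfile refresh answers; the lockfile below is constructed, and only the undici 6.24.1 floor comes from the PR.

```python
import json

# Constructed sample of a lockfileVersion 3 package-lock.json (not the project's
# real lockfile): undici is installed once at the root and once nested under a
# hypothetical dependency "some-sdk" that still pins an older major.
SAMPLE_LOCK = json.loads("""
{
  "name": "example-action", "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"undici": "^6.24.1", "some-sdk": "^2.0.0"}},
    "node_modules/undici": {"version": "6.24.1"},
    "node_modules/some-sdk": {"version": "2.0.5",
                              "dependencies": {"undici": "^5.0.0"}},
    "node_modules/some-sdk/node_modules/undici": {"version": "5.28.3"},
    "node_modules/minimatch": {"version": "9.0.5", "dev": true}
  }
}
""")

def parse_version(version):
    """Comparable (major, minor, patch) tuple; a prerelease suffix is ignored."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))

def find_installs(lock, name):
    """Every install path of `name` in the lockfile's packages map.
    The text after the last 'node_modules/' in a key is the package installed
    there, so nested copies under other packages are found as well as the root
    copy. Returns (path, version, is_dev_only) tuples in lockfile order."""
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # the empty key is the root project itself
        if path.rsplit("node_modules/", 1)[-1] == name:
            hits.append((path, meta.get("version", ""), bool(meta.get("dev"))))
    return hits

def below_minimum(lock, name, minimum):
    """(path, version) for each install of `name` older than `minimum`."""
    return [(path, ver) for path, ver, _ in find_installs(lock, name)
            if parse_version(ver) < parse_version(minimum)]

if __name__ == "__main__":
    # Floor taken from the PR description: root undici refreshed to 6.24.1.
    for path, ver in below_minimum(SAMPLE_LOCK, "undici", "6.24.1"):
        print(f"{path} resolves undici {ver}, below 6.24.1")
```

Running it against a real package-lock.json after `npm audit` reports clean is a quick way to confirm that no nested copy of a package was left behind by the regeneration.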

@fniephaus fniephaus requested review from alina-yur and rudsberg March 16, 2026 11:45
@fniephaus fniephaus self-assigned this Mar 16, 2026
@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Mar 16, 2026
@github-actions

GraalVM Native Image Build Report

helloworld generated in 40.3s as part of the 'test-action-native-image-musl' job in run #369.

Environment

Java version: 21.0.10+8-LTS
Vendor version: Oracle GraalVM 21.0.10+8.1
Graal compiler: optimization level: 2, target machine: x86-64-v3, PGO: ML-inferred
C compiler: x86_64-linux-musl-gcc (linux, x86_64, 10.3.0)
Garbage collector: G1 GC

Analysis Results

| Category | Types | in % | Fields | in % | Methods | in % |
|---|---|---|---|---|---|---|
| Reachable | 2,030 | 60.041% | 1,896 | 44.918% | 8,312 | 35.032% |
| Reflection | 732 | 21.650% | 37 | 0.877% | 287 | 1.210% |
| JNI | 49 | 1.449% | 33 | 0.782% | 48 | 0.202% |
| Loaded | 3,381 | 100.000% | 4,221 | 100.000% | 23,727 | 100.000% |

Image Details

| Category | Size | in % | Details |
|---|---|---|---|
| Code area | 3.36MB | 33.984% | 3,837 compilation units |
| Image heap | 3.64MB | 36.850% | 52,385 objects, 0.00B for 29 resources |
| Other data | 2.88MB | 29.166% | |
| Total | 9.89MB | 100.000% | |

Resource Usage

Garbage collection: 2.36s (5.852% of total time) in 430 GCs
Peak RSS: 731.06MB (4.572% of 15.62GB system memory)
CPU load: 3.625 (90.635% of 4 CPU cores)

Report generated by setup-graalvm.

@github-actions

GraalVM Native Image Build Report

helloworld generated in 49.3s as part of the 'test-action-native-image-musl' job in run #369.

Environment

Java version: 25.0.2+10-LTS
Vendor version: Oracle GraalVM 25.0.2+10.1
Graal compiler: optimization level: 2, target machine: x86-64-v3, PGO: ML-inferred
C compiler: x86_64-linux-musl-gcc (linux, x86_64, 10.3.0)
Garbage collector: G1 GC

Analysis Results

| Category | Types | in % | Fields | in % | Methods | in % |
|---|---|---|---|---|---|---|
| Reachable | 2,043 | 55.774% | 1,840 | 36.486% | 8,213 | 32.651% |
| Reflection | 753 | 20.557% | 35 | 0.694% | 284 | 1.129% |
| JNI | 49 | 1.338% | 35 | 0.694% | 48 | 0.191% |
| Loaded | 3,663 | 100.000% | 5,043 | 100.000% | 25,154 | 100.000% |

Image Details

| Category | Size | in % | Details |
|---|---|---|---|
| Code area | 3.13MB | 30.709% | 3,832 compilation units |
| Image heap | 4.11MB | 40.323% | 59,276 objects, 0.00B for 52 resources |
| Other data | 2.95MB | 28.968% | |
| Total | 10.18MB | 100.000% | |

Resource Usage

Garbage collection: 2.13s (4.327% of total time) in 527 GCs
Peak RSS: 1012.04MB (6.327% of 15.62GB system memory)
CPU load: 3.611 (90.284% of 4 CPU cores)

Report generated by setup-graalvm.

@github-actions

GraalVM Native Image Build Report

helloworld.exe generated in 1m 1s as part of the 'test-action-native-image-windows' job in run #369.

Environment

Java version: 25.0.2+10
Vendor version: GraalVM CE 25.1.0-dev+10.1
Graal compiler: optimization level: 2, target machine: x86-64-v3
C compiler: cl.exe (microsoft, x64, 19.44.35223)
Garbage collector: Serial GC

Analysis Results

| Category | Types | in % | Fields | in % | Methods | in % |
|---|---|---|---|---|---|---|
| Reachable | 3,335 | 66.144% | 3,756 | 39.847% | 15,497 | 41.754% |
| Reflection | 1,106 | 21.936% | 36 | 0.382% | 329 | 0.886% |
| JNI | 62 | 1.230% | 52 | 0.552% | 52 | 0.140% |
| Loaded | 5,042 | 100.000% | 9,426 | 100.000% | 37,115 | 100.000% |

Image Details

| Category | Size | in % | Details |
|---|---|---|---|
| Code area | 4.63MB | 34.702% | 8,911 compilation units |
| Image heap | 8.31MB | 62.259% | 111,949 objects, 171.38KB for 4 resources |
| Other data | 415.56KB | 3.040% | |
| Total | 13.35MB | 100.000% | |

Resource Usage

Garbage collection: 2.98s (4.806% of total time) in 455 GCs
Peak RSS: 1.04GB (6.506% of 15.99GB system memory)
CPU load: 3.263 (81.578% of 4 CPU cores)

Report generated by setup-graalvm.

@github-actions

GraalVM Native Image Build Report

helloworld generated in 52.7s as part of the 'test-action-native-image-windows-msvc' job in run #369.

Environment

Java version: 17.0.12+8-LTS
Vendor version: Oracle GraalVM 17.0.12+8.1
Graal compiler: optimization level: 2, target machine: x86-64-v3, PGO: ML-inferred
C compiler: cl.exe (microsoft, x64, 19.44.35223)
Garbage collector: Serial GC

Analysis Results

| Category | Types | in % | Fields | in % | Methods | in % |
|---|---|---|---|---|---|---|
| Reachable | 1,809 | 59.311% | 1,684 | 45.587% | 7,635 | 35.795% |
| Reflection | 618 | 20.262% | 0 | 0.000% | 282 | 1.322% |
| JNI | 53 | 1.738% | 30 | 0.812% | 48 | 0.225% |
| Loaded | 3,050 | 100.000% | 3,694 | 100.000% | 21,330 | 100.000% |

Image Details

| Category | Size | in % | Details |
|---|---|---|---|
| Code area | 2.77MB | 43.911% | 3,464 compilation units |
| Image heap | 3.45MB | 54.709% | 48,646 objects, 108.00B for 1 resources |
| Other data | 89.11KB | 1.380% | |
| Total | 6.30MB | 100.000% | |

Resource Usage

Garbage collection: 1.64s (3.105% of total time) in 121 GCs
Peak RSS: 980.20MB (5.983% of 16.00GB system memory)
CPU load: 3.110 (77.758% of 4 CPU cores)

Report generated by setup-graalvm.

@github-actions

GraalVM Native Image Build Report

helloworld generated in 46.6s as part of the 'test-action-extensive' job in run #369.

Environment

Java version: 17.0.8+9-LTS
Vendor version: Oracle GraalVM 17.0.8+9.1
Graal compiler: optimization level: 2, target machine: x86-64-v3, PGO: ML-inferred
C compiler: gcc (linux, x86_64, 13.3.0)
Garbage collector: Serial GC

Analysis Results

| Category | Types | in % | Fields | in % | Methods | in % |
|---|---|---|---|---|---|---|
| Reachable | 1,853 | 59.145% | 1,737 | 46.369% | 7,712 | 35.618% |
| Reflection | 638 | 20.364% | 0 | 0.000% | 281 | 1.298% |
| JNI | 49 | 1.564% | 32 | 0.854% | 48 | 0.222% |
| Loaded | 3,133 | 100.000% | 3,746 | 100.000% | 21,652 | 100.000% |

Image Details

| Category | Size | in % | Details |
|---|---|---|---|
| Code area | 2.75MB | 23.182% | 3,484 compilation units |
| Image heap | 3.46MB | 29.166% | 48,932 objects, 108.00B for 1 resources |
| Debug info | 5.33MB | 44.902% | |
| Other data | 334.61KB | 2.751% | |
| Total | 11.88MB | 100.000% | |

Resource Usage

Garbage collection: 1.81s (3.891% of total time) in 135 GCs
Peak RSS: 1.06GB (6.807% of 15.62GB system memory)
CPU load: 3.563 (89.086% of 4 CPU cores)

Report generated by setup-graalvm.

"@actions/io": "^3.0.2",
"@actions/tool-cache": "^4.0.0",
"@octokit/types": "^16.0.0",
"@github/dependency-submission-toolkit": "^2.0.5",
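Review bot: with the `"@github/dependency-submission-toolkit": "^2.0.5"` entry leaving `dependencies`, the check worth recording on this thread is a search of the sources for any remaining import of that module plus a clean `npm ci` (which fails when package.json and package-lock.json disagree), so that a still-referenced module cannot surface only at runtime on the SBOM code path.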
Member Author


@rudsberg it seems we didn't end up using this dependency for the SBOM feature, so I'm removing it to reduce the attack surface of the action.

Contributor


I did a verification pass and it's safe to remove this dependency since the SBOM feature is not using it.

@fniephaus fniephaus merged commit 03e8abf into main Mar 16, 2026
202 checks passed
@fniephaus fniephaus deleted the fix/transitive-dependency-vulns branch March 16, 2026 14:14