Commit 8fb192a
Clear OSV-Scanner HIGH/MED/LOW findings via dep bumps + overrides
Surfaced by OSV-Scanner against package-lock.json. The pre-change scan
reported 22 HIGH / 15 MED / 5 LOW (42 total). After this PR a clean
scan against the new lockfile reports 0 HIGH / 0 MED / 1 LOW (the
single remaining LOW is GHSA-73rr-hh4g-fpgx on diff@7.0.0, pinned by
sinon@19.0.5 — not overridable without breaking sinon's peer ranges,
and is reachable only via assertion-error rendering in test code).
Top-level bumps (runtime):
- thrift 0.16.0 -> 0.23.0
  (GHSA-r67j-r569-jrwp, GHSA-526f-jxpj-jmg2, both HIGH)
Top-level bumps (devDependencies):
- mocha 10.2.0 -> 10.8.2
- eslint 8.22.0 -> 8.57.1
- eslint-plugin-import 2.26.0 -> 2.32.0
- sinon 17.0.1 -> 19.0.5
- @types/node-fetch 2.6.4 -> 2.6.13
`overrides` block added for deep transitives that can't be reached by
top-level bumps (basic-ftp via proxy-agent chain; @75lb/deep-merge
via apache-arrow chain; ws pinned inside thrift; cross-spawn pinned
inside eslint; etc.). Each override is set to the lowest version that
clears its CVEs to minimize unintended behavior changes.
Test-stub follow-ups (required by the dev-dep bumps' newer types):
- OAuthCallbackServerStub: add Symbol.asyncDispose stub method
  (newer @types/node added it to http.Server).
- Issuer stub in OAuthManager.test: add FAPI2Client property
  (openid-client >= 5.5 widened the interface).
- AuthorizationCode.test: cast sinon.spy result to `as any` for the
  private-field assignment (the stub intentionally doesn't fully
  mirror http.Server; runtime is identical).
Net OSV-Scanner result after this PR:
- HIGH: 22 -> 0
- MED: 15 -> 0
- LOW: 5 -> 1 (sinon-pinned, documented in PR description)
Verified locally:
- npm run build -- clean
- npm run type-check -- clean (no errors in lib/ or tests/)
- npm run lint -- 3 pre-existing warnings, no errors
Co-authored-by: Isaac
Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>
1 parent 6a4a7c4
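The before/after severity tally quoted in the commit message is easy to get wrong by hand. The script below is an added example (not part of this commit or the project) that reads two OSV-Scanner `--format json` reports, buckets findings into the HIGH/MED/LOW levels the message uses, and lists what remains. It assumes the OSV-Scanner JSON layout (`results` -> `packages` -> `vulnerabilities`) and the GitHub-advisory `database_specific.severity` field; the two sample reports are constructed by hand from the advisory IDs and versions named in the message, not real scanner output.

```python
"""Tally OSV-Scanner JSON findings by severity and diff two scans.

Added example, not project code. Assumes the OSV-Scanner `--format json`
layout and GHSA `database_specific.severity`; anything else becomes UNKNOWN.
"""
import json
from collections import Counter

# Map OSV/GHSA severity labels onto the buckets used in the commit message.
BUCKETS = {
    "CRITICAL": "HIGH", "HIGH": "HIGH",
    "MODERATE": "MED", "MEDIUM": "MED",
    "LOW": "LOW",
}
ORDER = ("HIGH", "MED", "LOW")


def severity_of(vuln):
    """Bucket one OSV record; unknown or missing labels are reported as UNKNOWN."""
    label = (vuln.get("database_specific") or {}).get("severity", "")
    return BUCKETS.get(str(label).upper(), "UNKNOWN")


def findings(report):
    """Return (vuln_id, name@version, bucket) for every finding in a report."""
    out = []
    for result in report.get("results", []):
        for pkg in result.get("packages", []):
            info = pkg.get("package", {})
            coord = f"{info.get('name')}@{info.get('version')}"
            for vuln in pkg.get("vulnerabilities", []):
                out.append((vuln.get("id"), coord, severity_of(vuln)))
    return out


def severity_counts(report):
    """Counts per bucket, always including HIGH/MED/LOW even when zero."""
    counts = Counter(bucket for _, _, bucket in findings(report))
    return {b: counts.get(b, 0) for b in ORDER}


def diff_counts(before, after):
    """{bucket: (before, after)} so a PR description can quote 'HIGH: 22 -> 0'."""
    b, a = severity_counts(before), severity_counts(after)
    return {k: (b[k], a[k]) for k in ORDER}


def remaining(report):
    """Sorted, de-duplicated (id, package@version) pairs still open in a report."""
    return sorted({(vid, coord) for vid, coord, _ in findings(report)})


def load_report(path):
    """Load an on-disk `osv-scanner --format json` report."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def _pkg(name, version, vulns):
    # Helper to build a constructed package entry in the assumed layout.
    return {
        "package": {"name": name, "version": version, "ecosystem": "npm"},
        "vulnerabilities": [
            {"id": vid, "database_specific": {"severity": sev}} for vid, sev in vulns
        ],
    }


# Constructed sample reports (IDs and versions taken from the commit message;
# the real pre-change scan had 42 findings, this sample only has three).
BEFORE = {"results": [{"source": {"path": "package-lock.json"}, "packages": [
    _pkg("thrift", "0.16.0", [("GHSA-r67j-r569-jrwp", "HIGH"),
                              ("GHSA-526f-jxpj-jmg2", "HIGH")]),
    _pkg("diff", "7.0.0", [("GHSA-73rr-hh4g-fpgx", "LOW")]),
]}]}
AFTER = {"results": [{"source": {"path": "package-lock.json"}, "packages": [
    _pkg("diff", "7.0.0", [("GHSA-73rr-hh4g-fpgx", "LOW")]),
]}]}


if __name__ == "__main__":
    for bucket, (was, now) in diff_counts(BEFORE, AFTER).items():
        print(f"{bucket}: {was} -> {now}")
    for vid, coord in remaining(AFTER):
        print(f"remaining: {vid} on {coord}")
```

Run it against real output with `load_report("before.json")` and `load_report("after.json")` in place of the constructed dicts; the `remaining()` list is the thing to paste into the PR description alongside the justification for each accepted finding, as the message does for the sinon-pinned `diff` advisory.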
5 files changed
Lines changed: 3384 additions & 1740 deletions
File tree
- tests/unit
- .stubs
- connection/auth/DatabricksOAuth