Merge branch 'release/4.0.0' into feature/temp-master

Author: rjrudin

.copyrightconfig

@@ -0,0 +1,14 @@
+# COPYRIGHT VALIDATION CONFIG
+# ---------------------------------
+# Required start year (keep fixed; end year auto-updates in check output)
+startyear: 2015
+
+# Optional exclusions list (comma-separated). Leave commented if none.
+# Rules:
+#   - Relative paths (no leading ./)
+#   - Simple * wildcard only (no recursive **)
+#   - Use sparingly (third_party, generated, binary assets)
+#   - Dotfiles already skipped automatically
+# Enable by removing the leading '# ' from the next line and editing values.
+# filesexcluded: third_party/*, docs/generated/*.md, assets/*.png, scripts/temp_*.py, vendor/lib.js
+filesexcluded: .github/*, README.md, Jenkinsfile, test-app/*, *.md, docker-compose.yaml, test-complete-app-mlDeploy/*, *.json

.editorconfig

@@ -0,0 +1,22 @@
+# http://editorconfig.org
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[*.md]
+trim_trailing_whitespace = false
+
+[*.{json,yml,yaml}]
+indent_size = 2
+
+[*.{js,ts}]
+indent_size = 2
+
+[*.java]
+indent_size = 4

.env

@@ -0,0 +1,7 @@
+# Latest 12 nightly release:
+MARKLOGIC_IMAGE=ml-docker-db-dev-tierpoint.bed-artifactory.bedford.progress.com/marklogic/marklogic-server-ubi:latest-12
+
+# Latest MarkLogic release:
+# MARKLOGIC_IMAGE="progressofficial/marklogic-db:latest"
+
+MARKLOGIC_LOGS_VOLUME=./docker/marklogic/logs

.github/workflows/pr-workflow.yaml

@@ -1,4 +1,4 @@
-name: 🏷️ JIRA ID Validator
+name: PR Workflow
 
 on:
   # Using pull_request_target instead of pull_request to handle PRs from forks
@@ -14,3 +14,10 @@ jobs:
     with:
       # Pass the PR title from the event context
       pr-title: ${{ github.event.pull_request.title }}
+  copyright-validation:
+    name: © Validate Copyright Headers
+    uses: marklogic/pr-workflows/.github/workflows/copyright-check.yml@main
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write

.gitignore

@@ -7,11 +7,15 @@ tmp
 .settings
 .vscode
 .DS_Store
+.gradle
+
+docker
 test-app/build
 test-app/.gradle
 test-app/gradle-local.properties
 test-app/docker
 test-app/containerLogs
-
 test-complete-app/build
-test-complete-app/.gradle
+test-complete-app/.gradle
+test-complete-app-mlDeploy/build
+test-complete-app-mlDeploy/.gradle

.jshintrc

@@ -0,0 +1 @@
+engine-strict=true

.npmrc

@@ -1,5 +1,11 @@
 # CHANGELOG
 
+## 4.0.0
+
+This major release does not impact any client functionality, but rather raises the minimum required version of Node.js
+to 22 or higher. It also updates all dependencies to their latest version and removes unnecessary dependencies that
+were included in previous releases. 
+
 ## 3.7.1
 #### Bug Fix
 - https://github.com/marklogic/node-client-api/issues/961

CHANGELOG.md

@@ -8,7 +8,7 @@ please see the README file.
 
 To run any of the steps below, first verify that you have the following available;
 [sdkman](https://sdkman.io/) is recommended for installing and maintaining versions of Java:
-* Java 8.x
+* Java 17.x
 
 You will also need to clone this repository locally and open a CLI in the root directory of the cloned project.
 
@@ -21,7 +21,6 @@ instance available for testing.
 
 If you are able to use Docker, run the following:
 
-    cd test-app
     docker-compose up -d --build
 
 This will create a container with the MarkLogic service. The MarkLogic service will take a minute or two to initialize.
@@ -31,7 +30,9 @@ username and password are in the docker-compose.yaml file in the /test-app direc
 Once the container is finished initializing, you need to deploy the test application to the MarkLogic service.
 While still in the test-app directory run the following gradle command.
 
+    cd test-app
     ./gradlew -i mlDeploy
+    ./gradlew -i -Penv=e2e mlLoadData mlLoadModules
 
 Once the deploy has completed successfully, use "cd .." to return to the root directory of the project.
 
@@ -53,3 +54,110 @@ contained in either the "it" function or the "describe" function, respectively.
 or
 
     mocha test-basic -timeout 0 -g 'test bindParam with qualifier'
+
+There are also tests in the `test-complete` folder. The setup for these is more complicated and can 
+be found in the `Jenkinsfile` file in this repository in the `runE2ETests` function.
+
+## Generating documentation
+
+After installing the project dependencies, you can build the reference documentation locally from the root
+directory of the marklogic package:
+
+    npm run doc
+
+The documentation is generated in the `./doc` gitignored directory. The documentation can also be
+accessed online at <https://docs.marklogic.com/jsdoc/index.html>.
+
+## Explanation of overrides in package.json
+
+Each override is being documented here so we have some ability in the future to remove an override as needed. 
+These explanations have been copied from a Copilot analysis. 
+
+braces: "3.0.3"
+- Purpose: Fixes ReDoS vulnerability in brace expansion
+- Affects: mocha, gulp, and test infrastructure
+- Why needed: Older braces versions vulnerable to regex attacks
+- CVE/Issue: CVE-2024-4068 - ReDoS vulnerability
+
+brace-expansion: "2.0.2"
+- Purpose: Fixes ReDoS in brace expansion patterns
+- Affects: minimatch → brace-expansion
+- Why needed: Prevents regex denial of service attacks
+- CVE/Issue: Related to minimatch vulnerabilities
+
+glob: "10.3.11"
+- Purpose: Fixes ReDoS and security issues in file globbing
+- Affects: mocha, gulp-mocha build tooling
+- Why needed: Older glob versions have pattern matching vulnerabilities
+- CVE/Issue: Multiple vulnerabilities in older glob versions
+
+glob-parent: "6.0.2"
+- Purpose: Fixes ReDoS in path parsing
+- Affects: Transitive dependency through glob
+- Why needed: Older versions vulnerable to regex attacks
+- CVE/Issue: CVE-2020-28469 - ReDoS vulnerability
+
+minimatch: "5.1.0"
+- Purpose: Fixes ReDoS (Regular Expression Denial of Service) vulnerability
+- Affects: mocha, gulp-mocha, and other build tools
+- Why needed: Older minimatch versions have catastrophic backtracking vulnerability
+- CVE/Issue: CVE-2022-3517 - ReDoS vulnerability
+
+semver: "7.5.3"
+- Purpose: Fixes ReDoS in version parsing
+- Affects: Multiple packages across dependency tree
+- Why needed: Older semver versions have regex vulnerabilities
+- CVE/Issue: CVE-2022-25883 - ReDoS vulnerability
+
+tar-fs: "2.1.4"
+- Purpose: Fixes directory traversal vulnerability
+- Affects: kerberos → prebuild-install → tar-fs
+- Why needed: Older tar-fs allows extracting files outside intended directory
+- CVE/Issue: CVE-2024-28861 - Path traversal
+
+The following are related to this npm supply chain attack - https://orca.security/resources/blog/qix-npm-attack/ . 
+
+ansi-styles: "4.3.0"
+- Purpose: Protect against supply chain attack variants
+- Affects: chalk → ansi-styles, eslint toolchain
+
+ansi-regex: "5.0.1"
+- Purpose: Protect against supply chain attack variants
+- Affects: strip-ansi → ansi-regex
+
+chalk: "4.1.2"
+- Purpose: Avoid compromised chalk 5.6.1, maintain ESLint compatibility
+- Affects: eslint, mocha, gulp-mocha
+- Why needed: Chalk 5.6.1 was compromised in supply chain attack. ESLint 9.x requires chalk 4.x (incompatible with chalk 5.x API)
+
+color-convert: "3.1.0"
+- Purpose: Protect against supply chain attack variants
+- Affects: ansi-styles → color-convert
+
+color-name: "2.0.0"
+- Purpose: Protect against supply chain attack variants
+- Affects: color-convert → color-name
+
+cross-spawn: "7.0.6"
+- Purpose: Protect against supply chain attack variants
+- Affects: eslint → cross-spawn
+
+debug: "4.3.6"
+- Purpose: Protect against supply chain attack variants
+- Affects: eslint, mocha, multiple packages
+
+supports-color: "7.2.0"
+- Purpose: Protect against supply chain attack variants
+- Affects: mocha, chalk
+
+strip-ansi: "6.0.0"
+- Purpose: Protect against supply chain attack variants
+- Affects: mocha, cliui in test infrastructure
+
+wrap-ansi: "6.2.0"
+- Purpose: Protect against supply chain attack variants
+- Affects: mocha → cliui → wrap-ansi
+
+Also, we are using @fastify/busboy because it has a forked copy of dicer that apparently does not 
+have the same high security vulnerability that the 0.3.1 release of dicer has. 
+