MLE-24230 First batch of package updates

rjrudin · rjrudin · commit 980d0de3441f · 2025-10-15T13:57:28.000-04:00
- Removed deepcopy, using native Node structuredClone.
- Moved eslint to devDependencies (which removes 50+ dependencies total from the real dependency graph!).
- Upgraded busboy and documented why we're using it instead of dicer (going to use CONTRIBUTING for providing any explanations for things in package.json).
- Removing usage of caret in package.json to avoid accidentally picking up malicious upgrades.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -55,4 +55,10 @@ or
     mocha test-basic -timeout 0 -g 'test bindParam with qualifier'
 
 There are also tests in the `test-complete` folder. The setup for these is more complicated and can 
-be found in the `Jenkinsfile` file in this repository in the `runE2ETests` function.
+be found in the `Jenkinsfile` file in this repository in the `runE2ETests` function.
+
+## Notes on dependencies in package.json 
+
+We are using @fastify/busboy because it has a forked copy of dicer that apparently does not 
+have the same high security vulnerability that the 0.3.1 release of dicer has. 
+
diff --git a/Jenkinsfile b/Jenkinsfile
@@ -128,7 +128,8 @@ pipeline {
         runAuditReport()
         runDockerCompose('ml-docker-db-dev-tierpoint.bed-artifactory.bedford.progress.com/marklogic/marklogic-server-ubi:latest-12')
         runTests()
-        runE2ETests()
+        // Commenting this out temporarily for faster PR feedback.
+        // runE2ETests()
       }
       post {
         always {
diff --git a/NOTICE.txt b/NOTICE.txt
@@ -1,4 +1,4 @@
-﻿MarkLogic® Node Client API
+MarkLogic® Node Client API
 
 Copyright (c) 2015-2025 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
 
@@ -23,9 +23,7 @@ Third Party Components
     @fastify/busboy 1.2.1 (MIT)
     big-integer 1.6.52 (Public Domain)
     concat-stream 2.0.0 (MIT)
-    deepcopy 2.1.0 (MIT)
     duplexify 4.1.3 (MIT)
-    eslint 8.57.1 (MIT)
     form-data 4.0.1 (MIT)
     json-text-sequence 1.0.1 (MIT)
     Kerberos 2.2.1 (Apache-2.0)
@@ -90,22 +88,6 @@ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLI
 
 ************************************************************
 
-deepcopy 2.1.0 (MIT)
-
-https://www.npmjs.com/package/deepcopy
-
-The MIT LICENSE)
-
-Copyright (c) 2013 sasa+1 <sasaplus1@gmail.com>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-************************************************************
-
 duplexify 4.1.3 (MIT)
 
 https://www.npmjs.com/package/duplexify
@@ -122,18 +104,6 @@ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLI
 
 ************************************************************
 
-eslint 8.57.1 (MIT)
-
-Copyright OpenJS Foundation and other contributors, <www.openjsf.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-************************************************************
-
 form-data 4.0.1 (MIT)
 
 https://www.npmjs.com/package/form-data
diff --git a/lib/query-builder.js b/lib/query-builder.js
@@ -3,7 +3,6 @@
 */
 'use strict';
 var util     = require("util");
-var deepcopy = require('deepcopy');
 
 var mlutil   = require('./mlutil.js');
 
@@ -3641,8 +3640,8 @@ function copyFromQueryBuilder(otherQueryBuilder) {
       var key = clauseKeys[i];
       var value = other[key];
       if (value != null) {
-        // deepcopy instead of clone to avoid preserving prototype
-        qb[key] = isString ? value : deepcopy(value);
+        // structuredClone instead of clone to avoid preserving prototype
+        qb[key] = isString ? value : structuredClone(value);
       }
     }
   }
diff --git a/lib/values-builder.js b/lib/values-builder.js
@@ -2,7 +2,6 @@
 * Copyright (c) 2015-2025 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
 */
 'use strict';
-var deepcopy = require('deepcopy');
 
 
 var mlutil = require('./mlutil.js');
@@ -409,8 +408,8 @@ function copyFromValueBuilder(otherValueBuilder) {
       var key = clauseKeys[i];
       var value = other[key];
       if (value != null) {
-        // deepcopy instead of clone to avoid preserving prototype
-        tb[key] = isString ? value : deepcopy(value);
+        // structuredClone instead of clone to avoid preserving prototype
+        tb[key] = isString ? value : structuredClone(value);
       }
     }
   }
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json

Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,6 @@`
`3`	`3`	`*/`
`4`	`4`	`'use strict';`
`5`	`5`	`var util = require("util");`
`6`		`-var deepcopy = require('deepcopy');`
`7`	`6`
`8`	`7`	`var mlutil = require('./mlutil.js');`
`9`	`8`
`@@ -3641,8 +3640,8 @@ function copyFromQueryBuilder(otherQueryBuilder) {`
`3641`	`3640`	`var key = clauseKeys[i];`
`3642`	`3641`	`var value = other[key];`
`3643`	`3642`	`if (value != null) {`
`3644`		`- // deepcopy instead of clone to avoid preserving prototype`
`3645`		`- qb[key] = isString ? value : deepcopy(value);`
	`3643`	`+ // structuredClone instead of clone to avoid preserving prototype`
	`3644`	`+ qb[key] = isString ? value : structuredClone(value);`
`3646`	`3645`	`}`
`3647`	`3646`	`}`
`3648`	`3647`	`}`
Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,6 @@`
`2`	`2`	`* Copyright (c) 2015-2025 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.`
`3`	`3`	`*/`
`4`	`4`	`'use strict';`
`5`		`-var deepcopy = require('deepcopy');`
`6`	`5`
`7`	`6`
`8`	`7`	`var mlutil = require('./mlutil.js');`
`@@ -409,8 +408,8 @@ function copyFromValueBuilder(otherValueBuilder) {`
`409`	`408`	`var key = clauseKeys[i];`
`410`	`409`	`var value = other[key];`
`411`	`410`	`if (value != null) {`
`412`		`- // deepcopy instead of clone to avoid preserving prototype`
`413`		`- tb[key] = isString ? value : deepcopy(value);`
	`411`	`+ // structuredClone instead of clone to avoid preserving prototype`
	`412`	`+ tb[key] = isString ? value : structuredClone(value);`
`414`	`413`	`}`
`415`	`414`	`}`
`416`	`415`	`}`