marklogic · rjrudin · Oct 22, 2025 · Oct 17, 2025
@@ -57,8 +57,120 @@ or
 There are also tests in the `test-complete` folder. The setup for these is more complicated and can 
 be found in the `Jenkinsfile` file in this repository in the `runE2ETests` function.
 
-## Notes on dependencies in package.json 
-
-We are using @fastify/busboy because it has a forked copy of dicer that apparently does not 
+## Explanation of overrides in package.json
+
+Each override is being documented here so we have some ability in the future to remove an override as needed. 
+These explanations have been copied from a Copilot analysis. 
+
+braces: "3.0.3"
+- Purpose: Fixes ReDoS vulnerability in brace expansion
+- Affects: mocha, gulp, and test infrastructure
+- Why needed: Older braces versions vulnerable to regex attacks
+- CVE/Issue: CVE-2024-4068 - ReDoS vulnerability
+
+brace-expansion: "2.0.2"
+- Purpose: Fixes ReDoS in brace expansion patterns
+- Affects: minimatch → brace-expansion
+- Why needed: Prevents regex denial of service attacks
+- CVE/Issue: Related to minimatch vulnerabilities
+
+glob: "10.3.11"
+- Purpose: Fixes ReDoS and security issues in file globbing
+- Affects: mocha, gulp-mocha build tooling
+- Why needed: Older glob versions have pattern matching vulnerabilities
+- CVE/Issue: Multiple vulnerabilities in older glob versions
+
+glob-parent: "6.0.2"
+- Purpose: Fixes ReDoS in path parsing
+- Affects: Transitive dependency through glob
+- Why needed: Older versions vulnerable to regex attacks
+- CVE/Issue: CVE-2020-28469 - ReDoS vulnerability
+
+jsdoc: "4.0.0"
+- Purpose: Fixes high-severity data access vulnerability in older jsdoc versions
+- Affects: gulp-jsdoc3 → jsdoc
+- Why needed: [email protected] uses older jsdoc with known vulnerabilities
+- CVE/Issue: High severity vulnerability in taffydb (jsdoc dependency)
+
+markdown-it: "14.1.0"
+- Purpose: Use latest markdown parser for JSDoc
+- Affects: gulp-jsdoc3 → jsdoc → markdown-it
+- Why needed: Latest version (no vulnerabilities), handles RFC 7464 parsing
+- Note: No newer version available, ensures consistency
+
+minimatch: "5.1.0"
+- Purpose: Fixes ReDoS (Regular Expression Denial of Service) vulnerability
+- Affects: mocha, gulp-mocha, and other build tools
+- Why needed: Older minimatch versions have catastrophic backtracking vulnerability
+- CVE/Issue: CVE-2022-3517 - ReDoS vulnerability
+
+sanitize-html: "2.17.0"
+- Purpose: Ensure JSDoc template uses non-vulnerable HTML sanitizer
+- Affects: gulp-jsdoc3 → ink-docstrap → sanitize-html
+- Why needed: Older versions have XSS vulnerabilities
+- Note: Also in devDependencies, override ensures transitive deps use safe version
+
+semver: "7.5.3"
+- Purpose: Fixes ReDoS in version parsing
+- Affects: Multiple packages across dependency tree
+- Why needed: Older semver versions have regex vulnerabilities
+- CVE/Issue: CVE-2022-25883 - ReDoS vulnerability
+
+tar-fs: "2.1.4"
+- Purpose: Fixes directory traversal vulnerability
+- Affects: kerberos → prebuild-install → tar-fs
+- Why needed: Older tar-fs allows extracting files outside intended directory
+- CVE/Issue: CVE-2024-28861 - Path traversal
+
+tmp: "0.2.4"
+- Purpose: Fixes arbitrary file write vulnerability
+- Affects: gulp-jsdoc3 → jsdoc → tmp
+- Why needed: Older tmp versions have file system security issues
+- CVE/Issue: CVE-2024-28858 - Arbitrary file write
+
+The following are related to this npm supply chain attack - https://orca.security/resources/blog/qix-npm-attack/ . 
+
+ansi-styles: "4.3.0"
+- Purpose: Protect against supply chain attack variants
+- Affects: chalk → ansi-styles, eslint toolchain
+
+ansi-regex: "5.0.1"
+- Purpose: Protect against supply chain attack variants
+- Affects: strip-ansi → ansi-regex
+
+chalk: "4.1.2"
+- Purpose: Avoid compromised chalk 5.6.1, maintain ESLint compatibility
+- Affects: eslint, mocha, gulp-mocha
+- Why needed: Chalk 5.6.1 was compromised in supply chain attack. ESLint 9.x requires chalk 4.x (incompatible with chalk 5.x API)
+
+color-convert: "3.1.0"
+- Purpose: Protect against supply chain attack variants
+- Affects: ansi-styles → color-convert
+
+color-name: "2.0.0"
+- Purpose: Protect against supply chain attack variants
+- Affects: color-convert → color-name
+
+cross-spawn: "7.0.6"
+- Purpose: Protect against supply chain attack variants
+- Affects: eslint → cross-spawn
+
+debug: "4.3.6"
+- Purpose: Protect against supply chain attack variants
+- Affects: eslint, mocha, multiple packages
+
+supports-color: "7.2.0"
+- Purpose: Protect against supply chain attack variants
+- Affects: mocha, chalk
+
+strip-ansi: "6.0.0"
+- Purpose: Protect against supply chain attack variants
+- Affects: mocha, cliui in test infrastructure
+
+wrap-ansi: "6.2.0"
+- Purpose: Protect against supply chain attack variants
+- Affects: mocha → cliui → wrap-ansi
+
+Also, we are using @fastify/busboy because it has a forked copy of dicer that apparently does not 
 have the same high security vulnerability that the 0.3.1 release of dicer has. 
 
@@ -53,7 +53,7 @@ def runAuditReport() {
 		cd node-client-api
 		npm ci
 		rm -rf $WORKSPACE/npm-audit-report.json || true
-		npm audit -json || true > $WORKSPACE/npm-audit-report.json
+		npm audit --audit-level=low --json > $WORKSPACE/npm-audit-report.json
 	'''
 }