Skip to content

MLE-22656 : Provide fix for BlackDuck vulnerabilities in Node Client. #934

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 25, 2025
Merged

MLE-22656 : Provide fix for BlackDuck vulnerabilities in Node Client. #934

merged 1 commit into from
Jun 25, 2025

Conversation

@anu3990
Copy link
Contributor

@anu3990 anu3990 commented Jun 24, 2025

This commit includes fixes for -

  • Inflight Vulnerable to Denial-of-Service (DoS) via Memory Leak
  • 'brace-expansion' Package Vulnerable to Regular Expression Denial-of-Service (ReDoS)
  • GHSA-8cj5-5rvv-wf4v

Copilot AI reviewed Jun 24, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR addresses BlackDuck-reported vulnerabilities in the Node client by updating dependency versions and adding overrides for known issues.

  • Upgrades bunyan to v2.0.5
  • Adds overrides entries for brace-expansion, glob, and tar-fs
Comments suppressed due to low confidence (2)

package.json:56

  • Upgrading from bunyan v1.x to v2.x is a major version bump that may include breaking changes. Please ensure existing logging behavior is covered by tests and update any initialization calls if needed.
    "bunyan": "2.0.5",

package.json:80

  • The PR description mentions an inflight memory-leak vulnerability, but there's no override for inflight. Consider adding an override to a patched version of inflight to fully address that issue.
    "brace-expansion": "2.0.2",

package.json
"overrides": {
"braces": "3.0.3",
"brace-expansion": "2.0.2",
"cross-spawn":"7.0.6",

This comment was marked as off-topic.

Sign in to view

@anu3990
MLE-22656 : Provide fix for BlackDuck vulnerabilities in Node Client.
0ed6a31 
This commit includes fixes for -
- Inflight Vulnerable to Denial-of-Service (DoS) via Memory Leak
- 'brace-expansion' Package Vulnerable to Regular Expression Denial-of-Service (ReDoS)
-  GHSA-8cj5-5rvv-wf4v
@anu3990 anu3990 requested a review from stevebio June 25, 2025 16:14
stevebio
stevebio approved these changes Jun 25, 2025
View reviewed changes
Copy link
Collaborator

@stevebio stevebio left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, blackduck suggestions.

@anu3990 anu3990 merged commit ba8ac14 into marklogic:develop Jun 25, 2025
1 of 2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@stevebio stevebio stevebio approved these changes

@rjrudin rjrudin Awaiting requested review from rjrudin rjrudin is a code owner

@BillFarber BillFarber Awaiting requested review from BillFarber BillFarber is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@anu3990 @stevebio