
Bumping deps to avoid CVE (11/11/2026)#9343

Closed
liranmauda wants to merge 1 commit into noobaa:master from liranmauda:liran-bump-deps

Conversation

@liranmauda (Contributor) commented Dec 10, 2025

Explain the Changes

  • Bumping deps to avoid CVE (11/11/2026)

Summary by CodeRabbit

  • Chores
    • Routine dependency updates across cloud SDKs, storage clients, web framework, auth libraries, LDAP tooling, DB utilities, native bindings, messaging client, YAML parser, and TypeScript typings.
    • Added utilities for monitoring, runtime/process management, ping checks, and testing frameworks.
    • No changes to public APIs, exports, project structure, or user-facing behavior.


@coderabbitai bot commented Dec 10, 2025

📝 Walkthrough

Updates only to package.json dependency and devDependency versions; no source code, exports, or project structure changed.

Changes

  • Dependency / devDependency updates (package.json): Bumped multiple packages (runtime and dev): @google-cloud/storage, @smithy/node-http-handler, express, jsonwebtoken, ldapts, mongo-query-to-postgres-jsonb, nan, ws, yaml, optional node-rdkafka, plus typing/test deps (@types/lodash, @types/node, @types/pg, sinon) and added ping, prom-client, ps-node, jest, mocha. No code changes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

size/M

Suggested reviewers

  • nimrod-becker
  • jackyalbo
  • dannyzaken

🚥 Pre-merge checks | ✅ 3 passed

  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title directly describes the main change: updating dependency versions to address CVE vulnerabilities, which matches the package.json modifications in the changeset.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0123bbd and 52ddb4d.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • package.json
🚧 Files skipped from review as they are similar to previous changes (1)
  • package.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Build Noobaa Image
  • GitHub Check: run-package-lock-validation
  • GitHub Check: run-jest-unit-tests

@coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8b676c6 and 1d5fad2.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • package.json (2 hunks)
🧰 Additional context used
🧠 Learnings (2)
📓 Common learnings
Learnt from: Neon-White
Repo: noobaa/noobaa-core PR: 9229
File: .github/workflows/ibm-nightly-provision-dispatcher.yaml:13-13
Timestamp: 2025-09-30T08:56:55.478Z
Learning: In the noobaa-core repository, PR #9229 (nightly IBM VM provision dispatcher) has a dependency on `.github/ibm-warp-runner-config.yaml` which is provided in PR #9230, requiring PR #9230 to be merged first.
📚 Learning: 2025-09-30T10:27:57.996Z
Learnt from: Neon-White
Repo: noobaa/noobaa-core PR: 9230
File: tools/ibm_runner_helpers/slack_notifier.js:4-4
Timestamp: 2025-09-30T10:27:57.996Z
Learning: In the noobaa-core repository, the `tools/ibm_runner_helpers/slack_notifier.js` script depends on `slack/webhook`, which is installed globally via `npm -g install 'slack/webhook'` in `.github/ibm-warp-runner-config.yaml` (cloud-init configuration) rather than being declared in package.json, since the script runs on IBM Cloud VMs provisioned by cloud-init.

Applied to files:

  • package.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Build Noobaa Image
  • GitHub Check: run-package-lock-validation
  • GitHub Check: run-jest-unit-tests
🔇 Additional comments (3)
package.json (3)

111-113: Verify native addon build compatibility.

The update to nan@2.24.0 and node-rdkafka@3.6.1 (native modules requiring compilation) should be tested to ensure:

  1. The npm run build:native process completes successfully
  2. No ABI incompatibilities are introduced with the Node.js version in use
  3. node-rdkafka's system-level Kafka dependencies remain compatible

74-146: Ensure package-lock.json is updated.

When updating dependencies in package.json, package-lock.json must be regenerated to reflect the new versions and any transitive dependency changes. Please confirm:

  1. That npm ci or npm install has been run to update the lockfile
  2. That the lockfile changes only reflect the intended updates (no unexpected transitive dependency changes)
  3. That CI/CD pipelines have validated the updated dependencies work together

75-135: Verify which CVEs motivated these dependency updates and confirm breaking change compatibility.

This PR bumps 15 dependencies without specifying which CVEs are being patched or which packages are affected by them. Based on available CVE data:

  • AWS SDK v3 (3.948.0) shows no public security-fix entry; the Java SDK has CVE-2025-24970 (Netty), not the JavaScript SDK
  • jsonwebtoken 9.0.3 addresses CVEs from 2022, not recent ones
  • Express 4.22.1 reverted a disputed CVE-2024-51999 that was rejected (no actual vulnerability)
  • yaml 2.8.2 and ldapts 8.0.18 have no known public CVEs

Before merging, please clarify:

  1. Which specific CVE(s) triggered these bumps and which packages are affected?
  2. Have you tested for breaking changes, especially in Express 4.22.1 and AWS SDK v3 compatibility?
  3. Are all version bumps security-driven, or are some routine maintenance updates?
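
The two checks this review asks for, lockfile consistency and a documented advisory behind each bump, as an added example that is not code from the noobaa project or from CodeRabbit. It assumes exact version pins as noobaa's package.json uses; the sample package.json, lockfile and advisory list are constructed, with example-lib and its advisory id as placeholders (the ws, jsonwebtoken and jws versions are the ones cited in this thread).

```javascript
// Added example, not code from the noobaa PR or from CodeRabbit: does package-lock.json agree
// with every bump in package.json, and does each bump cross the fixed version of a known
// advisory? Assumes exact pins ("8.16.0"), as noobaa does; all sample data is constructed.

// Compare dotted numeric versions: negative if a < b, zero if equal, positive if a > b.
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Every declared dependency whose pin differs between base and head (from === null: newly added).
function bumpedDeps(basePkg, headPkg) {
  const bumps = [];
  for (const s of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, to] of Object.entries(headPkg[s] || {})) {
      const from = (basePkg[s] || {})[name] ?? null;
      if (from !== to) bumps.push({ name, section: s, from, to });
    }
  }
  return bumps;
}

// Lockfile v2/v3 lists installed packages under "packages" keyed "node_modules/<name>".
// "stale": bumps the head lockfile does not reflect (lockfile not regenerated);
// "unexpected": lock entries that moved with no matching package.json bump (transitive changes).
function lockfileDrift(bumps, baseLock, headLock) {
  const ver = (lock, key) => lock.packages?.[key]?.version ?? null;
  const declared = new Set(bumps.map(b => b.name));
  const stale = bumps.filter(b => ver(headLock, `node_modules/${b.name}`) !== b.to).map(b => b.name);
  const unexpected = [];
  for (const key of Object.keys(headLock.packages || {})) {
    if (!key.startsWith('node_modules/')) continue;              // skip the root ("") entry
    const name = key.slice('node_modules/'.length);
    if (ver(baseLock, key) !== ver(headLock, key) && !declared.has(name)) unexpected.push(name);
  }
  return { stale, unexpected };
}

// A bump is explained by an advisory only if it crosses the fix: old version below fixedIn and
// new version at or above it. A bump that was already past the fix is routine maintenance.
function classifyBumps(bumps, advisories) {
  return bumps.map(b => {
    const hit = advisories.find(a => a.name === b.name && cmpVersion(b.to, a.fixedIn) >= 0 &&
      (b.from === null || cmpVersion(b.from, a.fixedIn) < 0));
    return { ...b, advisory: hit ? hit.id : null };
  });
}

// Constructed sample inputs. ws, jsonwebtoken and jws use the versions cited in the review
// thread; example-lib and its advisory id are placeholders, not a real package or CVE.
const BASE_PKG = { dependencies: { ws: '8.18.3', jsonwebtoken: '9.0.2', 'example-lib': '1.4.0' },
                   devDependencies: { sinon: '21.0.0' } };
const HEAD_PKG = { dependencies: { ws: '8.19.0', jsonwebtoken: '9.0.3', 'example-lib': '1.5.0' },
                   devDependencies: { sinon: '21.0.1', '@types/pg': '8.16.0' } };
const lockOf = versions => ({ packages: Object.fromEntries([['', {}],
  ...Object.entries(versions).map(([n, v]) => [`node_modules/${n}`, { version: v }])]) });
const BASE_LOCK = lockOf({ ws: '8.18.3', jsonwebtoken: '9.0.2', 'example-lib': '1.4.0',
                           sinon: '21.0.0', jws: '4.0.0' });
const HEAD_LOCK = lockOf({ ws: '8.19.0', jsonwebtoken: '9.0.3', 'example-lib': '1.5.0',
                           sinon: '21.0.0',                        // stale: old sinon still locked
                           '@types/pg': '8.16.0', jws: '4.0.1' }); // jws moved via jsonwebtoken
const ADVISORIES = [
  { id: 'CVE-2024-37890', name: 'ws', fixedIn: '8.17.1' },          // fixed before the base version
  { id: 'CVE-2022-23529', name: 'jsonwebtoken', fixedIn: '9.0.0' }, // likewise
  { id: 'CVE-XXXX-PLACEHOLDER', name: 'example-lib', fixedIn: '1.5.0' },
];
function reviewBumps(basePkg = BASE_PKG, headPkg = HEAD_PKG, baseLock = BASE_LOCK,
                     headLock = HEAD_LOCK, advisories = ADVISORIES) {
  const bumps = bumpedDeps(basePkg, headPkg);
  return { bumps: classifyBumps(bumps, advisories), ...lockfileDrift(bumps, baseLock, headLock) };
}
console.log(JSON.stringify(reviewBumps(), null, 2));
```

On the sample data the report flags sinon as stale in the lockfile, jws as a transitive move to review, and only the placeholder example-lib bump as actually crossing an advisory's fix version; the ws and jsonwebtoken bumps come out as routine, matching the review's own finding.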

liranmauda force-pushed the liran-bump-deps branch 5 times, most recently from 4d4fcb7 to 7e0d37a (December 11, 2025 10:12)

@coderabbitai bot left a comment

Actionable comments posted: 0

♻️ Duplicate comments (1)
package.json (1)

92-92: Express 4.22.1 compatibility already verified in prior review.

The bumping of Express to 4.22.1 (line 92) was previously flagged and verified. Per the past review comment (lines 92–92), Express 4.22.1 reverts a breaking change from v4.22.0 related to the extended query parser. The concern has been addressed in commits 906b072 to ca2563c. No further action required.

🧹 Nitpick comments (1)
package.json (1)

75-79: Verify AWS SDK v3 3.948.0 compatibility with existing codebase.

Multiple AWS SDK v3 packages are synchronized to 3.948.0 (clients, credential-providers, lib-storage, s3-request-presigner), a jump of ~11–12 patch versions from 3.936.x/3.937.x. Verify that:

  1. No breaking changes in the AWS SDK changelog between current and target version.
  2. Integration tests pass with the new SDK version, especially those exercising S3, STS, and IAM operations.

Also applies to: 131-131

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8343689 and 7e0d37a.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • package.json (2 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Build Noobaa Image
  • GitHub Check: run-package-lock-validation
  • GitHub Check: run-jest-unit-tests
🔇 Additional comments (3)
package.json (3)

137-137: Clarify @types/pg addition and its relationship to the CVE fix.

The entry "@types/pg": "8.16.0" appears to be newly added to devDependencies (line 137). Verify:

  1. Whether this addition is intentional and part of the CVE fix or a separate improvement.
  2. Whether pg version 8.16.3 (line 114) requires corresponding type definitions.
  3. No conflicts with other TypeScript type definitions in the project.

75-137: Provide CVE details and confirm all tests pass before merging.

The PR title states "Bumping deps to avoid CVE (10/12/2025)" but the PR description and context provide no specific CVE identifier (e.g., CVE-2025-XXXXX) or advisory link. Additionally, no test results are shown. Before merging, ensure:

  1. CVE Details: Link to the specific CVE advisory or security bulletin that these version bumps address, confirming that the chosen versions actually fix the vulnerability.
  2. Test Coverage: Run and verify all test suites pass:
    • Unit tests (npm run mocha)
    • Integration tests with HTTP/S3/LDAP/PostgreSQL operations
    • Jest tests (npm run jest)
    • TypeScript compilation (npm run ts)
    • Native build (npm run build:native)
  3. CI Pipeline: Ensure the PR branch passes all CI checks (linting, tests, build).

101-101: ldapts version 8.0.19 does not exist—pin to 8.0.18 or verify the intended version.

ldapts 8.0.19 is not published on npm or any public registry. The latest available version is 8.0.18. Update the dependency to a valid, published version.

Likely an incorrect or invalid review comment.

liranmauda changed the title from "Bumping deps to avoid CVE (10/12/2025)" to "Bumping deps to avoid CVE (01/01/2026)" on Jan 1, 2026

@coderabbitai bot left a comment

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
package.json (1)

74-126: Document the specific CVE(s) being addressed by these dependency updates.

The dependency updates in package.json are included in this commit, and package-lock.json is also updated with a validation workflow (Validate-package-lock.yaml) configured to run on PRs. CI/CD test workflows are similarly configured to run automatically.

However, the PR description and commit message lack specific CVE identifier(s):

  • Which CVE(s) do these updates address?
  • Which dependency updates resolve which CVEs?
  • Are there any known workarounds or configuration changes required for the updated versions?

Please update the PR description or commit message with explicit CVE ID(s) (e.g., CVE-2024-XXXXX) for each vulnerability being patched, along with references to the affected packages.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ddabbe5 and e512c4b.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • package.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Build Noobaa Image
  • GitHub Check: run-package-lock-validation
  • GitHub Check: run-jest-unit-tests
🔇 Additional comments (3)
package.json (3)

136-136: @types/node 24.10.4 is compatible with the configured Node.js version.

The project uses Node.js 24.4.1 (specified in .nvmrc), which is compatible with @types/node 24.10.4 (types for Node.js 24.x). No version mismatch detected.

123-123: No security vulnerabilities are documented for yaml@2.8.2. Snyk and other vulnerability trackers show this version as not affected by any known CVEs. The update from 2.8.1 to 2.8.2 is a patch release; without confirmed security issues to address, this comment is not warranted.

Likely an incorrect or invalid review comment.

100-100: No CVE fix in jsonwebtoken 9.0.3—this is routine dependency maintenance.

The 9.0.3 update only bumps the jws dependency to 4.0.1. There is no security fix or behavioral change to JWT token validation/signing in this release. The previous security update (CVE-2022-25883) was addressed in 9.0.2.

@coderabbitai bot left a comment

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
package.json (1)

1-149: Consider documenting specific CVE identifiers.

The PR mentions addressing "a CVE noted on 01/01/2026" but doesn't specify which CVE identifier(s) are being addressed. For better change tracking and security auditing, consider:

  1. Adding CVE identifiers (e.g., CVE-2026-XXXXX) to the PR description
  2. Documenting which packages were updated to address specific CVEs
  3. Adding a comment in the commit message listing the CVE IDs

This helps with compliance tracking and makes it easier for future developers to understand why specific versions were chosen.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e512c4b and a7056f1.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • package.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: run-jest-unit-tests
  • GitHub Check: Build Noobaa Image
  • GitHub Check: run-package-lock-validation
🔇 Additional comments (6)
package.json (6)

134-134: DevDependencies updates look reasonable.

The devDependencies updates appear to be routine maintenance:

  • @types/lodash: 4.17.21 → 4.17.23 (type definitions)
  • @types/node: 24.10.1 → 24.10.7 (type definitions)
  • @types/pg: 8.15.6 → 8.16.0 (type definitions)
  • sinon: 21.0.0 → 21.0.1 (patch)

These are lower risk since they only affect development/testing environments.

Also applies to: 136-137, 146-146

121-121: No action needed — ws 8.19.0 is secure.

ws 8.19.0 has no known security vulnerabilities. The library's significant CVE (CVE-2024-37890, a DoS via excessive headers) was fixed in 8.17.1 (June 2024), well before this update. Version 8.19.0 is a routine maintenance release adding the closeTimeout option and Node.js compatibility fixes, not a security patch. Safe to use.

100-100: jsonwebtoken 9.0.3 has no known security vulnerabilities. Previous CVEs (CVE-2022-23539, CVE-2022-23540, CVE-2022-23541, CVE-2022-23529) affecting versions ≤8.5.1 were addressed in v9.0.0. The patch update from 9.0.2 to 9.0.3 is secure.

92-92: Express 4.22.1 is the latest stable version but does not address any CVEs.

Express has been updated from 4.21.2 to 4.22.1, which is the latest stable version in the 4.x series. However, 4.22.1 does not address any CVEs. Version 4.22.0 (released the same day) attempted to address a withdrawn CVE (GHSA-pj86-cfqh-vqx6 / CVE-2024-51999), but that advisory was rejected as describing a correctness issue rather than a real security vulnerability. Version 4.22.1 reverts the erroneous change from 4.22.0 to restore prior behavior.

Likely an incorrect or invalid review comment.

75-79: AWS SDK v3 versions exist; verify this addresses the intended CVE and check for breaking changes.

All AWS SDK v3 packages at version 3.966.0 are valid and exist on npm. However, no specific CVE fixes are documented for this version. Ensure the PR description identifies which CVE(s) are being addressed, and verify that this version jump (~30 minor versions) does not introduce breaking changes before merging.

83-84: No public CVEs found for any of the listed dependency updates.

Web search of Snyk, NVD, and GitHub Advisory databases shows no publicly recorded security vulnerabilities for:

  • @google-cloud/storage 7.18.0
  • @smithy/node-http-handler 4.4.7
  • aws-sdk 2.1693.0
  • mongo-query-to-postgres-jsonb 0.2.18
  • nan 2.24.0
  • yaml 2.8.2
  • node-rdkafka 3.6.1

However, the commit message states "Bumping deps to avoid CVE," suggesting either: (1) vulnerabilities exist in transitive dependencies rather than these packages directly, (2) CVEs have not yet been publicly disclosed, or (3) the version numbers are from a private registry.

Additionally, ldapts version 8.1.3 in the package.json does not appear to exist in the public npm registry (latest published is 8.0.9). Confirm this version is available or correct the version number.

liranmauda changed the title from "Bumping deps to avoid CVE (01/01/2026)" to "Bumping deps to avoid CVE (11/11/2026)" on Jan 11, 2026
liranmauda force-pushed the liran-bump-deps branch 2 times, most recently from 61abb11 to 0123bbd (January 11, 2026 10:47)

@coderabbitai bot left a comment

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
package.json (1)

74-126: Specify the CVE identifier and clarify the security fix rationale.

The PR description references addressing a CVE but provides no CVE identifier or details about which package(s) were vulnerable. While the updated versions themselves are secure (express@4.22.1, jsonwebtoken@9.0.3, and ws@8.19.0 contain no known vulnerabilities), the PR rationale remains unclear.

For security audit and traceability:

  1. Specify the CVE identifier(s) being addressed
  2. Identify which package(s) contained the vulnerability
  3. Note: The date reference "11/11/2026" appears to be a typo

The current npm audit shows unrelated vulnerabilities in aws-sdk, ip, and pkg that are not addressed by these updates. Clarifying the specific CVE target will help determine if these updates fully resolve the intended security issue.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a7056f1 and 0123bbd.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • package.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Build Noobaa Image
  • GitHub Check: run-jest-unit-tests
🔇 Additional comments (2)
package.json (2)

92-92: No breaking changes; upgrade is safe.

Express 4.22.1 is a safe upgrade from 4.21.2. Version 4.22.1 specifically reverted a breaking change introduced in 4.22.0 related to the extended query parser. The claimed CVE-2024-51999 was rejected and is not a valid security vulnerability.

Minor deprecation notices have been added (e.g., for redirect arguments being undefined and use of the deprecated req.connection property), but these do not affect existing functionality and can be addressed proactively during future maintenance.

100-100: Both jsonwebtoken and ws are security-sensitive packages, but the version updates here are routine maintenance releases rather than security patches. The previous versions (9.0.2 and 8.18.3) are already patched against known CVEs: jsonwebtoken 9.0.2 includes fixes for CVE-2022-23529, CVE-2022-23539, CVE-2022-23540, and CVE-2022-23541 (all fixed in 9.0.0), and ws 8.18.3 includes the fix for CVE-2024-37890 (fixed in 8.17.1). The updates to 9.0.3 and 8.19.0 appear to be minor version bumps without addressing additional security vulnerabilities.

Likely an incorrect or invalid review comment.

- Bumping deps to avoid CVE (11/01/2026)

Signed-off-by: liranmauda <liran.mauda@gmail.com>