
Clear OSV-Scanner HIGH/MED/LOW findings via dep bumps + overrides#390

Open

vikrantpuppala wants to merge 1 commit into main from vp/security-bump-runtime-and-dev

Conversation

@vikrantpuppala (Collaborator)

Summary

Bumps deps and adds package.json overrides to clear all HIGH and MED OSV-Scanner findings against the current package-lock.json. Companion to #388 (the security workflow PR).

Top-level bumps

Type     Package                From     To
runtime  thrift                 0.16.0   0.23.0
dev      mocha                  10.2.0   10.8.2
dev      eslint                 8.22.0   8.57.1
dev      eslint-plugin-import   2.26.0   2.32.0
dev      sinon                  17.0.1   19.0.5
dev      @types/node-fetch      2.6.4    2.6.13

overrides for deep transitives

Packages reachable only via deep dependency chains where no top-level bump applies. Each is pinned to the lowest version that clears its CVEs:

"overrides": {
  "basic-ftp": "^5.3.1",
  "@75lb/deep-merge": "^1.1.2",
  "braces": "^3.0.3",
  "picomatch": "^2.3.2",
  "flatted": "^3.4.2",
  "minimatch": "^3.1.3",
  "ws": "^8.18.0",
  "cross-spawn": "^7.0.6",
  "serialize-javascript": "^7.0.5",
  "follow-redirects": "^1.16.0",
  "brace-expansion": "^1.1.13",
  "@babel/helpers": "^7.26.10",
  "@babel/runtime": "^7.26.10",
  "@babel/runtime-corejs3": "^7.26.10",
  "ip-address": "^10.1.1",
  "js-yaml": "^4.1.1",
  "micromatch": "^4.0.8"
}

Net OSV-Scanner result

HIGH:  22 -> 0
MED:   15 -> 0
LOW:    5 -> 1

The single remaining LOW is GHSA-73rr-hh4g-fpgx on diff@7.0.0, pinned by sinon@19.0.5. Can't be overridden without breaking sinon's peer ranges (sinon requires diff@^7 and the fix is in diff@8.0.3+ which sinon hasn't accepted yet). Reachable only via sinon's assertion-error rendering in test code — never runtime. Recommended to add a documented [[IgnoredVulns]] entry for it in osv-scanner.toml (this happens in #388's scope, not here).

Test-stub follow-ups required by the bumps

A few test stubs needed updates because @types/node and openid-client interfaces grew in the newer versions transitively pulled in by the dev-dep bumps:

  • tests/unit/.stubs/OAuth.ts: added a [Symbol.asyncDispose]() stub on OAuthCallbackServerStub; @types/node ≥ 18.19 added it to http.Server.
  • OAuthManager.test.ts: added FAPI2Client to the issuer stub; openid-client ≥ 5.5 widened the Issuer interface.
  • AuthorizationCode.test.ts: cast the sinon.spy assignment with `as any` for the private-field write. The stub intentionally doesn't fully mirror http.Server; runtime is identical.

No Node.js engine bump

Despite eslint/typescript-eslint declaring >=16 ranges, all of them ship versions that accept Node 14.17+. The repo's CI matrix [14, 16, 18, 20] continues to work without changes. package.json engines.node: ">=14.0.0" is also unchanged.

Test plan

  • npm run build clean
  • npm run type-check clean (no errors in lib/ or tests/)
  • npm run lint — 3 pre-existing warnings, no errors
  • OSV-Scanner v2.3.8 confirms the predicted drop
  • CI runs unit tests on Node 14/16/18/20 (this PR's first run)
  • Sanity-check on e2e if available

This pull request was AI-assisted by Isaac.
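The description above argues from dependency chains ("reachable only via deep dependency chains", "ws pinned inside thrift") and pins each override to the lowest version that clears its advisories. As an added example that is not part of PR #390 or the project's own code, the script below makes that reasoning checkable against a lockfile: it reads a package-lock.json "packages" map (lockfileVersion 2/3), resolves each dependency the way Node does, and for every entry in an overrides block reports each installed copy, whether that copy satisfies the override's caret range, and the shortest chain of dependents pulling it in from the project root. The lockfile and override map embedded in it are constructed for the example (the package names are the PR's, the tree and nested versions are illustrative), and only caret ranges are handled because every override in the PR is one.

```javascript
// Added example, not code from PR #390 or the project: audit a package-lock.json
// "packages" map against a package.json "overrides" block.

// Constructed lockfile for the example; not the project's real package-lock.json.
const LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { thrift: "^0.23.0" }, devDependencies: { mocha: "^10.8.2" } },
    "node_modules/thrift": { version: "0.23.0", dependencies: { ws: "^8.18.0" } },
    "node_modules/ws": { version: "8.18.0" },
    "node_modules/mocha": { version: "10.8.2", dependencies: { "serialize-javascript": "^6.0.2" } },
    // Nested copy still at a pre-override version, as happens when the lockfile is not regenerated.
    "node_modules/mocha/node_modules/serialize-javascript": { version: "6.2.0" },
  },
};

// A subset of the PR's overrides plus one for a package absent from this constructed tree.
const OVERRIDES = { ws: "^8.18.0", "serialize-javascript": "^7.0.5", "basic-ftp": "^5.3.1" };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Caret semantics: same major (same minor when major is 0) and not below the minimum.
function satisfiesCaret(installed, range) {
  if (!range.startsWith("^")) throw new Error(`only caret ranges handled: ${range}`);
  const inst = parseVersion(installed), min = parseVersion(range.slice(1));
  const sameLine = min[0] !== 0 ? inst[0] === min[0] : inst[0] === 0 && inst[1] === min[1];
  if (!sameLine) return false;
  for (let i = 0; i < 3; i++) if (inst[i] !== min[i]) return inst[i] > min[i];
  return true;
}

// "node_modules/a/node_modules/b" -> "node_modules/a"; top-level entries -> "" (the root).
function parentPath(pkgPath) {
  const i = pkgPath.lastIndexOf("/node_modules/");
  return i === -1 ? "" : pkgPath.slice(0, i);
}

// Mimic Node resolution: the dependent's own node_modules first, then each ancestor's.
function resolveDep(lock, fromPath, depName) {
  for (let dir = fromPath; ; dir = parentPath(dir)) {
    const candidate = (dir === "" ? "" : dir + "/") + "node_modules/" + depName;
    if (lock.packages[candidate]) return candidate;
    if (dir === "") return null;
  }
}

// Reverse edges: resolved package path -> paths of the packages that depend on it.
function buildDependents(lock) {
  const dependents = new Map();
  for (const [from, entry] of Object.entries(lock.packages)) {
    const deps = { ...entry.dependencies, ...entry.devDependencies, ...entry.optionalDependencies };
    for (const name of Object.keys(deps)) {
      const to = resolveDep(lock, from, name);
      if (to === null) continue;
      if (!dependents.has(to)) dependents.set(to, []);
      dependents.get(to).push(from);
    }
  }
  return dependents;
}

// Breadth-first search from the target back to the root; returns the chain root-first,
// or null when nothing in the root's tree reaches the target (an orphaned entry).
function chainToRoot(dependents, target) {
  const prev = new Map([[target, null]]);
  const queue = [target];
  while (queue.length > 0) {
    const cur = queue.shift();
    if (cur === "") {
      const chain = [];
      for (let p = ""; p !== null; p = prev.get(p)) chain.push(p);
      return chain;
    }
    for (const d of dependents.get(cur) || []) {
      if (!prev.has(d)) { prev.set(d, cur); queue.push(d); }
    }
  }
  return null;
}

// One finding per installed copy of each overridden package; overrides with no copy are flagged unused.
function auditOverrides(lock, overrides) {
  const dependents = buildDependents(lock);
  const findings = [];
  for (const [name, range] of Object.entries(overrides)) {
    const copies = Object.keys(lock.packages).filter(
      (p) => p === `node_modules/${name}` || p.endsWith(`/node_modules/${name}`));
    if (copies.length === 0) {
      findings.push({ name, range, path: null, version: null, ok: true, chain: null,
                      note: "unused override (not in lockfile)" });
      continue;
    }
    for (const path of copies) {
      const version = lock.packages[path].version;
      findings.push({ name, range, path, version, ok: satisfiesCaret(version, range),
                      chain: chainToRoot(dependents, path), note: null });
    }
  }
  return findings;
}

function formatFinding(f) {
  if (f.note) return `${f.name}: ${f.note}`;
  const via = f.chain ? f.chain.slice(1).join(" > ") : "(orphan, unreachable from root)";
  return `${f.name}@${f.version} ${f.ok ? "satisfies" : "VIOLATES"} ${f.range} via ${via}`;
}

for (const f of auditOverrides(LOCKFILE, OVERRIDES)) console.log(formatFinding(f));
```

To run it against a real tree, replace LOCKFILE with the parsed package-lock.json and OVERRIDES with the block from package.json. A VIOLATES line means the override did not take effect, usually because the lockfile was not regenerated after the override was added, and an unused override is one to delete rather than carry forward, since it will silently re-pin a package if it ever returns to the tree. The ignore the description recommends for the remaining LOW belongs in osv-scanner.toml as an [[IgnoredVulns]] entry with a reason and an ignoreUntil date, so it is revisited once sinon accepts diff@8 rather than becoming permanent.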

Surfaced by OSV-Scanner against package-lock.json. The pre-change scan
reported 22 HIGH / 15 MED / 5 LOW (42 total). After this PR a clean
scan against the new lockfile reports 0 HIGH / 0 MED / 1 LOW (the
single remaining LOW is GHSA-73rr-hh4g-fpgx on diff@7.0.0, pinned by
sinon@19.0.5 — not overridable without breaking sinon's peer ranges,
and is reachable only via assertion-error rendering in test code).

Top-level bumps (runtime):
  thrift  0.16.0 -> 0.23.0
    GHSA-r67j-r569-jrwp, GHSA-526f-jxpj-jmg2 (both HIGH)

Top-level bumps (devDependencies):
  mocha                  10.2.0   -> 10.8.2
  eslint                 8.22.0   -> 8.57.1
  eslint-plugin-import   2.26.0   -> 2.32.0
  sinon                  17.0.1   -> 19.0.5
  @types/node-fetch      2.6.4    -> 2.6.13

`overrides` block added for deep transitives that can't be reached by
top-level bumps (basic-ftp via proxy-agent chain; @75lb/deep-merge
via apache-arrow chain; ws pinned inside thrift; cross-spawn pinned
inside eslint; etc.). Each override is set to the lowest version that
clears its CVEs to minimize unintended behavior changes.

Test-stub follow-ups (required by the dev-dep bumps' newer types):
  - OAuthCallbackServerStub: add Symbol.asyncDispose stub method
    (newer @types/node added it to http.Server).
  - Issuer stub in OAuthManager.test: add FAPI2Client property
    (openid-client >= 5.5 widened the interface).
  - AuthorizationCode.test: cast sinon.spy result to `as any` for the
    private-field assignment (the stub intentionally doesn't fully
    mirror http.Server; runtime is identical).

Net OSV-Scanner result after this PR:
  HIGH:  22 -> 0
  MED:   15 -> 0
  LOW:    5 -> 1  (sinon-pinned, documented in PR description)

Verified locally:
  npm run build       -- clean
  npm run type-check  -- clean (no errors in lib/ or tests/)
  npm run lint        -- 3 pre-existing warnings, no errors

Co-authored-by: Isaac
Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>