[APS-19017] fix: supply-chain hygiene (mocha->devDeps, pin Semgrep image, files allowlist) #1129

Open
Rohannagariya1 wants to merge 1 commit into master from fix/APS-19017-supply-chain-hygiene

@Rohannagariya1

Collaborator

Security Fix: APS-19017 (Low, supply-chain hygiene)

Applied the SAFE mechanical fixes from the ticket. The behavioral md5->sha256 change is intentionally NOT included (see below).

INF-005 — mocha in production dependencies

Removed mocha from dependencies (kept in devDependencies). The CLI loads mocha from the user's own project via requireModule(), so the production copy was unnecessary and shipped serialize-javascript (GHSA-5c6j-r48x-rmvq).
Verified: npm ls mocha --omit=dev -> (empty). mocha is dev: true in the lock.

INF-007 — unpinned Semgrep CI image

Pinned .github/workflows/Semgrep.yml from returntocorp/semgrep to returntocorp/semgrep@sha256:f4791a54c891eabe1188248135574e6e03dfc31dfd3f3b747c7bec7079bfed1b (digest of :latest resolved via Docker Hub registry API on 2026-06-15).

INF-008 — tarball ships .github/ and CODEOWNERS

Added a files allowlist to package.json: ["bin/", "README.md", "LICENSE.md"]. (Note: the repo has LICENSE.md, not LICENSE, and has no index.js/lib/ despite main: index.js — so the allowlist lists only paths that actually exist.)
Verified: npm pack --dry-run now emits only bin/, README.md, LICENSE.md. .github/, CODEOWNERS, .nycrc.yml, test/ are all excluded.

INF-001 — axios

Already ^1.15.0; no change needed.

NOT applied — needs human sign-off

  • CSL-003 (constants.js md5->sha256): This alters the upload-dedup hash algorithm. Changing it is behavioral and could invalidate the existing dedup cache. Deliberately left for human decision, not auto-applied.

Jira Ticket

https://browserstack.atlassian.net/browse/APS-19017

…mage, add files allowlist [APS-19017]

INF-005: remove mocha from dependencies (kept in devDependencies); CLI loads mocha from user project via requireModule(), prod copy unnecessary. npm ls mocha --omit=dev now empty.

INF-007: pin Semgrep CI image returntocorp/semgrep -> @sha256:f4791a54c891eabe1188248135574e6e03dfc31dfd3f3b747c7bec7079bfed1b (latest as of 2026-06-15).

INF-008: add package.json files allowlist [bin/, README.md, LICENSE.md] so npm pack no longer ships .github/, CODEOWNERS, .nycrc.yml, test/. Verified via npm pack --dry-run.

NOT applied: CSL-003 md5->sha256 (constants.js) — behavioral change to upload-dedup hash; needs human sign-off.

Resolves: APS-19017

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Rohannagariya1 requested a review from a team as a code owner on June 15, 2026 07:45
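
The three checks this PR verifies by hand (test runner kept out of `dependencies`, a `files` allowlist whose entries exist, CI image pinned by digest) can be run as one audit function. This is an added example, not code from the PR or the repository: the package name, mocha version, workflow layout and digest are constructed sample data, and the line-based YAML scan assumes the simple `image:` and `uses: docker://` forms.

```javascript
// Added example, not code from this PR. Sample inputs at the bottom are constructed.
// An image reference counts as pinned only when it ends in @sha256:<64 hex chars>.
const DIGEST_RE = /@sha256:[0-9a-f]{64}$/;

// Line-based scan of workflow YAML for `image: <ref>` and `uses: docker://<ref>`.
function findUnpinnedImages(workflowYaml) {
  const unpinned = [];
  for (const raw of workflowYaml.split('\n')) {
    const line = raw.replace(/\s+#.*$/, '').trim(); // drop comments
    const m = line.match(/^(?:-\s*)?(?:image:\s*|uses:\s*docker:\/\/)["']?([^"'\s]+)["']?$/);
    if (m && !DIGEST_RE.test(m[1])) unpinned.push(m[1]);
  }
  return unpinned;
}

// pkg: parsed package.json; repoPaths: Set of paths that exist at the repo root.
function auditPackage(pkg, repoPaths, testOnly = ['mocha']) {
  const findings = testOnly
    .filter((name) => Object.keys(pkg.dependencies || {}).includes(name))
    .map((name) => `${name} is listed in dependencies, so it ships to production installs`);
  if (!Array.isArray(pkg.files)) {
    findings.push('no "files" allowlist in package.json');
  } else {
    for (const entry of pkg.files) {
      // An allowlist entry that matches nothing silently publishes nothing.
      if (!repoPaths.has(entry.replace(/\/+$/, ''))) {
        findings.push(`"files" entry ${entry} does not exist`);
      }
    }
  }
  return findings;
}

// Combine package and workflow findings into one list.
function audit(pkg, repoPaths, workflowYaml) {
  const images = findUnpinnedImages(workflowYaml).map((ref) => `image ${ref} is not pinned by digest`);
  return auditPackage(pkg, repoPaths).concat(images);
}

// Constructed sample data (hypothetical package name, versions, workflow layout and digest).
const repoPaths = new Set(['bin', 'README.md', 'LICENSE.md', '.github', 'CODEOWNERS', 'test']);
const yamlFor = (ref) => `jobs:\n  semgrep:\n    container:\n      image: ${ref}\n`;
const beforePkg = { name: 'example-cli', dependencies: { axios: '^1.15.0', mocha: '^10.0.0' } };
const afterPkg = { name: 'example-cli', dependencies: { axios: '^1.15.0' },
  devDependencies: { mocha: '^10.0.0' }, files: ['bin/', 'README.md', 'LICENSE.md'] };

console.log(audit(beforePkg, repoPaths, yamlFor('returntocorp/semgrep'))); // three findings
console.log(audit(afterPkg, repoPaths, yamlFor('returntocorp/semgrep@sha256:' + 'a'.repeat(64)))); // []
```

A `files` entry of `LICENSE` instead of `LICENSE.md` is reported as missing, which is the mismatch the description calls out for INF-008.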