fix(deps): bump vulnerable transitive deps to patched versions (#405)#434
Open
MarioCadenas wants to merge 7 commits into
Open
fix(deps): bump vulnerable transitive deps to patched versions (#405)#434MarioCadenas wants to merge 7 commits into
MarioCadenas wants to merge 7 commits into
Conversation
8ae2325 to
c825658
Compare
c825658 to
2d83a7d
Compare
A fresh app on @databricks/appkit / @databricks/appkit-ui tripped a clean `npm audit` because several deps were pinned under published advisories, and the OpenTelemetry/ws chain reported `fixAvailable: false` downstream. Direct bumps (propagate to downstream consumers): - OpenTelemetry cohort 0.208.0 -> 0.218.0 / stable 2.x -> 2.7.1, auto-instrumentations-node 0.67.2 -> 0.76.0, instrumentation-express 0.57.0 -> 0.66.0 (clears HIGH GHSA-q7rr-3cgh-j5r3 Prometheus exporter crash) - ws 8.18.3 -> 8.21.0 (GHSA-58qx-3vcg-4xpx) - dompurify 3.3.3 -> 3.4.8 (GHSA-39q2-94rc-95cp, GHSA-v9jr-rg53-9pgp) Transitive pins via scoped pnpm.overrides (cleans our tree + shipped SBOM): - protobufjs <7.6.2 -> 7.6.2 (in-range for @grpc/proto-loader ^7.5.3) - qs <6.15.2 -> 6.15.2 (GHSA-q8mj-m7cp-5q26; express 4.x caps qs at ~6.14.0) Verified: pnpm build, typecheck (all packages), and full test suite (2801 tests) pass. OTel cohort aligned per sdk-node@0.218.0 deps. Signed-off-by: MarioCadenas <MarioCadenas@users.noreply.github.com>
2d83a7d to
0f80174
Compare
…ages PR #405 bumped transitive deps via root pnpm.overrides, which only affect the monorepo audit and never reach the published packages or scaffolded apps. This patches the deps where they actually propagate to consumers. Template (direct pins, scaffolded verbatim into apps): - react-router 7.13.0 -> 7.18.0 (HIGH; RCE/XSS/open-redirect cluster) - vitest 4.0.14 -> 4.1.9 (CRITICAL; UI server arbitrary file read/exec) - add npm override @opentelemetry/core: 2.8.0 Published packages: - appkit-ui: dompurify 3.4.8 -> 3.4.11 - appkit: js-yaml 4.1.1 -> 4.2.0 - appkit: express 4.22.0 -> 4.22.2 (pulls patched qs 6.15.2) - appkit: bump OpenTelemetry suite to the core@2.8.0 / 0.219.0 line auto-instrumentations-node pulls framework instrumentations that pin core back to 2.7.1, so force core>=2.8.0 via override in both the root pnpm.overrides and the template overrides. api-logs@0.219.0 replaced the NOOP_LOGGER export with createNoopLogger(); update telemetry/noop.ts and its test accordingly. Verified: build, full typecheck, biome check, check-template-deps, and appkit tests (2365 passed) all green. A fresh scaffold from the new template installs core@2.8.0 only, plus patched dompurify/js-yaml/qs/ react-router/vitest/express. Signed-off-by: MarioCadenas <MarioCadenas@users.noreply.github.com>
Commit 6a26f4e bumped template/package.json (react-router 7.18.0, vitest 4.1.9, @opentelemetry/core override 2.8.0) but left the lockfile at the branch point, so the committed template still locked the vulnerable versions. Regenerate via npm install so the lock pins the patched deps: react-router 7.18.0, vitest 4.1.9, and @opentelemetry/core collapsed to 2.8.0 across the tree. Signed-off-by: MarioCadenas <MarioCadenas@users.noreply.github.com>
A fresh scaffold tripped npm audit on six template dev-tooling transitive deps, all fixable in-range. Bump them in the lock: - @babel/core 7.29.0 -> 7.29.7 (GHSA-4x5r-pxfx-6jf8) - brace-expansion -> 1.1.15 / 2.1.1 (GHSA-f886-m6hf-6m8v) - defu 6.1.4 -> 6.1.7 (GHSA-737v-mqg7-c878) - flatted 3.3.3 -> 3.4.2 (GHSA-25h7-pfq9-p65f, GHSA-rf6f-7fwh-wjgh) - picomatch 4.0.3 -> 4.0.4 (GHSA-3v7f-55p6-f55p, GHSA-c2c7-rcm5-vvqj) - postcss 8.5.6 -> 8.5.15 (GHSA-qx2v-qp2m-jg93) Lock-only and surgical (no @databricks/appkit subtree churn). The remaining audit findings are in the published appkit@0.41.5 subtree and clear when the template syncs to the next appkit release, which patches them at source (#405). Signed-off-by: MarioCadenas <MarioCadenas@users.noreply.github.com>
The template-artifact job runs npm install under the JFrog .npmrc (setup-jfrog-npm) on the protected runner, baking databricks.jfrog.io URLs into the scaffold's package-lock.json. Add a rewrite+validate step that extends check-template-lock-registry.ts with --rewrite/--allow-file and an optional lock path, so the shipped lock resolves from npmjs.org only and CI fails closed if any non-public registry remains. Signed-off-by: MarioCadenas <MarioCadenas@users.noreply.github.com>
The pr-template-artifact job in ci.yml runs npm install under the JFrog .npmrc (setup-jfrog-npm), baking databricks.jfrog.io URLs into the scaffold lock that PR reviewers download. Add the rewrite+validate step there (reusing check-template-lock-registry.ts --rewrite/--allow-file). Revert the same step from prepare-release.yml: only the PR artifact is consumer-downloaded, so that change was out of scope. Signed-off-by: MarioCadenas <MarioCadenas@users.noreply.github.com>
atilafassina
approved these changes
Jun 30, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes #405. A fresh app on the latest
@databricks/appkit/@databricks/appkit-uitrips a cleannpm auditbecause several deps were pinned under published advisories — and the OpenTelemetry/ws chain reportedfixAvailable: falsedownstream because the pins live inside AppKit's tree.This splits the fix into direct bumps that propagate to downstream consumers and scoped
pnpm.overridesfor transitive pins that can only be cleaned in our own tree + SBOM.Direct bumps (reach downstream consumers)
api-logs,instrumentation,instrumentation-http,*-otlp-protoexporters,sdk-node,sdk-logs)0.208.0→0.218.0GHSA-q7rr-3cgh-j5r3(HIGH, Prometheus exporter crash)resources,sdk-metrics,sdk-trace-base,context-async-hooks)2.2.0–2.6.x→2.7.1auto-instrumentations-node/instrumentation-express0.67.2/0.57.0→0.76.0/0.66.0ws8.18.3→8.21.0GHSA-58qx-3vcg-4xpxdompurify(appkit-ui)3.3.3→3.4.8GHSA-39q2-94rc-95cp,GHSA-v9jr-rg53-9pgpThe OTel versions are exactly the set
sdk-node@0.218.0declares, so there are no peer-dep conflicts.Transitive overrides (scoped
pnpm.overrides)protobufjs(via@grpc/proto-loader) andqs(viaexpress) are transitive, so a direct bump can't move them:protobufjs@<7.6.2→7.6.2(in-range for proto-loader's^7.5.3)qs@<6.15.2→6.15.2Honest scope note: overrides in a published package's
package.jsondo not apply to a downstream install, so these clean our own tree and the shippedsbom.cdx.jsononly.qsstays capped at~6.14.0for consumers until anexpress5 migration (breaking, tracked separately).Verification
pnpm build✅pnpm -r typecheck✅protobufjs@7.6.2,qs@6.15.2,ws@8.21.0,dompurify@3.4.8)App built with the template from this PR reports 0 vulnerabilities now
