Skip to content

fix(deps): bump vulnerable transitive deps to patched versions (#405)#434

Open
MarioCadenas wants to merge 7 commits into
mainfrom
fix/405-bump-vulnerable-deps
Open

fix(deps): bump vulnerable transitive deps to patched versions (#405)#434
MarioCadenas wants to merge 7 commits into
mainfrom
fix/405-bump-vulnerable-deps

Conversation

@MarioCadenas

@MarioCadenas MarioCadenas commented Jun 11, 2026

Copy link
Copy Markdown
Collaborator

Summary

Closes #405. A fresh app on the latest @databricks/appkit / @databricks/appkit-ui trips a clean npm audit because several deps were pinned under published advisories — and the OpenTelemetry/ws chain reported fixAvailable: false downstream because the pins live inside AppKit's tree.

This splits the fix into direct bumps that propagate to downstream consumers and scoped pnpm.overrides for transitive pins that can only be cleaned in our own tree + SBOM.

Direct bumps (reach downstream consumers)

Dependency Change Advisory
OpenTelemetry cohort (api-logs, instrumentation, instrumentation-http, *-otlp-proto exporters, sdk-node, sdk-logs) 0.208.00.218.0 GHSA-q7rr-3cgh-j5r3 (HIGH, Prometheus exporter crash)
OTel stable (resources, sdk-metrics, sdk-trace-base, context-async-hooks) 2.2.02.6.x2.7.1 cohort alignment
auto-instrumentations-node / instrumentation-express 0.67.2 / 0.57.00.76.0 / 0.66.0 cohort alignment
ws 8.18.38.21.0 GHSA-58qx-3vcg-4xpx
dompurify (appkit-ui) 3.3.33.4.8 GHSA-39q2-94rc-95cp, GHSA-v9jr-rg53-9pgp

The OTel versions are exactly the set sdk-node@0.218.0 declares, so there are no peer-dep conflicts.

Transitive overrides (scoped pnpm.overrides)

protobufjs (via @grpc/proto-loader) and qs (via express) are transitive, so a direct bump can't move them:

  • protobufjs@<7.6.27.6.2 (in-range for proto-loader's ^7.5.3)
  • qs@<6.15.26.15.2

Honest scope note: overrides in a published package's package.json do not apply to a downstream install, so these clean our own tree and the shipped sbom.cdx.json only. qs stays capped at ~6.14.0 for consumers until an express 5 migration (breaking, tracked separately).

Verification

  • pnpm build
  • pnpm -r typecheck
  • Full test suite — 2801 tests
  • Telemetry tests (exercise OTel) — 61 tests
  • Lockfile resolves to the patched versions (protobufjs@7.6.2, qs@6.15.2, ws@8.21.0, dompurify@3.4.8)

App built with the template from this PR reports 0 vulnerabilities now
image

@MarioCadenas MarioCadenas requested a review from a team as a code owner June 11, 2026 10:44
@MarioCadenas MarioCadenas requested a review from calvarjorge June 11, 2026 10:44
@MarioCadenas MarioCadenas force-pushed the fix/405-bump-vulnerable-deps branch from 8ae2325 to c825658 Compare June 11, 2026 11:30
@MarioCadenas MarioCadenas force-pushed the fix/405-bump-vulnerable-deps branch from c825658 to 2d83a7d Compare June 24, 2026 10:00
A fresh app on @databricks/appkit / @databricks/appkit-ui tripped a clean
`npm audit` because several deps were pinned under published advisories,
and the OpenTelemetry/ws chain reported `fixAvailable: false` downstream.

Direct bumps (propagate to downstream consumers):
- OpenTelemetry cohort 0.208.0 -> 0.218.0 / stable 2.x -> 2.7.1,
  auto-instrumentations-node 0.67.2 -> 0.76.0,
  instrumentation-express 0.57.0 -> 0.66.0
  (clears HIGH GHSA-q7rr-3cgh-j5r3 Prometheus exporter crash)
- ws 8.18.3 -> 8.21.0 (GHSA-58qx-3vcg-4xpx)
- dompurify 3.3.3 -> 3.4.8 (GHSA-39q2-94rc-95cp, GHSA-v9jr-rg53-9pgp)

Transitive pins via scoped pnpm.overrides (cleans our tree + shipped SBOM):
- protobufjs <7.6.2 -> 7.6.2 (in-range for @grpc/proto-loader ^7.5.3)
- qs <6.15.2 -> 6.15.2 (GHSA-q8mj-m7cp-5q26; express 4.x caps qs at ~6.14.0)

Verified: pnpm build, typecheck (all packages), and full test suite
(2801 tests) pass. OTel cohort aligned per sdk-node@0.218.0 deps.

Signed-off-by: MarioCadenas <MarioCadenas@users.noreply.github.com>
@MarioCadenas MarioCadenas force-pushed the fix/405-bump-vulnerable-deps branch from 2d83a7d to 0f80174 Compare June 24, 2026 13:37
MarioCadenas and others added 6 commits June 26, 2026 10:50
…ages

PR #405 bumped transitive deps via root pnpm.overrides, which only affect
the monorepo audit and never reach the published packages or scaffolded
apps. This patches the deps where they actually propagate to consumers.

Template (direct pins, scaffolded verbatim into apps):
- react-router 7.13.0 -> 7.18.0 (HIGH; RCE/XSS/open-redirect cluster)
- vitest 4.0.14 -> 4.1.9 (CRITICAL; UI server arbitrary file read/exec)
- add npm override @opentelemetry/core: 2.8.0

Published packages:
- appkit-ui: dompurify 3.4.8 -> 3.4.11
- appkit: js-yaml 4.1.1 -> 4.2.0
- appkit: express 4.22.0 -> 4.22.2 (pulls patched qs 6.15.2)
- appkit: bump OpenTelemetry suite to the core@2.8.0 / 0.219.0 line

auto-instrumentations-node pulls framework instrumentations that pin
core back to 2.7.1, so force core>=2.8.0 via override in both the root
pnpm.overrides and the template overrides. api-logs@0.219.0 replaced the
NOOP_LOGGER export with createNoopLogger(); update telemetry/noop.ts and
its test accordingly.

Verified: build, full typecheck, biome check, check-template-deps, and
appkit tests (2365 passed) all green. A fresh scaffold from the new
template installs core@2.8.0 only, plus patched dompurify/js-yaml/qs/
react-router/vitest/express.

Signed-off-by: MarioCadenas <MarioCadenas@users.noreply.github.com>
Commit 6a26f4e bumped template/package.json (react-router 7.18.0,
vitest 4.1.9, @opentelemetry/core override 2.8.0) but left the
lockfile at the branch point, so the committed template still locked
the vulnerable versions. Regenerate via npm install so the lock pins
the patched deps: react-router 7.18.0, vitest 4.1.9, and
@opentelemetry/core collapsed to 2.8.0 across the tree.

Signed-off-by: MarioCadenas <MarioCadenas@users.noreply.github.com>
A fresh scaffold tripped npm audit on six template dev-tooling
transitive deps, all fixable in-range. Bump them in the lock:
- @babel/core 7.29.0 -> 7.29.7 (GHSA-4x5r-pxfx-6jf8)
- brace-expansion -> 1.1.15 / 2.1.1 (GHSA-f886-m6hf-6m8v)
- defu 6.1.4 -> 6.1.7 (GHSA-737v-mqg7-c878)
- flatted 3.3.3 -> 3.4.2 (GHSA-25h7-pfq9-p65f, GHSA-rf6f-7fwh-wjgh)
- picomatch 4.0.3 -> 4.0.4 (GHSA-3v7f-55p6-f55p, GHSA-c2c7-rcm5-vvqj)
- postcss 8.5.6 -> 8.5.15 (GHSA-qx2v-qp2m-jg93)

Lock-only and surgical (no @databricks/appkit subtree churn). The
remaining audit findings are in the published appkit@0.41.5 subtree
and clear when the template syncs to the next appkit release, which
patches them at source (#405).

Signed-off-by: MarioCadenas <MarioCadenas@users.noreply.github.com>
The template-artifact job runs npm install under the JFrog .npmrc
(setup-jfrog-npm) on the protected runner, baking databricks.jfrog.io
URLs into the scaffold's package-lock.json. Add a rewrite+validate step
that extends check-template-lock-registry.ts with --rewrite/--allow-file
and an optional lock path, so the shipped lock resolves from npmjs.org
only and CI fails closed if any non-public registry remains.

Signed-off-by: MarioCadenas <MarioCadenas@users.noreply.github.com>
The pr-template-artifact job in ci.yml runs npm install under the JFrog
.npmrc (setup-jfrog-npm), baking databricks.jfrog.io URLs into the
scaffold lock that PR reviewers download. Add the rewrite+validate step
there (reusing check-template-lock-registry.ts --rewrite/--allow-file).

Revert the same step from prepare-release.yml: only the PR artifact is
consumer-downloaded, so that change was out of scope.

Signed-off-by: MarioCadenas <MarioCadenas@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Transitive deps pin known-vulnerable versions (OpenTelemetry, ws, express/qs, dompurify) — downstream apps can't remediate via npm audit fix

2 participants