NONJAVACLI-4353: bump axios and pin transitive deps for CVE fixes #478
Devarsh Patel (Devarsh010) wants to merge 1 commit into master from
Pull request overview
Updates dependency versions to address CVEs flagged by Trivy / npm audit across the monorepo, primarily by bumping axios and adding root-level npm overrides, then regenerating the lockfile.
Changes:
- Bump `axios` to `^1.15.0` in `schemaregistry` and `schemaregistry-examples`.
- Add a root `overrides` block to force patched transitive dependency versions.
- Regenerate `package-lock.json` to reflect the patched dependency tree.
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| schemaregistry/package.json | Bumps direct axios dependency to a patched release. |
| schemaregistry-examples/package.json | Bumps dev axios dependency to a patched release. |
| package.json | Adds root npm overrides to enforce patched transitive versions. |
| package-lock.json | Lockfile regeneration reflecting the new overrides and updated transitive graph. |
| "overrides": { | ||
| "axios": "^1.15.0", | ||
| "follow-redirects": ">=1.16.0", | ||
| "@tootallnate/once": ">=3.0.1", | ||
| "serialize-javascript": ">=7.0.5", |
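Review bot: the `"axios": "^1.15.0"` entry in this overrides block duplicates the direct `axios` bump made in `schemaregistry/package.json` and `schemaregistry-examples/package.json`; an override only earns its place if some other dependency still requests an older axios, and neither the hunk nor the PR description names that dependency. Record it (for instance the `npm ls axios` output from before the override) in the description so a future maintainer knows when the override can be dropped.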
The new overrides are described as “pinning transitive deps”, but several entries use open-ended ranges (>=... / ^...). That can allow unexpected future major upgrades to enter the tree without a repo change, and reduces reproducibility. Consider switching these overrides to exact versions or upper-bounded ranges so they’re actually pinned to a reviewed set.
What
Patches CVEs flagged by Trivy and `npm audit` against `confluent-kafka-javascript` v1.9.0. No source code changes, `package.json` overrides + a direct axios bump only.
Direct dep bumps
- `schemaregistry/package.json` — `axios` `^1.13.5` → `^1.15.0`
- `schemaregistry-examples/package.json` — `axios` `^1.13.5` → `^1.15.0`
Root `overrides` block added to pin vulnerable transitive deps to patched versions. Overrides live only in the root `package.json` because npm honors `overrides` only at the top of the project — duplicating them in workspace `package.json` files would be silently ignored.
- `axios` `^1.15.0`
- `follow-redirects` `>=1.16.0`
- `@tootallnate/once` `>=3.0.1` (via `@google-cloud/kms`)
- `serialize-javascript` `>=7.0.5`
- `>=7.5.10`
- `>=1.13.8`
- `>=4.18.0`
- `^7.5.5` (`google-gax` peer dep)
- `>=8.0.3`
Lockfile regenerated against `registry.npmjs.org`.
Notes on deliberate omissions
- `fast-xml-parser` (vulnerable range `5.0.0`–`5.3.7`) is not pinned. The `@aws-sdk/xml-builder` peer dep naturally resolves it to `5.5.8`, which is past the vulnerable range. Adding an override forced version conflicts with `@aws-sdk`'s exact peer requirement during testing — minimum-necessary-intervention.
- `mocha` is not downgraded. `npm audit fix --force` would have downgraded mocha to `7.2.0` (a breaking change) to escape vulnerable `serialize-javascript@6.x`. Our `serialize-javascript` override pins the transitive directly while leaving mocha at `10.8.2`.
Checklist
References
JIRA:
https://confluentinc.atlassian.net/browse/NONJAVACLI-4353
https://confluentinc.atlassian.net/browse/NONJAVACLI-4328
Test & Review
All run locally on macOS arm64 against a clean `node_modules` and lockfile regenerated against `registry.npmjs.org`:
- `npm audit --registry=https://registry.npmjs.org/`
- `make lint` (cpplint + eslint)
- `make test` (root mocha unit)
- `cd schemaregistry && make test` (jest unit)
- `cd schemaregistry && make integtest` (real Kafka + Schema Registry via docker-compose)
- `make promisified_test` (Kafka client jest e2e against real broker)
538 tests run, 533 passed, 5 expected skips, 0 unexpected failures.
Open questions / Follow-ups
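Added example, not code from this PR or the confluent-kafka-javascript repo: a small checker that walks a lockfile-v3 `packages` map and reports any installed copy of an overridden package that falls outside the root `overrides` range, the check that would expose an override silently ignored in a workspace `package.json` or a nested copy that npm left untouched. It handles only the `>=x.y.z` and `^x.y.z` forms used in this PR; the overrides map and lockfile fragment are constructed sample data, with the four package names taken from the hunk above.

```javascript
// Added example, not code from the PR: check a lockfile-v3 "packages" map against
// the root "overrides" block and report every installed copy of an overridden package
// outside its override range. Handles only the ">=x.y.z" and "^x.y.z" forms used here.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}
// True when `version` satisfies `range` (">=x.y.z" or "^x.y.z").
function satisfies(version, range) {
  const v = parseVersion(version);
  if (range.startsWith('>=')) return compare(v, parseVersion(range.slice(2))) >= 0;
  if (!range.startsWith('^')) throw new Error(`unsupported range: ${range}`);
  const base = parseVersion(range.slice(1));
  if (compare(v, base) < 0) return false;
  // caret keeps the leftmost non-zero component fixed
  if (base[0] !== 0) return v[0] === base[0];
  if (base[1] !== 0) return v[0] === 0 && v[1] === base[1];
  return v[0] === 0 && v[1] === 0 && v[2] === base[2];
}
// Lockfile keys end in "node_modules/<name>"; the name is whatever follows the last one.
function findOverrideViolations(overrides, lock) {
  const violations = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx < 0) continue; // root and workspace entries, nothing to check
    const name = path.slice(idx + 'node_modules/'.length);
    const range = overrides[name];
    if (range && !satisfies(entry.version, range)) {
      violations.push({ path, version: entry.version, range });
    }
  }
  return violations;
}
// Constructed sample data: the four overrides visible in this PR's hunk plus a
// lockfile fragment in which mocha's nested serialize-javascript still predates it.
const SAMPLE_OVERRIDES = { axios: '^1.15.0', 'follow-redirects': '>=1.16.0',
  '@tootallnate/once': '>=3.0.1', 'serialize-javascript': '>=7.0.5' };
const SAMPLE_LOCK = { packages: {
  '': { name: 'confluent-kafka-javascript' },
  'node_modules/axios': { version: '1.15.0' },
  'node_modules/follow-redirects': { version: '1.16.0' },
  'node_modules/@tootallnate/once': { version: '3.0.1' },
  'node_modules/serialize-javascript': { version: '7.0.5' },
  'node_modules/mocha/node_modules/serialize-javascript': { version: '6.0.2' },
} };
```

Run `findOverrideViolations` against `JSON.parse` of the real root `package.json` overrides and `package-lock.json` after `npm install`; an empty array means every installed copy honours the overrides, and a non-empty one names the path that still needs attention.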