Update versions to resolve security vulnerabilities in transitive dependencies#97
Draft
This is required for #96 as validation checks are failing
Resolves security vulnerabilities in transitive dependencies by updating package resolutions.
Changes

Vulnerability fixes in `resolutions`:

- `fast-xml-parser` → `>=5.3.6` (was `>=5.3.4`) — fixes DoS via entity expansion in DOCTYPE (advisory)
  - `@actions/artifact > @azure/storage-blob > @azure/core-xml > fast-xml-parser`
- `minimatch` → `>=10.2.1` — fixes ReDoS via repeated wildcards with non-matching literal (advisory)
  - `@actions/artifact > archiver > archiver-utils > glob > minimatch`
  - `@actions/artifact > archiver > zip-stream > archiver-utils > glob > minimatch`
  - `@actions/artifact > archiver > readdir-glob > minimatch`

Dev tooling fix in `resolutions`:

- `test-exclude` → `^7.0.1` — required because the global `minimatch` resolution forces v10.x, which changes the default export from a callable function to an object. The `test-exclude` package (used by Jest/Istanbul for code coverage instrumentation) calls `minimatch()` as a direct function, which breaks with v10. Version 7.0.1 of `test-exclude` uses the destructured named import (`const { minimatch } = require('minimatch')`) which is compatible with v10. This is a transitive dev dependency of `babel-plugin-istanbul` — it is never bundled into `dist/` and has zero impact on customer workflows.

License cache updates:

- `balanced-match` and `brace-expansion` license metadata from `other` to `mit` — these new transitive dependencies (pulled in by `minimatch` 10.x) have valid MIT license text but the `licensed` tool could not auto-detect the SPDX identifier.

Updated files:

- `package.json` (resolutions)
- `yarn.lock` (regenerated)
- `dist/` (rebuilt via `yarn run package`)
- `.licenses/npm/balanced-match.dep.yml`
- `.licenses/npm/brace-expansion.dep.yml`

Why `minimatch` required special handling

The `minimatch` 10.x upgrade is a breaking API change: `require('minimatch')` returns an object instead of a callable function. However, the production code in the dependency chain (`glob`, `readdir-glob`) uses the `Minimatch` class via `const { Minimatch } = require('minimatch')`, which still works in v10. The only breakage was in `test-exclude` v6 (a dev-only transitive dependency) which used the old `const minimatch = require('minimatch')` default import. Upgrading `test-exclude` to v7.0.1 resolves this since it was updated to use the named import.

The upstream `archiver` package is effectively unmaintained and has not updated its dependencies, which is why the resolution approach is necessary.

Impact verification: minimatch 10.x API change is safe

The minimatch 10.x default export changed from a callable function to an object. Verified that this does not affect any production code:

- `src/`, `__tests__/`: Zero references to `minimatch`. The action code does not use minimatch directly.
- `dist/*.js`: Minimatch is present as a transitive dependency inside the NCC bundles (from `@actions/artifact > archiver > glob/readdir-glob`). Every usage across all four bundles uses the class-based API (`new Minimatch(...)`, `const { Minimatch } = require('minimatch')`), which is fully compatible with v10.x. There are zero direct `minimatch()` function calls in any bundled file.
- `test-exclude` v6 (Jest coverage instrumentation), resolved by upgrading to v7.0.1 which uses the named import.

No customer-facing functionality is affected by this change.
Testing
✅ All tests passing
✅ Build, lint, and format checks passed
✅ License validation updated
✅ End-to-end validation on the branch:
- `json` output + `export_scan_result_artifact: true`: passed — artifact was successfully uploaded, confirming `archiver > glob/readdir-glob > Minimatch` class works correctly with minimatch 10.x

TODO
Test container scan, other sca scan options and all and update before merging