chore(deps): security modernization of dev toolchain and transitive pins#489
Open
prisis wants to merge 1 commit into
Open
chore(deps): security modernization of dev toolchain and transitive pins#489prisis wants to merge 1 commit into
prisis wants to merge 1 commit into
Conversation
Reduce audit findings without changing the runtime behaviour of the action. - Upgrade the Jest test toolchain (jest, jest-circus 27 -> 30; ts-jest 27 -> 29; @types/jest 27 -> 30) and eslint-plugin-jest 26 -> 29. This clears the bulk of the high/critical advisories that came from the old jest 27 dependency tree (@babel/traverse, braces, json5, lodash, micromatch, semver, tmpl, ws, cross-spawn, ...). - Add a yarn "resolutions" block to force patched versions of transitive packages that only old dev tooling pulled in (semver, lodash, braces, micromatch, cross-spawn, json5, form-data, tmpl, moment, brace-expansion, minimatch, minimist, chrono-node) plus scoped pins for the nested ReDoS-vulnerable copies (anymatch/picomatch, strip-ansi/ansi-regex, wrap-ansi/ansi-regex). Audit (yarn audit): 55 critical / 204 high / 116 moderate / 19 low (394) -> 0 critical / 5 high / 13 moderate / 2 low (20). Build and tests are unchanged versus the pre-existing baseline (both were already failing on this branch for reasons unrelated to dependencies: the tests import from a never-generated lib/ directory because tsconfig sets noEmit, and tsc fails on pre-existing @octokit/core typing in github-manager.ts). No runtime dependency majors were bumped. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Reduces
yarn auditfindings on thealphabranch as far as can be done safely without touching the action's runtime behaviour. The strategy was: upgrade the old Jest-era dev toolchain to current majors, and add a yarnresolutionsblock to force patched versions of vulnerable transitive packages. No production/runtime dependency majors were bumped (see "Remaining advisories" for why).Audit results (yarn audit)
Dependency count dropped from 2033 to ~1659.
What changed
Dev dependency upgrades (clears the bulk of the old jest 27 tree:
@babel/traverse,braces,json5,lodash,micromatch,semver,tmpl,ws,cross-spawn,form-data, ...):jest27 -> 30jest-circus27 -> 30ts-jest27 -> 29@types/jest27 -> 30eslint-plugin-jest26 -> 29Yarn
resolutionsto force patched transitive versions:semver,lodash,braces,micromatch,cross-spawn,json5,form-data,tmpl,moment,brace-expansion(2.0.3),minimatch(9.0.9),minimist(1.2.8),chrono-node,ip(latest available)anymatch/picomatch-> 2.3.2,strip-ansi/ansi-regex-> 5.0.1,wrap-ansi/ansi-regex-> 5.0.1Build & tests
Both
buildandtestwere already failing onalphabefore this PR, for reasons unrelated to dependencies, and they fail identically after this change (no regression):yarn build(tsc) fails with 7 pre-existingTS2339errors insrc/github-manager.ts(octokit.git/octokit.repos/octokit.pullsdo not exist on the bare@octokit/coreOctokittype).yarn test(jest) fails because the test files import from../lib/*, which is never produced (tsconfig.jsonsetsnoEmit: true). Jest 30 + ts-jest 29 themselves load and run correctly.This PR does not attempt to fix those pre-existing failures; it only ensures the dependency changes do not make them worse.
Remaining advisories and why they cannot be fixed here
All remaining findings are pinned by the runtime
@octokit/action@3and@actions/*chains. Fixing them requires major runtime upgrades that change the action's behaviour and cannot be verified end-to-end in this environment, so they were deliberately left alone:ip(high, 1 path, via@octokit/action) — abandoned package, no patched version exists (advisorypatched: <0.0.0). Would only disappear by upgrading@octokit/actionto v8 (which drops theproxy-agent/pac-resolverchain).@octokit/request,@octokit/request-error,@octokit/plugin-paginate-rest(moderate, via@octokit/action) — structurally tied to@octokit/action@3/@octokit/core@3. The patched versions require@octokit/core@5+, i.e.@octokit/action@8. That upgrade was rejected because v8's@octokit/actionauto-authenticates from the Actions environment and ignores the explicitauthoption the code passes from thegithub_tokeninput — a behavioural regression for users supplying a custom token, which cannot be validated here.undici(moderate, via@actions/core/@actions/tool-cache) — pulled by@actions/http-client@2, which is built for undici 5.x. The patched undici (>=6.23) only ships with@actions/http-client@4; forcing it is an unverifiable runtime major bump. These run inside trusted GitHub Actions runners against api.github.com, so real-world exploitability is low.uuid(moderate, via@actions/tool-cache) —tool-cache@1.7.2pinsuuid@^3; forcing uuid 11 changes the module's API (default vs named export) and would break tool-cache.@tootallnate/once(low, via@octokit/action) — part of the same@octokit/action@3proxy chain; disappears only with the rejected v8 upgrade.Note:
vm2(previously the largest critical cluster, via@octokit/action@3'spac-resolver) is no longer reported by the audit feed and no longer surfaces as critical. It remains on disk via the same@octokit/action@3chain and would be fully removed by the (deliberately deferred)@octokit/action@8upgrade.Chosen strategy
Stayed on yarn classic with upgrades + resolutions. A pnpm migration was considered but rejected: it would not change the dependency surface (the remaining advisories are pinned by runtime majors, not the package manager), while adding a large, risky, unverifiable change.
🤖 Generated with Claude Code