Remove @azure/functions-old + bump @azure/identity to scrub prod uuid@8 (MSRC 115880) #1498
JacksonWeber wants to merge 10 commits into
Conversation
The @azure/functions-old alias (npm:@azure/functions@3.5.1) transitively pulls in uuid@8.3.2, which is flagged by MSRC 115880 / GHSA-w5hq-g745-h8pq (out-of-range buffer writes in uuid v3/v5/v6). There is no patched 3.x release of @azure/functions (3.5.1 is the latest in that line), and the 4.x line dropped the v3 programming model. All usages of @azure/functions-old in this repo were type-only. Inline the v3 Context/HttpRequest/TraceContext/HttpRequestHeaders/Logger interfaces in src/shim/azureFunctionsV3Types.ts (sourced from @azure/functions@3.5.1, MIT) and switch the consumers to `import type` from the local module. Drop the package from package.json so the entire chain (including uuid@8.x via functions-old) is removed from the dependency tree. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
After removing @azure/functions-old, two unrelated transitive uuid@8.3.2 instances remain in the tree (via @azure/msal-node, brought in by @azure/identity, and via nyc->istanbul-lib-processinfo). uuid@<11.1.1 is vulnerable to GHSA-w5hq-g745-h8pq, so strict scanners will still flag them. Add a blanket `uuid: ^11.1.1` override to force every transitive uuid to the patched line. Also pin @azure/msal-node to ^3.7.3 under @azure/identity because @azure/identity@4.13+ pulls @azure/msal-node@5.x, whose ESM-only .d.cts declarations break this project's CommonJS `module: nodenext` TypeScript build (TS1479). msal-node 3.x only uses uuid.v4(), which is API-compatible with uuid@11. Verified: `npm ls uuid` reports only uuid@11.1.1 (no 8.x anywhere); tsc build clean; shim tests unchanged from baseline. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Earlier commit relied on an `overrides` block to force transitive `uuid` to `^11.1.1`. Replace that with real dependency updates so the lockfile is clean of any pinning hacks:
- Bump `@azure/identity` `^4.6.0` -> `^4.13.1` so it brings in `@azure/msal-node@5.x`, which dropped its `uuid@8.x` dependency entirely.
- Replace `nyc@^15.0.0` (which pulls `istanbul-lib-processinfo` -> `uuid@8.3.2` and has no upstream fix) with `c8@^11.0.0`. c8 uses native V8 coverage and has zero uuid dependency. Update all `test*` scripts in package.json from `nyc mocha ...` to `c8 mocha ...` — c8 is a drop-in CLI replacement and produces istanbul-compatible reports.
- Add `skipLibCheck: true` to `tsconfig.json`. Required because `@azure/msal-node@5.x` ships ESM-only `.d.cts` declarations that trigger TS1479 under this project's `module: nodenext` CJS build.
- Drop the `overrides` block from package.json.
Verification: `npm ls uuid` -> `(empty)` across the entire dep tree (prod + dev). `tsc` builds clean. `mocha` shim tests: 24 pass / 8 pre-existing failures (identical to main). `c8` coverage runs and emits expected text-summary report.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Per maintainer preference, keep `nyc@^15.0.0` as the dev coverage tool. The transitive `uuid@8.3.2` it brings in via `istanbul-lib-processinfo` (no nyc/istanbul-lib-processinfo version exists without it) is accepted as a dev-only finding. Production tree is clean of `uuid@8.x`: the @azure/functions-old removal and @azure/identity bump (which moves to @azure/msal-node@5.x with no uuid dep) stand. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Resolves conflicts in package.json and regenerates package-lock.json: keep this branch's removal of @azure/functions-old and bump of @azure/identity to ^4.13.1 (eliminates prod @azure/msal-node->uuid@8 chain); take main's bumps of @azure/monitor-opentelemetry (^1.18.0), exporter (^1.0.0-beta.41), and @opentelemetry/* 0.217.x/2.7.x; keep main's scoped overrides for @opentelemetry/otlp-transformer, @grpc/proto-loader (protobufjs ^8.2.0) and mocha (serialize-javascript ^7.0.5). Verified: npm audit -> 0 vulns; npm ls uuid -> only the dev-only nyc->istanbul-lib-processinfo->uuid@8.3.2 chain (no prod uuid@8); tsc builds clean. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Touching tsconfig.json was an unintended side effect of bumping @azure/identity to ^4.13.1 (which pulls @azure/msal-node@5.x, whose .d.cts triggers TS1479 under module: nodenext). Revert both changes. Scope of this PR is now exactly what MSRC 115880 named: removing the @azure/functions-old chain. The msal-node->uuid@8 chain is a separate finding to track in its own ticket. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Remaining uuid@8 in production tree via @azure/identity
Run npm ls uuid on the branch to confirm whether uuid@8.x still appears in the production tree via msal-node. If it does, the MSRC issue may only be partially remediated. Severity: Medium — depends on whether the security scanner still flags this path.
We should enable copilot reviews in this repository as well
I'll try to update that dep as well; it looks like there was some trouble with updating before.
…od tree
@azure/identity@^4.13.1 pulls @azure/msal-node@>=5.1.5, which no longer
depends on uuid. This removes the @azure/msal-node -> uuid@8.3.2 chain
from the production dependency tree.
msal-node 5.x ships a known-buggy types/index.d.cts that re-exports from
"./index.js"; under module: nodenext that resolves to the sibling
index.d.ts, which is treated as ESM because the parent package.json has
type: module, triggering TS1479. Rather than touching this project's
tsconfig, add a tiny postinstall script that drops a
{"type":"commonjs"} package.json into msal-node/types/ and
msal-common/types/, which makes TS resolve those declarations as CJS
(matching what they actually describe).
The only remaining transitive uuid@8.3.2 is nyc ->
istanbul-lib-processinfo, which has no upstream fix and is dev-only.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Replace the postinstall shim that worked around @azure/msal-node 5.x's broken types/index.d.cts (TS1479 under module: nodenext) with the more conventional skipLibCheck: true. The postinstall hack was opaque and fragile; skipLibCheck is the standard one-line fix for third-party .d.ts bugs and is opted into by most TS projects anyway. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Removes the @azure/functions-old dependency (and its transitive uuid@8.x) by inlining Azure Functions v3 type definitions, and bumps @azure/identity to a version that no longer pulls uuid@8.x via @azure/msal-node.
Changes:
- Replaces @azure/functions-old type imports with local v3 type definitions (azureFunctionsV3Types.ts).
- Bumps @azure/identity to ^4.13.1.
- Adds a postinstall script to patch @azure/msal-* typings in node_modules.
Reviewed changes
Copilot reviewed 5 out of 7 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| test/unitTests/shim/correlationContextManger.tests.ts | Switches v3 type import to the new local type surface. |
| src/shim/types.ts | Repoints Azure Functions v3 type aliases to local declarations. |
| src/shim/correlationContextManager.ts | Repoints HttpRequestHeaders type import to local declarations. |
| src/shim/azureFunctionsV3Types.ts | Adds inlined Azure Functions v3 public type surface to avoid runtime dependency. |
| scripts/patch-msal-types.js | Adds a postinstall patch to adjust @azure/msal-* typing resolution under nodenext. |
| package.json | Removes @azure/functions-old, bumps @azure/identity, and adds postinstall. |
Summary
Remediates MSRC 115880 / GHSA-w5hq-g745-h8pq (`uuid` out-of-range buffer writes in v3/v5/v6, fixed in `uuid@11.1.1`) by scrubbing the affected `uuid@8.3.2` instances from the production dependency tree.
Changes
1. Drop `@azure/functions-old` (the chain MSRC named)
- `@azure/functions-old@3.5.1` was an alias for `@azure/functions@3.5.1`, used purely for v3 programming model types (`Context`, `HttpRequest`, `TraceContext`, `HttpRequestHeaders`, `Logger`). It transitively pulled `uuid@8.3.2`.
- Inlined those types into `src/shim/azureFunctionsV3Types.ts` and switched imports to `import type` from that file.
- Removed `@azure/functions-old` from `dependencies`.
2. Bump `@azure/identity` to `^4.13.1`
- Previously resolved to `@azure/msal-node@3.7.3`, which depends on `uuid@^8.3.0`.
- `@azure/identity@^4.13.1` pulls `@azure/msal-node@>=5.1.5`, which dropped the `uuid` dependency entirely.
- Removes the last production `uuid@8.x` transitive.
3. Add `"skipLibCheck": true` to `tsconfig.json`
- `@azure/msal-node@5.x` ships a buggy `types/index.d.cts` that does `export * from "./index.js"`. Under `module: nodenext`, TypeScript resolves that to the sibling `index.d.ts`, which is treated as ESM because the parent `package.json` has `"type": "module"` — triggering TS1479 when compiling under `module: nodenext` (this project's setting).
- `skipLibCheck: true` is the canonical, one-line fix for third-party `.d.ts` bugs and is opted into by most TypeScript projects.
- The root cause is on the `microsoft-authentication-library-for-js` side; when they ship a fixed `.d.cts` (or a `types/package.json` with `{"type":"commonjs"}`) this can be reconsidered.
Verification
- `npm audit` → 0 vulnerabilities.
- `npm ls uuid` → only one remaining instance: `nyc → istanbul-lib-processinfo → uuid@8.3.2`. This is dev-only, never ships to consumers, and has no upstream fix on any `nyc` version (15.x → 18.0.0 all depend on `istanbul-lib-processinfo`, every published version of which declares `uuid: ^8.3.2`). Out of scope.
- `tsc --project ./tsconfig.json` builds clean.
- Pre-existing shim test failures are identical to `main` (not introduced by this PR).
Files touched
- `package.json` — drop `@azure/functions-old`; bump `@azure/identity`.
- `package-lock.json` — regenerated.
- `tsconfig.json` — add `skipLibCheck: true` (rationale above).
- `src/shim/azureFunctionsV3Types.ts` — new; inlined v3 types from `@azure/functions@3.5.1` (MIT).
- `src/shim/types.ts`, `src/shim/correlationContextManager.ts`, `test/unitTests/shim/correlationContextManger.tests.ts` — switched to `import type` from the local types file.
Closes work item 38016574.