
fix(FFESUPPORT-753): address open Dependabot vulnerabilities #125

Status: Open. aarsilv wants to merge 1 commit into main from aarsilv/ffesupport-753/fix-vulnerabilities.

Conversation

@aarsilv (Contributor) commented May 29, 2026

Summary

  • Removes the dev-only @google-cloud/storage test-data fallback and relies on the existing make test-data path that clones Eppo-exp/sdk-test-data.
  • Replaces the dev-only Express mock API server with a small Node http server.
  • Removes the now-unneeded @tootallnate/once, qs, and uuid security resolutions; those packages are no longer present in the dependency graph.
  • Bumps the package patch version from 4.0.1 to 4.0.2 for the SDK dependency update.
  • Updates the vulnerable brace-expansion lockfile entry used by dev tooling without forcing older incompatible minimatch chains.

Dependabot alerts addressed

  • qs GHSA-q8mj-m7cp-5q26: removed from the dependency graph by dropping dev-only Express.
  • uuid GHSA-w5hq-g745-h8pq: removed from the dependency graph by dropping dev-only @google-cloud/storage.

Verification

  • yarn install --frozen-lockfile
  • yarn lint
  • yarn typecheck
  • yarn test
  • yarn audit --level moderate
  • yarn why @tootallnate/once, yarn why qs, yarn why uuid: no matches.

🤖 Generated with Codex

Copilot AI left a comment

Pull request overview

This PR addresses Dependabot-reported vulnerabilities by pinning vulnerable transitive packages to patched versions and refreshing the Yarn lockfile, while bumping the SDK patch version.

Changes:

  • Bumps @eppo/node-server-sdk from 4.0.1 to 4.0.2.
  • Adds Yarn resolutions for patched qs and uuid versions.
  • Updates brace-expansion, qs, and uuid lockfile entries to patched versions.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

  • package.json: Bumps package version and adds vulnerability-related Yarn resolutions.
  • yarn.lock: Refreshes resolved transitive dependency versions for patched packages.


@aarsilv aarsilv force-pushed the aarsilv/ffesupport-753/fix-vulnerabilities branch from 89c33d5 to 39733c6 Compare May 29, 2026 03:05
@aarsilv aarsilv requested a review from Copilot May 29, 2026 03:06
Copilot AI left a comment

Pull request overview

Copilot reviewed 1 out of 2 changed files in this pull request and generated no new comments.

@aarsilv (Contributor, Author) commented May 29, 2026

🤖 Context from Codex: Updated after review: instead of keeping qs and uuid resolutions, this now removes the dev-only parents that pulled them in. The Express mock server is replaced with Node http, the GCS test-data fallback is removed in favor of the existing make test-data clone path, and @tootallnate/once, qs, and uuid are no longer in the dependency graph. Public SDK API surface is unchanged. Local strict install, lint, typecheck, tests, and audit passed; refreshed CI is green across Node 20/22/24 and the latest Copilot review has no new comments.
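Both the PR description's verification list (`yarn why @tootallnate/once`, `yarn why qs`, `yarn why uuid` returning no matches) and the comment above rest on the same claim: the vulnerable packages are gone from the dependency graph rather than merely pinned. The block below is an added example, not code from this PR or the repository, of checking that claim directly against a v1 yarn.lock, so it can run in CI without a network. The package names come from the PR; the lockfile texts, the registry URLs and integrity values in them, and the minimum version used for brace-expansion are constructed placeholders.

```javascript
// Added example (not code from the PR or the repository): verify that a v1
// yarn.lock no longer contains packages the PR says were removed, and that
// a package it says was updated meets a minimum version. Package names are
// from the PR; everything else below is a constructed placeholder.

// Parses v1 yarn.lock text into a Map: package name -> Set of resolved versions.
// Header lines look like `qs@6.10.3, qs@^6.9.4:` or `"@scope/pkg@^1.0.0":`.
function parseYarnLockV1(text) {
  const versions = new Map();
  let currentNames = null;
  for (const line of text.split('\n')) {
    if (line.startsWith('#') || line.trim() === '') continue;
    if (!line.startsWith(' ') && line.endsWith(':')) {
      currentNames = line.slice(0, -1).split(',').map((spec) => {
        const s = spec.trim().replace(/^"|"$/g, '');
        return s.slice(0, s.lastIndexOf('@')); // keeps the scope, drops the range
      });
      continue;
    }
    const m = /^  version "([^"]+)"$/.exec(line); // exactly two-space indent
    if (m && currentNames) {
      for (const name of new Set(currentNames)) {
        if (!versions.has(name)) versions.set(name, new Set());
        versions.get(name).add(m[1]);
      }
    }
  }
  return versions;
}

// Numeric x.y.z comparison; prerelease suffixes are truncated by parseInt.
function compareVersions(a, b) {
  const pa = a.split('.').map((x) => parseInt(x, 10));
  const pb = b.split('.').map((x) => parseInt(x, 10));
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Returns a list of findings; an empty list means the lockfile satisfies the policy.
function auditLockfile(lockText, { mustBeAbsent, minimumVersions }) {
  const lock = parseYarnLockV1(lockText);
  const findings = [];
  for (const name of mustBeAbsent) {
    if (lock.has(name)) findings.push({ name, reason: 'still present', versions: [...lock.get(name)] });
  }
  for (const [name, min] of Object.entries(minimumVersions)) {
    for (const v of lock.get(name) || []) {
      if (compareVersions(v, min) < 0) findings.push({ name, reason: `below ${min}`, versions: [v] });
    }
  }
  return findings;
}

// Policy derived from the PR: three packages must be gone entirely; the
// brace-expansion minimum is a placeholder to be taken from the advisory.
const POLICY = {
  mustBeAbsent: ['@tootallnate/once', 'qs', 'uuid'],
  minimumVersions: { 'brace-expansion': '1.1.12' },
};

// Constructed lockfile excerpts: one resembling the pre-fix state, one the post-fix state.
const BEFORE_LOCK = `# yarn lockfile v1

"@tootallnate/once@2.0.0":
  version "2.0.0"
  resolved "https://registry.example/placeholder"
  integrity sha512-PLACEHOLDER

brace-expansion@^1.1.7:
  version "1.1.11"
  resolved "https://registry.example/placeholder"
  dependencies:
    balanced-match "^1.0.0"

qs@6.10.3, qs@^6.9.4:
  version "6.10.3"
  resolved "https://registry.example/placeholder"

uuid@^8.0.0:
  version "8.3.2"
  resolved "https://registry.example/placeholder"
`;

const AFTER_LOCK = `# yarn lockfile v1

brace-expansion@^1.1.7:
  version "1.1.12"
  resolved "https://registry.example/placeholder"
  dependencies:
    balanced-match "^1.0.0"
`;

console.log('before:', auditLockfile(BEFORE_LOCK, POLICY));
console.log('after:', auditLockfile(AFTER_LOCK, POLICY));
```

Run as a CI step against the real `yarn.lock` (`fs.readFileSync('yarn.lock', 'utf8')`), a non-empty findings list should fail the job; unlike `yarn audit`, this catches a package that quietly returns to the graph through a future dependency bump even before an advisory is filed against it.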

@aarsilv aarsilv force-pushed the aarsilv/ffesupport-753/fix-vulnerabilities branch from 39733c6 to 1d8eb72 Compare May 29, 2026 14:20
@aarsilv aarsilv requested a review from Copilot May 29, 2026 14:20
Copilot AI left a comment

Pull request overview

Copilot reviewed 4 out of 6 changed files in this pull request and generated no new comments.


@aarsilv aarsilv requested a review from sameerank May 29, 2026 15:23
@aarsilv aarsilv requested a review from greghuels May 29, 2026 15:24
Comment thread on package.json, lines 62 to 64:

    "resolutionRationales": {
      "@types/node": "Pinned to ^20 to keep the dev type surface aligned with engines.node >=20.x; newer @types/node would let consumer code use APIs that are not available on Node 20."
    }

Contributor:

👍


4 participants