chore(deps): resolve npm audit findings by bumping direct deps (no overrides) #1505
Closed
JacksonWeber wants to merge 1 commit into
Conversation
Pull request overview
Updates npm dependency resolution to eliminate reported npm audit vulnerabilities by tightening top-level overrides, ensuring patched versions of several transitive packages are selected during install.
Changes:
- Collapse scoped `protobufjs` overrides into a single top-level override and bump to `^8.6.3`.
- Add new top-level overrides for `js-yaml`, `uuid`, and `@babel/core` to pick non-vulnerable versions.
- Regenerate `package-lock.json` to reflect the new override-resolved dependency graph.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| package.json | Adjusts overrides to force patched transitive dependency versions. |
| package-lock.json | Updates lockfile to the resolved versions produced by the new overrides. |
Comment on lines +90 to +94
| "overrides": { | ||
| "@opentelemetry/otlp-transformer": { | ||
| "protobufjs": "^8.2.0" | ||
| }, | ||
| "@grpc/proto-loader": { | ||
| "protobufjs": "^8.2.0" | ||
| }, | ||
| "protobufjs": "^8.6.3", | ||
| "js-yaml": "^4.2.0", | ||
| "uuid": "^11.1.1", | ||
| "@babel/core": "^7.29.7", |
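Review bot: the two scoped `protobufjs` pins under `@opentelemetry/otlp-transformer` and `@grpc/proto-loader` stay at `^8.2.0` while the new top-level `protobufjs` override is `^8.6.3`; `^8.2.0` still admits versions inside the 8.0.0 - 8.5.0 range the advisories cover, so if npm applies the more specific scoped entry for those subtrees the top-level bump does not reach the copies that matter. Suggest either dropping the two scoped entries or raising them to `^8.6.3` as well, and confirming with `npm ls protobufjs` after `npm install` that every resolved copy is outside the range; the description later in this PR takes the first route by removing all of the `protobufjs` overrides once the direct OpenTelemetry deps are bumped.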
…w overrides)
Resolves all open `npm audit` findings without adding any new
`overrides` pins, by bumping the direct dependencies that pull
the vulnerable transitives in:
* Bump `@opentelemetry/{api-logs,exporter-*-otlp-*,otlp-exporter-base,sdk-logs}`
from `^0.217.0` to `^0.219.0`. `@opentelemetry/otlp-transformer`
0.218+ no longer depends on `protobufjs`, so the GHSA-f38q-mgvj-vph7
family and CVE-2026-44289/44291/44293/44295 (issue microsoft#1503) are resolved
at the source. The only remaining `protobufjs` in the tree is the
`@grpc/proto-loader` transitive on the 7.x branch, which is outside
every advisory's vulnerable range.
* Replace `nyc` with `c8` for coverage. `nyc` (even on its latest
18.x line) transitively pulls `@istanbuljs/load-nyc-config@1.1.0`,
which is the only published version and depends on a vulnerable
`js-yaml@^3.13.1` (GHSA-h67p-54hq-rp68) with no upstream fix path.
`c8` is a drop-in: `c8 mocha ...` works the same as `nyc mocha ...`
for this repo (no `.nycrc` config in use). 247 unit tests still pass.
Bonus: also removes the vulnerable `uuid@8.3.2` (GHSA-w5hq-g745-h8pq)
and old `@babel/core` chain that came in via nyc's istanbul packages.
* Drop the four top-level `overrides` entries (`protobufjs`, `js-yaml`,
`uuid`, `@babel/core`) that this PR previously added, and the two
pre-existing scoped `protobufjs` overrides under
`@opentelemetry/otlp-transformer` / `@grpc/proto-loader` — none are
needed once the direct deps above are bumped.
The only remaining `overrides` entry is the pre-existing
`mocha → serialize-javascript` pin, which has no upstream fix
available: mocha 11.7.6 (latest) still depends on `serialize-javascript ^6.0.2`
and all 6.x versions are vulnerable per GHSA-5c6j-r48x-rmvq. This entry is
left as-is.
## Verification
* `npm install` — clean
* `npm audit` — **0 vulnerabilities** (was 21)
* `npm run build` — succeeds
* `npm run test:unit` — **247 passing**, exit 0
Closes microsoft#1503.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
bd76a04 to cfcc7c0
## Summary

Resolves all open `npm audit` findings without adding any new `overrides` pins, by bumping the direct dependencies that pull the vulnerable transitives in. Closes #1503.

## Changes

### 1. Bump direct OpenTelemetry deps to `^0.219.0`

Affected: `@opentelemetry/api-logs`, `@opentelemetry/exporter-{logs,metrics,trace}-otlp-{http,proto}`, `@opentelemetry/otlp-exporter-base`, `@opentelemetry/sdk-logs` (all `^0.217.0` → `^0.219.0`). `@opentelemetry/otlp-transformer` 0.218+ no longer depends on `protobufjs`, so the entire GHSA-f38q-mgvj-vph7 family and CVE-2026-44289/44291/44293/44295 (issue #1503) are resolved at the source. The only remaining `protobufjs` in the tree is `@grpc/proto-loader` → `protobufjs@7.6.4`, which is outside every advisory's vulnerable range (8.0.0 - 8.5.0).

### 2. Replace `nyc` with `c8` for coverage

`nyc` (even on its latest 18.x line) transitively pulls `@istanbuljs/load-nyc-config@1.1.0`, which is the only published version and depends on `js-yaml ^3.13.1` (GHSA-h67p-54hq-rp68). There is no upstream fix path through the nyc dependency tree. `c8` is a drop-in replacement: `c8 mocha ...` works the same as `nyc mocha ...` for this repo (no `.nycrc` config in use). Bonus — it also removes the vulnerable `uuid@8.3.2` (GHSA-w5hq-g745-h8pq) that `nyc` pulled in via `istanbul-lib-processinfo`, and removes the `@babel/core` chain that came in via the old `istanbul-lib-instrument`.

### 3. Remove `overrides` entries

Dropped:
- `overrides` this PR previously added (`protobufjs`, `js-yaml`, `uuid`, `@babel/core`)
- `protobufjs` overrides under `@opentelemetry/otlp-transformer` / `@grpc/proto-loader` — no longer needed once the direct deps are bumped

The only remaining `overrides` entry is the pre-existing `mocha → serialize-javascript ^7.0.5` pin. This one has no upstream fix path: mocha 11.7.6 (latest) still depends on `serialize-javascript ^6.0.2`, and all published 6.x versions are vulnerable per GHSA-5c6j-r48x-rmvq.

## Verification

- `npm install` — clean
- `npm audit` — 0 vulnerabilities (was 21)
- `npm run build` — succeeds
- `npm run test:unit` — 247 passing, exit 0

## Risk

Low. `c8` and the OTel exporter deps are well-tested. The OTel bump is a minor (0.217 → 0.219) — same series, no major API changes for the consumed entry points.
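A lockfile check in the spirit of the verification steps in the commit message and the description above, added here as an example and not code from this PR or from the repository: it lists every installed copy of a package in a lockfileVersion 2/3 `package-lock.json` and flags the copies whose version falls inside a given inclusive range, so the "only remaining `protobufjs` is the 7.x copy under `@grpc/proto-loader`" claim can be checked mechanically in CI rather than by reading `npm ls` output. The two lockfile fragments are constructed, the parent package versions in them are placeholders, the `protobufjs` versions (8.2.0 and 7.6.4) are the ones named on this page, and the range 8.0.0 - 8.5.0 is the advisory range quoted in the description. `reportFromFile` is a name chosen here, not an npm API.

```javascript
// Added example (not the PR's or the repository's code): scan a package-lock.json
// (lockfileVersion 2 or 3, which carry the flat "packages" map) for every installed
// copy of one package and flag the copies inside an inclusive semver range.

function parseVersion(v) {
  // "8.2.0" -> [8, 2, 0]; pre-release/build suffixes are ignored for this check
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Inclusive on both ends, matching the "8.0.0 - 8.5.0" notation used in the PR text.
function inRange(version, lo, hi) {
  return compareVersions(version, lo) >= 0 && compareVersions(version, hi) <= 0;
}

// Lockfile keys are install paths such as
// "node_modules/@opentelemetry/otlp-transformer/node_modules/protobufjs".
// The package that owns a nested copy is the segment before the last "node_modules/";
// a copy hoisted to the top level is owned by the root project, reported as "".
function parentOf(installPath) {
  const marker = 'node_modules/';
  const parentPath = installPath.slice(0, installPath.lastIndexOf(marker)).replace(/\/$/, '');
  if (parentPath === '') return '';
  return parentPath.slice(parentPath.lastIndexOf(marker) + marker.length);
}

function findCopies(lock, name) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([p]) => p === suffix || p.endsWith('/' + suffix))
    .map(([p, meta]) => ({ path: p, version: meta.version, parent: parentOf(p) }));
}

// Returns every copy, the subset inside [lo, hi], and a single clean/not-clean verdict.
function auditLock(lock, name, lo, hi) {
  const copies = findCopies(lock, name);
  const vulnerable = copies.filter((c) => inRange(c.version, lo, hi));
  return { copies, vulnerable, clean: vulnerable.length === 0 };
}

// Hypothetical helper name: read a real lockfile from disk and audit it.
function reportFromFile(lockPath, name, lo, hi) {
  const fs = require('fs');
  return auditLock(JSON.parse(fs.readFileSync(lockPath, 'utf8')), name, lo, hi);
}

// Constructed lockfile fragments, not the repository's real lockfile. Parent package
// versions are placeholders; the protobufjs versions are the ones discussed in the PR.
const LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/@opentelemetry/otlp-transformer': { version: '0.0.0-placeholder' },
    'node_modules/@opentelemetry/otlp-transformer/node_modules/protobufjs': { version: '8.2.0' },
    'node_modules/@grpc/proto-loader': { version: '0.0.0-placeholder' },
    'node_modules/protobufjs': { version: '7.6.4' },
  },
};

// After the direct OpenTelemetry bump: the nested 8.x copy is gone and only the
// 7.x copy reached through @grpc/proto-loader remains.
const LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/@opentelemetry/otlp-transformer': { version: '0.0.0-placeholder' },
    'node_modules/@grpc/proto-loader': { version: '0.0.0-placeholder' },
    'node_modules/protobufjs': { version: '7.6.4' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  // `node check.js path/to/package-lock.json` audits a real lockfile; with no
  // argument the constructed "before" fragment is audited instead.
  const result = process.argv[2]
    ? reportFromFile(process.argv[2], 'protobufjs', '8.0.0', '8.5.0')
    : auditLock(LOCK_BEFORE, 'protobufjs', '8.0.0', '8.5.0');
  for (const c of result.copies) {
    const flag = inRange(c.version, '8.0.0', '8.5.0') ? 'VULNERABLE' : 'ok';
    console.log(`${flag}\t${c.version}\t${c.path}\t(pulled in by: ${c.parent || '<root>'})`);
  }
  console.log(result.clean ? 'clean' : `${result.vulnerable.length} vulnerable copy/copies`);
}
```

Against a lockfile that still carries the nested 8.2.0 copy the check names `@opentelemetry/otlp-transformer` as the package pulling it in, which is exactly the dependent whose direct bump this PR uses instead of an override; a non-empty `vulnerable` list after `npm install` means a bump or a pin is still needed, and wiring the exit status to `clean` turns it into a CI gate.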