
AB#139412 AB#142911 - Address security vulnerabilities (yaml, ws, form-data, langsmith)#898

Open
fabclj wants to merge 2 commits into
masterfrom
fix/139412-fix-vulnerability

Conversation


@fabclj fabclj commented Jun 5, 2026


Summary

Security dependency fixes for extensions/diffbot and extensions/chuck-norris-jokes. Resolves all HIGH-severity Snyk findings in both extensions.

| Extension | Package | Change | Method |
| --- | --- | --- | --- |
| diffbot, chuck-norris-jokes | yaml | 2.8.1 → 2.8.3 | overrides |
| diffbot, chuck-norris-jokes | langsmith | 0.3.65 → 0.6.0 (HIGH: deserialization) | overrides |
| chuck-norris-jokes | ws | 8.18.3 → 8.21.0 (HIGH: amplification) | lockfile (in-range) |
| chuck-norris-jokes | form-data | 4.0.4 → 4.0.6 | lockfile (in-range) |

ws and form-data are within their declared ranges (^8.18.0 / ^4.0.0), so they update via the lockfile only. langsmith has no in-range fix (langchain requires ^0.3.46; all langsmith fixes are ≥0.4.6), so it is pinned via a forced overrides entry — see caveat below.

How to test

  1. cd extensions/diffbot && npm ci && snyk test → no HIGH/critical (langsmith, yaml resolved).
  2. cd extensions/chuck-norris-jokes && npm ci && snyk test → no HIGH/critical (langsmith, ws, form-data, yaml resolved).
  3. npm run build in each → transpile/lint pass; diffbot test suite passes (6/6).

Security / caveat

  • No behavior change — dependency version bumps only; remediates known CVEs.
  • ⚠️ langsmith 0.6.0 is forced past langchain's ^0.3.46 range (no in-range fix exists). Validated by transpile + diffbot's test suite (6/6 pass); langsmith is tracing/telemetry, so runtime risk is low. The fully in-range alternative would be upgrading langchain itself (larger change). Flagging for reviewer awareness.
  • js-yaml 4.1.1 (medium) is intentionally left out — its fix (4.2.0) is a breaking minor and warrants separate review.
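The table and caveat above describe two things a reviewer wants to confirm: that the regenerated lockfiles actually resolve the overridden packages to the pinned versions, and which overrides force a package outside the semver range a dependent declares (langsmith 0.6.0 versus langchain's `^0.3.46`). The script below is an added example, not code from this PR or its repository; it runs a small override consistency check over constructed `package.json` and `package-lock.json` fixtures modelled on the versions the PR names (the langchain version `0.3.30` and its `yaml` range are made up for illustration), and it implements only exact pins and caret ranges rather than full semver.

```javascript
// Added example, not code from this PR or its repository. It checks that the
// resolved versions in a package-lock.json honour the "overrides" block of
// package.json, and reports any override that forces a package outside the
// semver range one of its dependents declares (the langsmith-vs-langchain
// situation the PR flags). Only exact pins and caret ranges are handled.

// Constructed sample package.json, modelled on the PR's overrides.
const PACKAGE_JSON = {
  name: "example-extension",
  overrides: { yaml: "2.8.3", langsmith: "0.6.0" },
};

// Constructed sample lockfile (lockfileVersion 3 layout). Versions other than
// the ones the PR names are made up for illustration.
const PACKAGE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/yaml": { version: "2.8.3" },
    "node_modules/langsmith": { version: "0.6.0" },
    "node_modules/langchain": {
      version: "0.3.30", // constructed
      dependencies: { langsmith: "^0.3.46", yaml: "^2.0.0" }, // yaml range constructed
    },
    "node_modules/ws": { version: "8.21.0" },
  },
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Minimal semver matcher: exact pins ("2.8.3") and caret ranges ("^0.3.46").
function satisfiesRange(range, version) {
  const v = parseVersion(version);
  if (range.startsWith("^")) {
    const base = parseVersion(range.slice(1));
    if (compareVersions(v, base) < 0) return false;
    // A caret range keeps the leftmost non-zero component fixed.
    if (base[0] > 0) return v[0] === base[0];
    if (base[1] > 0) return v[0] === 0 && v[1] === base[1];
    return v[0] === 0 && v[1] === 0 && v[2] === base[2];
  }
  return compareVersions(v, parseVersion(range)) === 0;
}

// Returns which overrides the lockfile honours, which it does not, and which
// ones push a package outside a dependent's declared range.
function checkOverrides(pkg, lock) {
  const result = { honoured: [], mismatched: [], forced: [] };
  for (const [name, wanted] of Object.entries(pkg.overrides || {})) {
    const entry = lock.packages[`node_modules/${name}`];
    if (!entry || entry.version !== wanted) {
      result.mismatched.push({ name, wanted, resolved: entry ? entry.version : null });
      continue;
    }
    result.honoured.push(name);
    for (const [path, dep] of Object.entries(lock.packages)) {
      const range = dep.dependencies && dep.dependencies[name];
      if (range && !satisfiesRange(range, wanted)) {
        result.forced.push({
          name,
          dependent: path.replace(/^node_modules\//, ""),
          range,
          resolved: wanted,
        });
      }
    }
  }
  return result;
}

// Stand-alone run: with the constructed fixtures this reports langsmith as
// forced past langchain's ^0.3.46 and yaml as honoured without conflict.
const report = checkOverrides(PACKAGE_JSON, PACKAGE_LOCK);
console.log(JSON.stringify(report, null, 2));
```

To run it against a real extension, replace the two fixtures with `JSON.parse(fs.readFileSync("package.json"))` and `JSON.parse(fs.readFileSync("package-lock.json"))` from the extension directory; a non-empty `forced` list is exactly the set of overrides that deserve the kind of reviewer note the PR gives for langsmith, and a non-empty `mismatched` list means `npm ci` would not produce the versions the PR claims.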

Copilot AI review requested due to automatic review settings June 5, 2026 11:27

graymalkin77 commented Jun 5, 2026


Snyk checks have passed. No issues have been found so far.

| Status | Scan Engine | Critical | High | Medium | Low | Total (0) |
| --- | --- | --- | --- | --- | --- | --- |
| | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |
| | Licenses | 0 | 0 | 0 | 0 | 0 issues |


Copilot AI left a comment


Pull request overview

Pins the transitive yaml dependency to a non-vulnerable version for two npm-based extensions, addressing reported security advisories by forcing resolution to yaml@2.8.3 and regenerating lockfiles accordingly.

Changes:

  • Added overrides.yaml = 2.8.3 to extensions/diffbot/package.json and extensions/chuck-norris-jokes/package.json.
  • Regenerated both package-lock.json files so node_modules/yaml resolves to 2.8.3 with updated resolved/integrity metadata.

Reviewed changes

Copilot reviewed 2 out of 4 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| extensions/diffbot/package.json | Adds npm overrides to pin transitive yaml to 2.8.3. |
| extensions/diffbot/package-lock.json | Updates the resolved yaml package entry to 2.8.3. |
| extensions/chuck-norris-jokes/package.json | Adds npm overrides to pin transitive yaml to 2.8.3. |
| extensions/chuck-norris-jokes/package-lock.json | Updates the resolved yaml package entry to 2.8.3 (and lockfile metadata regenerated). |
Files not reviewed (2)
  • extensions/chuck-norris-jokes/package-lock.json: Language not supported
  • extensions/diffbot/package-lock.json: Language not supported


@fabclj fabclj requested a review from falak-asad June 15, 2026 12:56
Additional dependency fixes on top of the yaml bump:
- chuck-norris-jokes: ws 8.18.3 -> 8.21.0, form-data 4.0.4 -> 4.0.6 (in-range, lockfile only)
- diffbot + chuck-norris-jokes: langsmith 0.3.65 -> 0.6.0 (override; forced past langchain's ^0.3.46 since no in-range fix exists, validated by transpile + diffbot test suite)

Resolves the remaining HIGH-severity vulns (langsmith deserialization, ws amplification).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@fabclj fabclj changed the title AB#139412 fix: address security vulnerabilities AB#139412 fix: address security vulnerabilities (yaml, ws, form-data, langsmith) Jun 18, 2026
@fabclj fabclj changed the title AB#139412 fix: address security vulnerabilities (yaml, ws, form-data, langsmith) AB#139412 AB#142911 - Address security vulnerabilities (yaml, ws, form-data, langsmith) Jun 18, 2026