From c8453a4b568bd3d5ed2b5b5fad77db17a4a587e0 Mon Sep 17 00:00:00 2001 From: radovanjorgic Date: Tue, 14 Jul 2026 13:12:46 +0200 Subject: [PATCH 1/3] fix: bump transitive protobufjs to 7.6.5 to resolve Snyk vuln Resolves SNYK-JS-PROTOBUFJS-17900550 (infinite loop, high severity) via @devrev/typescript-sdk. Fetched from public npmjs since the internal registry mirror had not yet synced 7.6.5. --- code/package-lock.json | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/code/package-lock.json b/code/package-lock.json index 018df0e..6492fcf 100644 --- a/code/package-lock.json +++ b/code/package-lock.json @@ -7259,7 +7259,9 @@ } }, "node_modules/protobufjs": { - "version": "7.6.4", + "version": "7.6.5", + "resolved": "https://registry.npmjs.org/protobufjs/-/protobufjs-7.6.5.tgz", + "integrity": "sha512-/FPD0nUc9jH6rfFjji9IBqOz4pcSE3CsT1m7Ep6Mdb0LxSUMj8hgl6GomOvZzpNpAqqGaXA0P3VSrZLFzIhQrw==", "hasInstallScript": true, "license": "BSD-3-Clause", "dependencies": { From ff245c0e7fa75e4c657d111c7a407114dc59b8cc Mon Sep 17 00:00:00 2001 From: radovanjorgic Date: Tue, 14 Jul 2026 13:31:04 +0200 Subject: [PATCH 2/3] fix: bump body-parser and dev-only deps to resolve remaining snyk vulns body-parser 1.20.5 -> 1.20.6 (SNYK-JS-BODYPARSER-17906397, medium) brace-expansion 1.1.15/2.1.1/5.0.6 -> 1.1.16/2.1.2/5.0.7 via nodemon, eslint, typescript-eslint, rimraf transitive chains (SNYK-JS-BRACEEXPANSION-17706650, high) js-yaml 4.2.0 -> 4.3.0 via eslint (SNYK-JS-JSYAML-17900054, high) js-yaml 3.14.2 -> 3.15.0 via babel-jest > @istanbuljs/load-nyc-config (partial fix for SNYK-JS-JSYAML-17342520; that CVE's real fix needs js-yaml 4.2.0+ but load-nyc-config pins ^3.13.1, so a clean bump past 3.x isn't possible without an overrides block) Not fixed: inflight@1.0.6 (SNYK-JS-INFLIGHT-6095116) has no available fix, abandoned package via babel-jest > ... > glob > inflight --- code/package-lock.json | 52 ++++++++++++++++++++++++++++++------------ code/package.json | 2 +- 2 files changed, 38 insertions(+), 16 deletions(-) diff --git a/code/package-lock.json b/code/package-lock.json index 6492fcf..6faf907 100644 --- a/code/package-lock.json +++ b/code/package-lock.json @@ -30,7 +30,7 @@ "@typescript-eslint/eslint-plugin": "^8.32.0", "@typescript-eslint/parser": "^8.32.0", "babel-jest": "^29.4.2", - "body-parser": "^1.20.3", + "body-parser": "^1.20.6", "dotenv": "^16.0.3", "eslint": "9.32.0", "eslint-config-prettier": "^9.0.0", @@ -1723,7 +1723,9 @@ "license": "MIT" }, "node_modules/@eslint/config-array/node_modules/brace-expansion": { - "version": "1.1.15", + "version": "1.1.16", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.16.tgz", + "integrity": "sha512-IDw48K2/2kRkg9LdJxurvq3lV3aBgq0REY89duEqFRthjlPdXHKMj7EnQOXVckxzgisinf3nHfrcE2FufFLXMw==", "dev": true, "license": "MIT", "dependencies": { @@ -1789,7 +1791,9 @@ "license": "MIT" }, "node_modules/@eslint/eslintrc/node_modules/brace-expansion": { - "version": "1.1.15", + "version": "1.1.16", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.16.tgz", + "integrity": "sha512-IDw48K2/2kRkg9LdJxurvq3lV3aBgq0REY89duEqFRthjlPdXHKMj7EnQOXVckxzgisinf3nHfrcE2FufFLXMw==", "dev": true, "license": "MIT", "dependencies": { @@ -1940,9 +1944,9 @@ } }, "node_modules/@istanbuljs/load-nyc-config/node_modules/js-yaml": { - "version": "3.14.2", - "resolved": "https://npm.infra.devrev-eng.ai/js-yaml/-/js-yaml-3.14.2.tgz", - "integrity": "sha512-PMSmkqxr106Xa156c2M265Z+FTrPl+oxd/rgOQy2tijQeK5TxQ43psO1ZCwhVOSdnn+RzkzlRz/eY4BgJBYVpg==", + "version": "3.15.0", + "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.15.0.tgz", + "integrity": "sha512-ttBQIIQPDeLjpPOohtUdXuXUVoA2uIB6fEH9HyJ7234s5mBJ5wTx20njxplLZQgLaOfpmPQA7X2t5AX6tIPbog==", "dev": true, "license": "MIT", "dependencies": { @@ -3270,7 +3274,9 @@ } }, "node_modules/body-parser": { - "version": "1.20.5", + "version": "1.20.6", + "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.20.6.tgz", + "integrity": "sha512-p5tAzS57i5MV9fZFDj9LeIiTZEufbSe2eDozP+ElheSUq1m74CRq1jI4mYNDdVs9vQztXFLuk/Gd6BWTdwRJ5g==", "dev": true, "license": "MIT", "dependencies": { @@ -3306,7 +3312,9 @@ "license": "MIT" }, "node_modules/brace-expansion": { - "version": "5.0.6", + "version": "5.0.7", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.7.tgz", + "integrity": "sha512-7oFy703dxfY3/NLxC1fh2SUCQ0H9rmAY+5EpDVfXjUTTs+HEwR2nYaqLv+GWcTsumwxPfiz6CzCNkwXwBUwqCA==", "dev": true, "license": "MIT", "dependencies": { @@ -4254,7 +4262,9 @@ "license": "MIT" }, "node_modules/eslint-plugin-import/node_modules/brace-expansion": { - "version": "1.1.15", + "version": "1.1.16", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.16.tgz", + "integrity": "sha512-IDw48K2/2kRkg9LdJxurvq3lV3aBgq0REY89duEqFRthjlPdXHKMj7EnQOXVckxzgisinf3nHfrcE2FufFLXMw==", "dev": true, "license": "MIT", "dependencies": { @@ -4401,7 +4411,9 @@ "license": "MIT" }, "node_modules/eslint/node_modules/brace-expansion": { - "version": "1.1.15", + "version": "1.1.16", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.16.tgz", + "integrity": "sha512-IDw48K2/2kRkg9LdJxurvq3lV3aBgq0REY89duEqFRthjlPdXHKMj7EnQOXVckxzgisinf3nHfrcE2FufFLXMw==", "dev": true, "license": "MIT", "dependencies": { @@ -5054,7 +5066,9 @@ "license": "MIT" }, "node_modules/glob/node_modules/brace-expansion": { - "version": "1.1.15", + "version": "1.1.16", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.16.tgz", + "integrity": "sha512-IDw48K2/2kRkg9LdJxurvq3lV3aBgq0REY89duEqFRthjlPdXHKMj7EnQOXVckxzgisinf3nHfrcE2FufFLXMw==", "dev": true, "license": "MIT", "dependencies": { @@ -6390,7 +6404,9 @@ "license": "MIT" }, "node_modules/js-yaml": { - "version": "4.2.0", + "version": "4.3.0", + "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.3.0.tgz", + "integrity": "sha512-1td788aAnnZ5qs7V2QIRl1owjtYpbKt749Y3xauqQgwIIGF/xXWz1wMTEBx5O3LK3lXLVuqXPdPxj2BoFHaW9Q==", "dev": true, "funding": [ { @@ -7581,7 +7597,9 @@ "license": "MIT" }, "node_modules/rimraf/node_modules/brace-expansion": { - "version": "2.1.1", + "version": "2.1.2", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.1.2.tgz", + "integrity": "sha512-w5JZcKgdhDOgOwm8H+KgbosopHMuGcl6qbulwjtz3SM7I7P3yW1eAjzMPLrIE+NQ9vjgANKHWeMHnrT0OXW1oA==", "dev": true, "license": "MIT", "dependencies": { @@ -8165,7 +8183,9 @@ "license": "MIT" }, "node_modules/test-exclude/node_modules/brace-expansion": { - "version": "1.1.15", + "version": "1.1.16", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.16.tgz", + "integrity": "sha512-IDw48K2/2kRkg9LdJxurvq3lV3aBgq0REY89duEqFRthjlPdXHKMj7EnQOXVckxzgisinf3nHfrcE2FufFLXMw==", "dev": true, "license": "MIT", "dependencies": { @@ -8766,7 +8786,9 @@ "license": "MIT" }, "node_modules/typescript-eslint/node_modules/brace-expansion": { - "version": "2.1.1", + "version": "2.1.2", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.1.2.tgz", + "integrity": "sha512-w5JZcKgdhDOgOwm8H+KgbosopHMuGcl6qbulwjtz3SM7I7P3yW1eAjzMPLrIE+NQ9vjgANKHWeMHnrT0OXW1oA==", "dev": true, "license": "MIT", "dependencies": { diff --git a/code/package.json b/code/package.json index 056dc89..2a4ebbb 100644 --- a/code/package.json +++ b/code/package.json @@ -35,7 +35,7 @@ "@typescript-eslint/eslint-plugin": "^8.32.0", "@typescript-eslint/parser": "^8.32.0", "babel-jest": "^29.4.2", - "body-parser": "^1.20.3", + "body-parser": "^1.20.6", "dotenv": "^16.0.3", "eslint": "9.32.0", "eslint-config-prettier": "^9.0.0", From 9730ce4994d1f2d630560bacac89ef3f2dcc5fcb Mon Sep 17 00:00:00 2001 From: radovanjorgic Date: Tue, 14 Jul 2026 14:00:16 +0200 Subject: [PATCH 3/3] fix: repoint lockfile deps to public npmjs to fix CI E401 CI runners have no Verdaccio credentials for npm.infra.devrev-eng.ai, so npm ci would fail with E401 on 3 pre-existing deps (argparse, esprima, sprintf-js) whose "resolved" URL had been pinned to the internal mirror. Repoint to registry.npmjs.org; integrity hashes are unchanged since tarballs are byte-identical on both registries. --- code/package-lock.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/code/package-lock.json b/code/package-lock.json index 6faf907..bb0ecd7 100644 --- a/code/package-lock.json +++ b/code/package-lock.json @@ -1935,7 +1935,7 @@ }, "node_modules/@istanbuljs/load-nyc-config/node_modules/argparse": { "version": "1.0.10", - "resolved": "https://npm.infra.devrev-eng.ai/argparse/-/argparse-1.0.10.tgz", + "resolved": "https://registry.npmjs.org/argparse/-/argparse-1.0.10.tgz", "integrity": "sha512-o5Roy6tNG4SL/FOkCAN6RzjiakZS25RLYFrcMttJqbdd8BWrnA+fGz57iN5Pb06pvBGvl5gQ0B48dJlslXvoTg==", "dev": true, "license": "MIT", @@ -4523,7 +4523,7 @@ }, "node_modules/esprima": { "version": "4.0.1", - "resolved": "https://npm.infra.devrev-eng.ai/esprima/-/esprima-4.0.1.tgz", + "resolved": "https://registry.npmjs.org/esprima/-/esprima-4.0.1.tgz", "integrity": "sha512-eGuFFw7Upda+g4p+QHvnW0RyTX/SVeJBDM/gCtMARO0cLuT2HcEKnTPvhjV6aGeqrCB/sbNop0Kszm0jsaWU4A==", "dev": true, "license": "BSD-2-Clause", @@ -7984,7 +7984,7 @@ }, "node_modules/sprintf-js": { "version": "1.0.3", - "resolved": "https://npm.infra.devrev-eng.ai/sprintf-js/-/sprintf-js-1.0.3.tgz", + "resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz", "integrity": "sha512-D9cPgkvLlV3t3IzL0D0YLvGA9Ahk4PcvVwUbN0dSGr1aP0Nrt4AEnTUbuGvquEC0mA64Gqt1fzirlRs5ibXx8g==", "dev": true, "license": "BSD-3-Clause"