Conversation

@vpaiu
Contributor

@vpaiu vpaiu commented Oct 10, 2025

Description of changes:

  • Fixing the dependabot findings. I did it by adding the override for each vulnerable package and adding its direct parent package (for controlled overrides). The changes are located in patches/common/build.diff.
  • The package braces doesn't have its parent specified because, while it is part of its parent package ("node_modules/findup-sync/node_modules/braces"), it isn't specified in the dependencies of findup-sync. So a global override was necessary, because npm wasn't able to recognize findup-sync as the parent package of braces.
  • Added script for refreshing the package-lock.json overrides (scripts/update-package-locks.sh). Works by: prepare src -> npm install -> refresh package-lock overrides -> regenerate OSS attribution.
  • Added small fix in update-automation.yaml so that package-lock overrides from node_modules aren't added.

Testing:

  • Built each target successfully.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
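The parent-scoped versus global override distinction described in the PR, as an added example that is not part of the PR or the repository: given a package-lock.json v2/v3 `packages` tree, the code decides for each vulnerable install path whether its parent directory actually declares the package (so a controlled `"parent@version": { "child": "version" }` override can be used) or not (so only a global `"child": "version"` override will match). The lockfile, the version numbers, the `fixes` map and the helper names (`overrideFor`, `buildOverrides`) are all constructed for illustration.

```javascript
// Added example, not code from the PR: decide per vulnerable package whether
// an npm override can be scoped to its direct parent or must be global.
// The lockfile tree and all version numbers below are constructed; they are
// not the repository's real packages or versions.
const lock = {
  packages: {
    "": {
      name: "app",
      version: "1.0.0",
      dependencies: { "findup-sync": "^4.0.0", micromatch: "^4.0.5" },
    },
    "node_modules/findup-sync": {
      version: "4.0.0",
      dependencies: { "detect-file": "^1.0.0", micromatch: "^4.0.2" },
    },
    // Installed under findup-sync, but findup-sync does not list it: npm
    // cannot attribute it to that parent, so only a global override applies.
    "node_modules/findup-sync/node_modules/braces": { version: "2.3.2" },
    "node_modules/micromatch": {
      version: "4.0.5",
      dependencies: { braces: "^3.0.2", picomatch: "^2.3.1" },
    },
    // Installed under micromatch, and micromatch declares it: scoped override.
    "node_modules/micromatch/node_modules/picomatch": { version: "2.3.0" },
  },
};

const DEP_FIELDS = ["dependencies", "optionalDependencies", "peerDependencies"];

// "node_modules/a/node_modules/b" -> "node_modules/a"; top-level -> "" (root).
function parentPath(installPath) {
  const i = installPath.lastIndexOf("/node_modules/");
  return i === -1 ? "" : installPath.slice(0, i);
}

// Last segment after "node_modules/", keeping scoped names (@org/pkg) intact.
function packageName(installPath) {
  const marker = "node_modules/";
  return installPath.slice(installPath.lastIndexOf(marker) + marker.length);
}

function declaresDependency(entry, name) {
  return DEP_FIELDS.some(
    (f) => entry && entry[f] && Object.prototype.hasOwnProperty.call(entry[f], name)
  );
}

// Returns { name, version, scope }: scope is "parent@version" for a
// controlled override, or null when only a global override can match.
function overrideFor(lockfile, installPath, fixedVersion) {
  const name = packageName(installPath);
  const parent = parentPath(installPath);
  const parentEntry = lockfile.packages[parent];
  if (parent !== "" && parentEntry && declaresDependency(parentEntry, name)) {
    const parentName = packageName(parent);
    const scope = parentEntry.version ? `${parentName}@${parentEntry.version}` : parentName;
    return { name, version: fixedVersion, scope };
  }
  return { name, version: fixedVersion, scope: null };
}

// Builds the package.json "overrides" object from a map of
// installed path -> fixed version (the remediation targets).
function buildOverrides(lockfile, fixes) {
  const overrides = {};
  for (const [installPath, fixedVersion] of Object.entries(fixes)) {
    const o = overrideFor(lockfile, installPath, fixedVersion);
    if (o.scope === null) {
      overrides[o.name] = o.version;
    } else {
      overrides[o.scope] = { ...(overrides[o.scope] || {}), [o.name]: o.version };
    }
  }
  return overrides;
}

// Constructed remediation targets with hypothetical fixed versions.
const fixes = {
  "node_modules/findup-sync/node_modules/braces": "3.0.3",
  "node_modules/micromatch/node_modules/picomatch": "2.3.1",
};

console.log(JSON.stringify(buildOverrides(lock, fixes), null, 2));
```

The resulting object is what goes under `"overrides"` in package.json; it has no effect until the lockfile is regenerated with `npm install`, which is why an override change has to be followed by a lockfile refresh rather than a hand edit of package-lock.json.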

@vpaiu vpaiu requested a review from a team as a code owner October 10, 2025 11:17
@vpaiu vpaiu changed the title Fix dependencies Fixing dependabot findings Oct 10, 2025
Comment on lines +35 to +36
- "[email protected]": {
- "node-addon-api": "7.1.0"
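Review bot: dropping the node-addon-api pin under the kerberos entry is only safe if kerberos itself leaves the dependency tree; since that removal lives in a different part of build.diff, reference it in the PR description so a future reader of this override block does not re-add the pin. If any other package still pulls node-addon-api, it will now float to whatever the lockfile resolves instead of 7.1.0.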
Contributor


What's the reason for removing this over-ride?

Contributor Author


If you look above in build.diff we remove kerberos, so the override is unnecessary.

@@ -0,0 +1,75 @@
#!/bin/bash
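Review bot: only the shebang of scripts/update-package-locks.sh is visible in this hunk, and the description says the script chains prepare src, npm install, refresh the package-lock overrides and regenerate the OSS attribution. Add `set -euo pipefail` directly after `#!/bin/bash` so a failed npm install stops the script instead of letting the later steps rewrite package-lock.json and the attribution file from a partial node_modules.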
Contributor


Nice! Thanks for adding this script, it will make our job a lot easier the next time we want to update package-lock.json files!

@vpaiu vpaiu merged commit f48aa80 into aws:main Oct 10, 2025
1 check passed
@vpaiu vpaiu deleted the fix-dependencies branch October 16, 2025 08:24