security: remediate Snyk SCA findings (7 fixed, 0 documented)#2
Open
papalialuigi wants to merge 1 commit into
Open
security: remediate Snyk SCA findings (7 fixed, 0 documented)#2papalialuigi wants to merge 1 commit into
papalialuigi wants to merge 1 commit into
Conversation
Remediate all 7 production-dependency vulnerabilities reported by Snyk SCA (baseline: 1 critical, 2 high, 4 medium; 0 license issues). Direct dependency bumps: - uuid ^11.1.0 -> ^11.1.1 (SNYK-JS-UUID-16133035) - yaml ^2.7.1 -> ^2.8.3 (SNYK-JS-YAML-15765520; resolves to 2.9.0) Transitive pins via npm "overrides": - form-data ^4.0.6 (SNYK-JS-FORMDATA-10841150 critical + SNYK-JS-FORMDATA-17337015 medium; via openai > @types/node-fetch) - jws ^4.0.1 (SNYK-JS-JWS-14188253 high; via @google/genai > google-auth-library) - ws ^8.21.0 (SNYK-JS-WS-17344547 high + SNYK-JS-WS-16722635 medium; via @google/genai) - uuid@9 ^11.1.1 (SNYK-JS-UUID-16133035 medium; transitive 9.0.1 via gaxios; major-scoped because uuid 9.x and 11.x coexist) Result: snyk test reports no vulnerable paths (92 deps tested). Only package.json / package-lock.json changed; no application source touched. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: a89068a1-ce52-4fd1-a754-f714ba16eaf7
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Remediates all production-dependency (Snyk SCA) vulnerabilities in
agentnet.Scope: production dependencies only (
snyk test, no--dev). Onlypackage.jsonandpackage-lock.jsonwere changed — no application source.Final
snyk test: no vulnerable paths found (92 dependencies tested). 7 unique findings fixed, 0 ignored, 0 documented residuals.Fixed
^4.0.6^4.0.1^8.21.0^4.0.6^8.21.0^11.1.1uuid@9->^11.1.1^2.8.3overridesadded topackage.json:uuid@9is major-scoped because uuid 9.x (transitive via gaxios) and 11.x (direct) coexist in the lockfile; the direct dep is bumped to^11.1.1and the scoped override lifts the stale 9.x transitive to the same fixed line, unifying all uuid to 11.1.1..snyk ignores
None.
SECURITY.md (documented, unfixed)
None — every finding had a reachable fix.
Reviewer notes
uuid ^11.1.0 -> ^11.1.1,yaml ^2.7.1 -> ^2.8.3(resolves 2.9.0).uuidlifted across a major (9 -> 11) forgaxios(under@google/genai). uuid's named exports (v4,v1, etc.) are stable across v9->v11; the v10/v11 breaking changes were dropped deep import paths and Node baseline, whichgaxiosdoes not use. Validate in CI.ws 8.18.2 -> 8.21.0,form-data 4.0.2 -> 4.0.6,jws 4.0.0 -> 4.0.1are same-major transitive bumps under@google/genaiandopenai; low risk.test(jest) script is already broken onmasterindependent of this PR — on a pristineorigin/mastercheckoutnpm testfails to run withTypeError: Cannot read properties of undefined (reading 'prototype')(a jest ESM--experimental-vm-modulesmock-harness issue), so it cannot serve as a smoke gate. No application source is touched by this PR; correctness is validated by the clean Snyk re-scan. Please rely on CI.Do not merge without CI validation.
Co-Authored-By: Claude Opus 4.8 noreply@anthropic.com
Claude-Session: a89068a1-ce52-4fd1-a754-f714ba16eaf7