Resolve npm security vulnerabilities via dependency overrides (#980)

## What

Adds `overrides` to `sources/package.json` to force patched versions of
transitively-pulled packages flagged by Dependabot, plus one moderate
issue surfaced by `npm audit`:

| Package | Severity | Patched to | Pulled in via |
|---|---|---|---|
| `shell-quote` | Critical | 1.8.4 | `npm-run-all` |
| `fast-xml-builder` | High | 1.2.0 | `@actions/artifact` → `@azure/storage-blob` → `@azure/core-xml` → `fast-xml-parser` |
| `fast-xml-parser` | Medium | 5.8.0 | `@actions/artifact` → `@azure/storage-blob` → `@azure/core-xml` |
| `brace-expansion` | Moderate | 5.0.6 | `eslint` |

## Notes

- All four are **transitive** dependencies, so they're pinned via the
existing `overrides` block rather than direct version bumps.
- The patched versions satisfy the parents' declared ranges (e.g.
`@azure/core-xml` requires `fast-xml-parser ^5.0.7`; `fast-xml-parser`
5.8.0 requires `fast-xml-builder ^1.2.0`), so nothing is
force-downgraded or broken.
- `brace-expansion` is **scoped under `eslint`** rather than a blanket
override — most copies in the tree were already on the patched 5.0.6,
and only `eslint`'s was stuck at the vulnerable 5.0.5. A global override
would have forced unrelated 1.x/2.x copies up a major version.

## Verification

- `npm audit` → **0 vulnerabilities**
- `npm ci` → clean install, 0 vulnerabilities
- `npm test` → **352 passed, 14 suites**

The root `dist/` directory is intentionally left for the CI workflow to
update.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
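The Notes above rely on npm's scoping rule for `overrides`: a plain entry pins every copy of a package in the tree, while an object nested under a parent name (`eslint` here) pins only copies inside that parent's dependency subtree. The following check is an added example, not code from this commit or the project; it walks a logical dependency tree in the shape `npm ls --all --json` prints (`{ version, dependencies: { name: {...} } }`) and reports every copy of an overridden package that did not land on the pinned version, while listing the copies a scoped rule correctly left alone. The tree below is constructed for the example (parent versions are placeholders), it assumes exact-version overrides as in the commit, and it does not handle the `"."` key that pins a scoped parent itself.

```javascript
// Added example, not code from the commit: verify that every copy of a package
// governed by an npm `overrides` entry resolved to the pinned version, honouring
// npm's scoping rule (an object under "eslint" applies only to packages in
// eslint's dependency subtree). Input is a logical dependency tree in the shape
// `npm ls --all --json` prints: { version, dependencies: { name: {...} } }.
// Assumptions: overrides are exact versions (as in the commit), and the "."
// key that pins a scoped parent itself is not handled.

const overrides = {
  "shell-quote": "1.8.4",
  "fast-xml-parser": "5.8.0",
  "fast-xml-builder": "1.2.0",
  eslint: { "brace-expansion": "5.0.6" },
};

// Constructed sample tree. Parent versions are placeholders; the eslint copy of
// brace-expansion is deliberately left at 5.0.5, and glob's 2.x copy is there to
// show that a scoped override must leave unrelated copies alone.
const dep = (version, dependencies = {}) => ({ version, dependencies });
const sampleTree = dep("0.0.0", {
  "npm-run-all": dep("0.0.0", { "shell-quote": dep("1.8.4") }),
  "@actions/artifact": dep("0.0.0", {
    "@azure/storage-blob": dep("0.0.0", {
      "@azure/core-xml": dep("0.0.0", {
        "fast-xml-parser": dep("5.8.0", { "fast-xml-builder": dep("1.2.0") }),
      }),
    }),
  }),
  eslint: dep("0.0.0", {
    minimatch: dep("0.0.0", { "brace-expansion": dep("5.0.5") }),
  }),
  glob: dep("0.0.0", {
    minimatch: dep("0.0.0", { "brace-expansion": dep("2.0.1") }),
  }),
});

// Flatten the (possibly nested) overrides object into rules:
// { scope: [ancestor names the rule is limited to], name, version }.
function flattenOverrides(spec, scope = []) {
  const rules = [];
  for (const [name, value] of Object.entries(spec)) {
    if (typeof value === "string") rules.push({ scope, name, version: value });
    else rules.push(...flattenOverrides(value, [...scope, name]));
  }
  return rules;
}

// True when every scope parent appears, in order, among the copy's ancestors.
function inScope(ancestors, scope) {
  let matched = 0;
  for (const a of ancestors) if (matched < scope.length && a === scope[matched]) matched++;
  return matched === scope.length;
}

// Depth-first walk; calls visit(name, version, pathFromRoot) for every node.
function walk(node, path, visit) {
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const childPath = [...path, name];
    visit(name, child.version, childPath);
    walk(child, childPath, visit);
  }
}

// Returns every copy that violates a rule, plus the copies a scoped rule skipped.
function checkOverrides(tree, spec) {
  const rules = flattenOverrides(spec);
  const violations = [];
  const outOfScope = [];
  walk(tree, [], (name, version, path) => {
    for (const rule of rules) {
      if (rule.name !== name) continue;
      const entry = { path: path.join(" > "), version, expected: rule.version };
      if (!inScope(path.slice(0, -1), rule.scope)) outOfScope.push(entry);
      else if (version !== rule.version) violations.push(entry);
    }
  });
  return { violations, outOfScope };
}

const report = checkOverrides(sampleTree, overrides);
for (const v of report.violations) console.log(`MISSED  ${v.path} is ${v.version}, override says ${v.expected}`);
for (const s of report.outOfScope) console.log(`skipped ${s.path} (${s.version}) not under override scope`);
console.log(report.violations.length === 0 ? "overrides effective" : "overrides NOT fully effective");
```

On a real checkout, replace `sampleTree` with `JSON.parse` of the output of `npm ls --all --json` run in `sources/`. The point of the scope check is the `glob > minimatch > brace-expansion` copy: it is reported as skipped rather than as a violation, which is exactly the behaviour the Notes wanted when they chose a nested `eslint` override over a global one. A clean `npm audit` only says no advisory matches the installed versions; this walk shows which copy each dependent actually resolved to.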
Daz DeBoer, 2026-06-09 19:06:38 -06:00, committed by GitHub
parent 657f690528
commit 9e2c1cc01d
2 changed files with 163 additions and 1427 deletions
+156 -1426 (file diff suppressed because it is too large)
+7 -1
@@ -73,6 +73,12 @@
"@azure/logger": "1.1.4",
"@octokit/request": "8.4.1",
"@octokit/request-error": "5.1.1",
"@octokit/plugin-paginate-rest": "9.2.2"
"@octokit/plugin-paginate-rest": "9.2.2",
"shell-quote": "1.8.4",
"fast-xml-parser": "5.8.0",
"fast-xml-builder": "1.2.0",
"eslint": {
"brace-expansion": "5.0.6"
}
}
}
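Review bot: the three blanket entries added here (`"shell-quote": "1.8.4"`, `"fast-xml-parser": "5.8.0"`, `"fast-xml-builder": "1.2.0"`) are exact pins, so the next time a parent raises its own floor above them (the commit message already notes `fast-xml-parser` 5.8.0 wants `fast-xml-builder ^1.2.0`) npm will keep forcing the older copy and the fix will need another edit in this block; if the intent is a minimum rather than a freeze, a range such as `">=1.8.4"` is accepted in `overrides` and lets the parent move. Because package.json cannot carry comments, also record somewhere tracked the condition under which each entry can be deleted (for example `npm-run-all` depending on a patched `shell-quote` itself), or these overrides will outlive the advisories. The scoped `eslint` entry is the right shape; `npm ls brace-expansion` shows which copy each dependent resolves to and is a stronger check than `npm audit` reporting 0. Finally, the lock-file diff (+156 -1426, suppressed above) is far larger than four version pins should produce; worth confirming it is the dedupe the overrides cause and not a regeneration under a different npm version.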