mirror of https://github.com/gradle/actions.git synced 2026-06-10 21:50:41 +00:00
9901393644
Removes all `overrides` from `sources/package.json`. Two commits, each
independently verified:
## 1. Remove redundant security overrides
The `shell-quote`, `fast-xml-parser`, `fast-xml-builder` and `eslint >
brace-expansion` overrides added in #980 are **no-ops**: npm's natural
resolution already lands on the exact same patched versions, so they
upgrade nothing. The vulnerabilities were actually resolved by
regenerating the lockfile, not by the overrides.
## 2. Remove obsolete Octokit/Azure overrides
`@azure/logger`, `@octokit/request`, `@octokit/request-error` and
`@octokit/plugin-paginate-rest` were point-in-time pins added to
force-upgrade then-vulnerable transitive deps (5d947f45, #601). The
parent packages (`@actions/github`, `@actions/artifact`) have since
advanced and now resolve **newer, non-vulnerable** versions naturally —
so the overrides only pinned stale versions:
| Package | Pinned (override) | Natural |
|---|---|---|
| `@octokit/request` | 8.4.1 | 10.0.10 |
| `@octokit/request-error` | 5.1.1 | 7.1.0 |
| `@octokit/plugin-paginate-rest` | 9.2.2 | 14.0.0 |
| `@azure/logger` | 1.1.4 | 1.3.0 |
## Verification
- `npm audit` → **0 vulnerabilities**
- `./build` → passes
- `npm test` → **352/352 passing**
### Note on a flaky test
While testing I saw the `wrapper-validation` test *"fetches wrapper jar
checksums for snapshots"* intermittently fail (1–2 failures, then pass
on retry). It is a **pre-existing flaky network test** — it makes ~175
live calls to Gradle services and sits right at its 60s timeout. Its
code path imports neither Octokit nor Azure (`src/wrapper-validation/`
uses only `@actions/http-client`/`nock`/`cheerio`), so it is unrelated
to these overrides; the `nock`/`@mswjs/interceptors`/`undici` versions
are identical before and after.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
---------
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
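The claim in this commit (an override is a no-op when npm's natural resolution already satisfies it, and a stale pin when it would drag a package below what npm now picks) can be checked mechanically. The script below is an added example, not code from gradle/actions or from the commit author: it classifies each `overrides` entry in a package.json against a package-lock.json that was regenerated without the overrides (delete the block, run `npm install --package-lock-only`, then point the script at the result). The `shell-quote`, `brace-expansion` and `example-dep` versions in the embedded sample are constructed for the demo; the Octokit and Azure versions come from the table above. Only exact pins and `^`/`~` ranges are modelled.

```javascript
// Added example (not gradle/actions code): classify package.json `overrides`
// against a lockfile regenerated WITHOUT them.
//   no-op      natural resolution already satisfies the override
//   stale-pin  override would pin a version older than npm picks naturally
//   upgrades   override actually raises a version (i.e. it is doing work)
//   absent     nothing in the tree to override; unknown = spec form not modelled

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Exact pins plus ^ and ~ ranges; returns null for anything else (||, hyphen ranges, tags).
function satisfies(version, spec) {
  const op = /^[\^~]/.test(spec) ? spec[0] : '';
  const base = parseVersion(op ? spec.slice(1) : spec);
  const ver = parseVersion(version);
  if (!base || !ver) return null;
  if (op === '') return compare(ver, base) === 0;
  if (compare(ver, base) < 0) return false;
  if (op === '~') return ver[0] === base[0] && ver[1] === base[1]; // ~1.8.3 -> <1.9.0
  if (base[0] > 0) return ver[0] === base[0];                        // ^1.2.3 -> <2.0.0
  if (base[1] > 0) return ver[0] === 0 && ver[1] === base[1];        // ^0.2.3 -> <0.3.0
  return compare(ver, base) === 0;                                   // ^0.0.3 -> =0.0.3
}

// Flatten npm's nested override objects ({"eslint": {"brace-expansion": "x"}}) and the
// "parent > child" shorthand used in the commit message into [{path, spec}].
// A "pkg@range" key keeps only the package name; "." means the parent itself.
function flattenOverrides(overrides, parents = [], out = []) {
  for (const [rawKey, value] of Object.entries(overrides)) {
    const names = rawKey === '.' ? [] : rawKey.split('>').map((s) => s.trim().replace(/(.)@.*$/, '$1'));
    const path = [...parents, ...names];
    if (typeof value === 'string') out.push({ path, spec: value });
    else flattenOverrides(value, path, out);
  }
  return out;
}

// Every copy of `name` in a lockfile v2/v3 `packages` map, hoisted or nested.
function lockedCopies(lock, name) {
  const copies = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const chain = key.split('node_modules/').map((s) => s.replace(/\/$/, '')).filter(Boolean);
    if (chain.length && chain[chain.length - 1] === name) copies.push({ location: key, version: entry.version });
  }
  return copies;
}

// Node-style lookup: nearest node_modules/<name> walking up from `fromLocation`.
function resolveFrom(lock, fromLocation, name) {
  let dir = fromLocation;
  for (;;) {
    const candidate = dir ? `${dir}/node_modules/${name}` : `node_modules/${name}`;
    if (lock.packages[candidate]) return { location: candidate, version: lock.packages[candidate].version };
    if (!dir) return null;
    const i = dir.lastIndexOf('/node_modules/');
    dir = i >= 0 ? dir.slice(0, i) : '';
  }
}

// For "a > b > c", the copies of c that a's copies of b actually resolve to.
function resolvedCopies(lock, path) {
  let locations = lockedCopies(lock, path[0]);
  for (const name of path.slice(1)) {
    locations = locations.map((loc) => resolveFrom(lock, loc.location, name)).filter(Boolean);
  }
  return [...new Map(locations.map((l) => [l.location, l])).values()];
}

function classifyOverrides(pkg, lock) {
  return flattenOverrides(pkg.overrides || {}).map(({ path, spec }) => {
    const copies = resolvedCopies(lock, path);
    const base = parseVersion(spec.replace(/^[\^~]/, ''));
    let status = copies.length ? 'no-op' : 'absent';
    for (const c of copies) {
      const ok = satisfies(c.version, spec);
      if (ok === null) { status = 'unknown'; break; }
      if (ok) continue;
      status = compare(parseVersion(c.version), base) > 0 ? 'stale-pin' : 'upgrades';
      break;
    }
    return { override: path.join(' > '), spec, status, natural: copies.map((c) => c.version) };
  });
}

// Constructed sample. Octokit/Azure "natural" versions are from the commit's table;
// shell-quote, brace-expansion and example-dep are made up for the demo.
const SAMPLE_PACKAGE = {
  overrides: {
    'shell-quote': '^1.8.3',
    eslint: { 'brace-expansion': '^2.0.2' },
    '@octokit/request': '8.4.1',
    '@octokit/plugin-paginate-rest': '9.2.2',
    '@azure/logger': '1.1.4',
    'example-dep': '^2.0.0',
  },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sources' },
    'node_modules/shell-quote': { version: '1.8.3' },
    'node_modules/eslint': { version: '9.0.0' },
    'node_modules/brace-expansion': { version: '1.1.12' },
    'node_modules/eslint/node_modules/brace-expansion': { version: '2.0.2' },
    'node_modules/@octokit/request': { version: '10.0.10' },
    'node_modules/@octokit/plugin-paginate-rest': { version: '14.0.0' },
    'node_modules/@azure/logger': { version: '1.3.0' },
    'node_modules/example-dep': { version: '1.4.0' },
  },
};

function main() {
  const [pkgPath, lockPath] = process.argv.slice(2);
  const read = (p) => JSON.parse(require('fs').readFileSync(p, 'utf8'));
  const pkg = pkgPath ? read(pkgPath) : SAMPLE_PACKAGE;
  const lock = lockPath ? read(lockPath) : SAMPLE_LOCK;
  for (const r of classifyOverrides(pkg, lock)) {
    console.log(`${r.status.padEnd(9)} ${r.override} ${r.spec} (natural: ${r.natural.join(', ') || 'none'})`);
  }
}
if (typeof require !== 'undefined' && require.main === module) main();
```

Run it as `node check-overrides.js sources/package.json package-lock.natural.json` (file name assumed) after regenerating the lockfile without the overrides. Every `no-op` row can be deleted with no change to the tree; a `stale-pin` row is the case described in section 2 above, where the override only holds a transitive dependency back. The parent-scoped path walk matters for the `eslint > brace-expansion` case: a hoisted `brace-expansion@1.x` at the root is irrelevant to that override, and a naive "all copies" check would wrongly report it as effective.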