
RUN-4340: npm dependency overrides and weekly Snyk schedule #95

Open
fdevans wants to merge 2 commits into main from cve-fixes

Conversation

@fdevans fdevans (Contributor) commented Apr 16, 2026

Summary

  • rundeck-cli (npm): Mitigate transitive vulnerabilities via overrides (xml2js 0.6.2 for CVE-2023-0842), bump direct js-yaml to ^3.14.2, and pin follow-redirects to 1.16.0 for the axios chain.
  • CI: Add a weekly Snyk scan on Mondays (06:00 UTC), in addition to existing push/PR/manual triggers.

PR Details

Gradle/Bouncy Castle and net.i2p.crypto:eddsa are unchanged; BC remains on 1.79 per org constraints.

- Pin xml2js via overrides (CVE-2023-0842)
- Bump js-yaml to 3.14.2; override follow-redirects to 1.16.0
- Run Snyk workflow weekly on Mondays (UTC)
Copilot AI review requested due to automatic review settings April 16, 2026 23:45

Copilot AI left a comment


Pull request overview

This PR aims to reduce known npm supply-chain vulnerabilities in the docker/client/rundeck-cli image via dependency pinning/overrides, and adds a weekly scheduled Snyk scan to complement existing CI triggers.

Changes:

  • Bump direct dependency js-yaml to ^3.14.2.
  • Add/adjust npm overrides to pin transitive dependencies (e.g., follow-redirects, xml2js) and update the lockfile accordingly.
  • Add a weekly GitHub Actions schedule (Mondays 06:00 UTC) for the reusable Snyk scan workflow.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.

  • docker/client/rundeck-cli/package.json: Updates js-yaml and adds new npm overrides intended to mitigate transitive CVEs.
  • docker/client/rundeck-cli/package-lock.json: Reflects resolved versions for the updated pins (e.g., follow-redirects, js-yaml, xml2js).
  • .github/workflows/snyk-scan.yml: Adds a weekly cron trigger for Snyk scanning.
Files not reviewed (1)
  • docker/client/rundeck-cli/package-lock.json: Language not supported


"follow-redirects": "1.16.0",
"tough-cookie": "4.1.3",
"xml-js": "0.5.1",
"xml2js": "0.6.2",
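Review bot: the override block pins four packages, but the PR summary only accounts for two of them (xml2js for CVE-2023-0842, follow-redirects for the axios chain); nothing on the page says why tough-cookie 4.1.3 and xml-js 0.5.1 are forced. Record the advisory or reason for each pin, either as a comment-bearing field next to the override or in the PR description, so whoever bumps these next knows which pins can be dropped once the upstream dependency moves. Note also that these are exact versions rather than ranges, so a later patch release of any of them will not be picked up until someone edits the override by hand.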

Copilot AI Apr 16, 2026


The overrides force major/semver-incompatible versions for transitive deps (e.g., ts-rundeck / @azure/ms-rest-js declare axios: ^0.18.0, tough-cookie: ^2.4.3, xml2js: ^0.4.19, but overrides pin axios@1.15.0, tough-cookie@4.1.3, xml2js@0.6.2). This bypasses the dependents’ declared compatibility ranges and can cause runtime breakage. Prefer upgrading/replacing the upstream dependency to versions that support the newer transitive deps, or scope overrides as narrowly as possible and add a smoke check to validate the CLI still works with the forced versions.

Suggested change
"xml2js": "0.6.2",

@fdevans fdevans changed the title Security: npm dependency overrides and weekly Snyk schedule RUN-4340: npm dependency overrides and weekly Snyk schedule Apr 16, 2026
@fdevans fdevans (Contributor, Author) commented Apr 16, 2026

Team Note: BouncyCastle findings will be handled by a different ticket/project

@fdevans fdevans requested a review from a team April 17, 2026 21:15