fix: address dependency CVEs (handlebars, hbs, tar, serialize-javascript)#8543
Open
hectormmg wants to merge 12 commits into
Open
fix: address dependency CVEs (handlebars, hbs, tar, serialize-javascript)#8543hectormmg wants to merge 12 commits into
hectormmg wants to merge 12 commits into
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Updates the root workspace configuration to mitigate transitive dependency CVEs (notably tar) by excluding certain sample packages from workspaces and forcing a safer tar version via npm overrides.
Changes:
- Remove
extensions/samples/*from root workspaces and replacesamples/msal-node-samples/*with an explicit allowlist of node sample workspaces. - Add an npm
overridesentry to forcetarto a non-vulnerable 7.x version.
hectormmg
force-pushed
the
dependency-updates
branch
from
ef952dc to
e6e8c1a
Compare
hectormmg
changed the title
hectormmg
force-pushed
the
dependency-updates
branch
3 times, most recently
from
8313d0b to
cc7372f
Compare
hectormmg
changed the title
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
… overriding tar to ^7.5.3 - Remove ElectronSystemBrowserTestApp from msal-node-samples workspace glob (explicit list) - Remove extensions/samples/* wildcard (electron-webpack also used @electron-forge) - Add overrides.tar = ^7.5.3 to fix remaining tar@6.2.1 via @angular/cli 19 -> pacote chain (Angular CLI 19.x will not receive an official fix per angular/angular-cli#32324) - Regenerate package-lock.json: tar now resolves to 7.5.13 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…ipt CVE Upgrade @rollup/plugin-terser from ^0.4.0 to ^1.0.0 in msal-browser. v1.0.0 uses serialize-javascript@^7.0.3 (fixed version for RCE via RegExp.flags/Date.toISOString injection, GHSA-5c6j-r48x-rmvq). Note: serialize-javascript@6.0.2 remains for copy-webpack-plugin@12.0.2, which is pinned by @angular-devkit/build-angular. Exploitation is infeasible there as no user input flows through serialize() in that path. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…workspace globs
Move ElectronSystemBrowserTestApp and electron-webpack one level deeper
into an electron/ subdirectory so the open-ended workspace globs
(samples/msal-node-samples/* and extensions/samples/*) can be restored
without including the electron samples in the npm workspace.
Since npm workspaces do not support negation patterns, this structural
change is the cleanest way to exclude specific samples from a glob while
keeping the list open-ended for future additions.
- samples/msal-node-samples/ElectronSystemBrowserTestApp
-> samples/msal-node-samples/electron/ElectronSystemBrowserTestApp
- extensions/samples/electron-webpack
-> extensions/samples/electron/electron-webpack
Update all doc links pointing to the old paths.
Regenerate package-lock.json.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Version 1.3.2 does not exist on the npm registry (latest is 1.3.1). The lockfile was incorrectly resolving to this non-existent version during regeneration on Node 24. Pin to the existing 1.3.1. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The e2e-tests.yml template is pulled from the 1P repo. Hardcoding ref: dev means CI on this branch never picks up template changes on dependency-updates. Change to dependency-updates so CI uses the corrected prewarm script path. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Revert .pipelines/1p-e2e.yml 1P resource ref back to dev (temp dependency-updates ref was only needed during active branch work) - Fix changefile comment to use conventional commit prefix and match the actual package-level change (@rollup/plugin-terser upgrade) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
hectormmg
force-pushed
the
dependency-updates
branch
from
cc7372f to
920482f
Compare
Contributor
|
Reminder: This PR appears to be stale. If this PR is still a work in progress please mark as draft. |
microsoft-github-policy-service
Bot
added
the
Needs: Attention 👋
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Addresses multiple dependency vulnerabilities:
overrides.tar = \"7.5.13\"to fix the path via@angular/cli 19->pacote.tarnow resolves to exactly7.5.13across all transitive consumers.@rollup/plugin-terserfrom^0.4.0->^1.0.0, which pulls inserialize-javascript@7.0.5(fixed). The remainingserialize-javascript@6.0.2nested undercopy-webpack-pluginis a dev-only build tool with no user-controlled input paths -- accepted as low risk.@microsoft/api-extractor@7.58.6now pulls inminimatch@10.2.3(fixed version).Electron sample restructuring
To keep workspace glob patterns open-ended (matching
dev) while avoidingtar@6.xfrom@electron-forgeentering the workspace lockfile, the two electron samples have been moved one level deeper into anelectron/subdirectory:extensions/samples/electron-webpack/->extensions/samples/electron/electron-webpack/\n-samples/msal-node-samples/ElectronSystemBrowserTestApp/->samples/msal-node-samples/electron/ElectronSystemBrowserTestApp/\nThe
electron/container directories have nopackage.json, so they are not picked up by theextensions/samples/*andsamples/msal-node-samples/*workspace globs. This keeps the workspace configuration identical todevwith no brittle allowlists. Doc links in 4 files updated to reflect the new paths.Notes
@electron-forgestill pulls intar@6.xtransitively and has no upstream fix; the electron samples remain installable standalone but are excluded from the workspace lockfile by directory structure.