
fix: resolve npm audit vulnerabilities in action/ and replace dead gitpkg dependency#691

Merged: Zee2413 merged 1 commit into aws-cloudformation:main from Zee2413:fix/action-npm-audit-tier1 on Mar 30, 2026

Conversation

@Zee2413 (Contributor) commented Mar 27, 2026

Summary

Two fixes in one:

  1. Replace dead gitpkg.vercel.app dependency — the third-party service used to serve cfn-guard as an npm package is permanently down (402 DEPLOYMENT_DISABLED). Replaced with a local file reference to ../guard/ts-lib, which works because CI checks out the full repo.

  2. Resolve 9 npm audit vulnerabilities — adds overrides in package.json to pin minimum safe versions for transitive dependencies, ensuring fixes persist across lockfile regeneration.

Changes

Dependency source fix:

- "cfn-guard": "https://gitpkg.now.sh/aws-cloudformation/cloudformation-guard/guard/ts-lib?33d9931"
+ "cfn-guard": "file:../guard/ts-lib"
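Review bot: the `file:../guard/ts-lib` reference drops the commit pin (`?33d9931`) that the gitpkg URL carried, so the action now builds against whatever revision of `guard/ts-lib` happens to be checked out instead of a fixed one; that is acceptable if the two directories are meant to move together, but the package.json or README should say so. The description also notes this only works because CI checks out the full repo, so `npm install` inside `action/` alone (a sparse checkout, or someone installing from the `action/` tree without its sibling) will fail to resolve the path; a one-line comment or a pre-install check that `../guard/ts-lib/package.json` exists would make that failure mode obvious.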

New overrides:

| Override | Version | Vulnerability type |
|---|---|---|
| flatted | 3.4.2 | Prototype pollution, unbounded recursion DoS |
| ajv | 6.14.0 | ReDoS with $data option |
| micromatch | 4.0.8 | ReDoS |
| js-yaml | >=3.14.2 | Prototype pollution in merge |
| brace-expansion | >=1.1.13 | ReDoS, zero-step sequence hang |
| picomatch | >=2.3.2 | Method injection, ReDoS |
| minimatch | >=3.1.5 | ReDoS (partial — prettier-eslint copy remains) |
| @babel/helpers | >=7.26.10 | Inefficient RegExp in generated code |
| @eslint/plugin-kit | >=0.3.4 | ReDoS in ConfigCommentParser |

Remaining Vulnerabilities

  • undici (production, 6 CVEs) — requires @actions/github 6.x → 9.x breaking change
  • minimatch 9.0.3 via prettier-eslint (dev-only) — requires breaking prettier-eslint upgrade

Verification

  • npm run lint
  • npm test ✅ (20/20 tests passed)

@Zee2413 (Contributor, Author) commented Mar 27, 2026

CI failure is unrelated to this change — the cfn-guard dependency is fetched from gitpkg.vercel.app, which is currently returning 402 Payment Required. This is a pre-existing issue affecting all action/ CI runs (e.g., Dependabot's flatted PR also fails the same way). Needs a re-run once the service recovers.

@Zee2413 Zee2413 force-pushed the fix/action-npm-audit-tier1 branch from 06fd017 to 4ff3e14 Compare March 27, 2026 19:41
@Zee2413 Zee2413 closed this Mar 30, 2026
@Zee2413 Zee2413 reopened this Mar 30, 2026
@Zee2413 Zee2413 force-pushed the fix/action-npm-audit-tier1 branch from 4ff3e14 to ab8cf0b Compare March 30, 2026 16:09
@Zee2413 Zee2413 changed the title from "fix: resolve 9 npm audit vulnerabilities in action/ dev dependencies" to "fix: resolve npm audit vulnerabilities in action/ and replace dead gitpkg dependency" Mar 30, 2026
…tpkg dependency

Replace cfn-guard dependency from gitpkg.vercel.app (which is permanently
returning 402 DEPLOYMENT_DISABLED) with a local file reference to
../guard/ts-lib. This works because CI checks out the full repo.

Add overrides in package.json to pin minimum safe versions for transitive
dependencies, ensuring fixes persist across lockfile regeneration:
- flatted: 3.4.2 (prototype pollution, DoS)
- ajv: 6.14.0 (ReDoS)
- micromatch: 4.0.8 (ReDoS)
- js-yaml: >=3.14.2 (prototype pollution)
- brace-expansion: >=1.1.13 (ReDoS)
- picomatch: >=2.3.2 (method injection, ReDoS)
- minimatch: >=3.1.5 (ReDoS, partial — prettier-eslint copy remains)
- @babel/helpers: >=7.26.10 (regex complexity)
- @eslint/plugin-kit: >=0.3.4 (ReDoS)

Remaining alerts:
- undici (production, via @actions/github) — requires breaking major bump
- minimatch 9.0.3 via prettier-eslint — requires breaking upgrade

Verified: npm run lint ✅, npm test ✅ (20/20 tests passed)
@Zee2413 Zee2413 force-pushed the fix/action-npm-audit-tier1 branch from ab8cf0b to e5dad00 Compare March 30, 2026 16:15
Comment thread action/package.json
"@actions/core": "^1.11.1",
"@actions/exec": "^1.1.1",
"@actions/github": "^6.0.0",
"cfn-guard": "https://gitpkg.now.sh/aws-cloudformation/cloudformation-guard/guard/ts-lib?33d9931"
@Zee2413 (Contributor, Author) commented:

Change to free tier throwing 402 Payment Required from gitpkg.vercel.app since Jan 19th.

@Zee2413 Zee2413 merged commit b5fb3df into aws-cloudformation:main Mar 30, 2026
16 checks passed

4 participants