Security Overrides

The overrides block in package.json pins 18 transitive dependencies to versions that clear known CVEs. Each entry is debt — when the underlying ecosystem moves on, the corresponding entry should be removed.

This file documents the provenance and exit condition for each override. When adding or removing an override, update this file in the same commit.

Conventions

  • Class: runtime if the package ends up in the published dist/ runtime path; dev if it's used only by tooling (eslint, mocha, nyc, babel, prettier, etc.). The .npmignore excludes everything except dist/, thrift/, LICENSE, NOTICE, package.json, README.md — so dev-tooling overrides do not ship to consumers but DO surface in customer-side scanners (Dependabot, Snyk, OSV) that scan our lockfile.
  • Exit condition: the smallest change that would let us drop the override entry. Usually "upstream bump", sometimes "upstream takes the patched version as a dep range".

Entries

basic-ftp: ^5.3.1

  • Class: runtime
  • Path: proxy-agent → pac-proxy-agent → get-uri → basic-ftp
  • CVEs cleared: GHSA-5rq4-664w-9x2c (HIGH 9.1), GHSA-6v7q-wjvx-w8wg (HIGH 8.2), GHSA-rp42-5vxx-qpwr (HIGH 7.5), GHSA-rpmf-866q-6p89 (HIGH 7.5)
  • Exit: get-uri bumps its basic-ftp dep range to include ^5.3.1. Currently declares ^5.0.2.

@75lb/deep-merge: ^1.1.2

  • Class: dev (transitive of apache-arrow's CLI tooling — not in runtime path)
  • Path: apache-arrow → command-line-usage → table-layout → @75lb/deep-merge
  • CVEs cleared: GHSA-28mc-g557-92m7 (HIGH 8.7)
  • Exit: table-layout bumps its dep. Note apache-arrow@13 itself ships unused CLI tooling — bumping arrow to 15.x+ drops this dep entirely.

braces: ^3.0.3

  • Class: dev (via mocha's chokidar + eslint's micromatch)
  • Path: mocha → chokidar → braces AND @typescript-eslint/parser → ... → micromatch → braces
  • CVEs cleared: GHSA-grv7-fg5c-xmjg (HIGH 7.5)
  • Exit: chokidar bumps its braces dep range. Currently declares ~3.0.2.

picomatch: ^2.3.2

  • Class: dev (chokidar + micromatch transitive)
  • Path: mocha → chokidar → readdirp → picomatch AND ... → micromatch → picomatch
  • CVEs cleared: GHSA-c2c7-rcm5-vvqj (HIGH 7.5)
  • Exit: chokidar and micromatch bump their picomatch dep ranges.

flatted: ^3.4.2

  • Class: dev (eslint's file-entry-cache)
  • Path: eslint → file-entry-cache → flat-cache → flatted
  • CVEs cleared: GHSA-rf6f-7fwh-wjgh (HIGH 8.9), GHSA-25h7-pfq9-p65f (HIGH 7.5)
  • Exit: flat-cache bumps. Or move to eslint 9 (drops file-entry-cache dep tree shape).

minimatch: ^3.1.3

  • Class: dev (eslint plugins)
  • Path: eslint-plugin-import / -jsx-a11y / -react → minimatch
  • CVEs cleared: GHSA-3ppc-4f35-3m26 (HIGH 8.7), GHSA-23c5-xmqv-rm74 (HIGH 7.5), GHSA-7r86-cg39-jmmj (HIGH 7.5)
  • Exit: eslint plugins bump to use minimatch 9.x+ (most have done so on newer majors).

ws: ^8.18.0

  • Class: runtime (thrift's WebSocket transport)
  • Path: thrift → ws AND thrift → isomorphic-ws → ws
  • CVEs cleared: GHSA-3h5v-q93c-6h6q (HIGH 8.7 — ws@5.x DoS)
  • Exit: thrift bumps its declared ws: ^5.2.3 to ^8.x. Without the override, thrift@0.23.0 would pull the vulnerable ws@5.x.

cross-spawn: ^7.0.6

  • Class: dev (eslint + nyc)
  • Path: eslint → cross-spawn, nyc → foreground-child → cross-spawn, nyc → istanbul-lib-processinfo → cross-spawn
  • CVEs cleared: GHSA-3xgq-45jj-v275 (HIGH 7.7 — ReDoS)
  • Exit: eslint and nyc bump. Currently declare ^7.0.2.

serialize-javascript: ^7.0.5

  • Class: dev (mocha)
  • Path: mocha → serialize-javascript
  • CVEs cleared: GHSA-5c6j-r48x-rmvq (HIGH 8.1 — XSS via prototype pollution)
  • Exit: mocha bumps. Currently declares ^6.0.2.

follow-redirects: ^1.16.0

  • Class: dev (http-proxy testing util)
  • Path: http-proxy → follow-redirects
  • CVEs cleared: GHSA-r4q5-vmmm-2653 (MED 6.9)
  • Exit: http-proxy bumps. Currently declares ^1.15.0.

brace-expansion: ^1.1.13

  • Class: dev (transitive of overridden minimatch)
  • Path: eslint-plugin-import → minimatch → brace-expansion
  • CVEs cleared: GHSA-v6h2-p8h4-qcjw (LOW)
  • Exit: same as minimatch — when eslint plugins bump to minimatch 9+, this resolves transitively too.

@babel/helpers: ^7.26.10

  • Class: dev (nyc instrumentation)
  • Path: nyc → istanbul-lib-instrument → @babel/core → @babel/helpers
  • CVEs cleared: GHSA-968p-4wvh-cqc8 (MED 6.2 — ReDoS)
  • Exit: @babel/core bumps its @babel/helpers range. The version resolved through nyc's tree was below 7.26.10, the first patched release.

@babel/runtime: ^7.26.10

  • Class: dev (eslint-config-airbnb-typescript transitive)
  • Path: eslint plugins (via core-js-pure → @babel/runtime)
  • CVEs cleared: GHSA-968p-4wvh-cqc8 (MED 6.2 — same as @babel/helpers)
  • Exit: same as @babel/helpers.

@babel/runtime-corejs3: ^7.26.10

  • Class: dev (eslint-config-airbnb)
  • Path: same as @babel/runtime
  • CVEs cleared: GHSA-968p-4wvh-cqc8 (MED 6.2)
  • Exit: same as @babel/runtime.

ip-address: ^10.1.1

  • Class: runtime (proxy-agent → socks → ip-address)
  • Path: proxy-agent → socks-proxy-agent → socks → ip-address
  • CVEs cleared: GHSA-v2v4-37r5-5v8g (MED 5.3 — IPv6 parsing DoS)
  • Exit: socks bumps to ip-address@^10.x. Note: ip-address@10 is published as CommonJS with conditional exports — verify any future bump retains CJS compat for our dist/.

js-yaml: ^4.1.1

  • Class: dev (eslint / mocha / nyc config loaders)
  • Path: eslint → @eslint/eslintrc → js-yaml, mocha → js-yaml, nyc → @istanbuljs/load-nyc-config → js-yaml
  • CVEs cleared: GHSA-mh29-5h37-fv8m (MED 5.3 — DoS on malformed YAML)
  • Exit: each consumer bumps. All three are already on the 4.x line; the override forces a patch within 4.x.

micromatch: ^4.0.8

  • Class: dev (typescript-eslint glob)
  • Path: @typescript-eslint/parser → @typescript-eslint/typescript-estree → globby → fast-glob → micromatch
  • CVEs cleared: GHSA-952p-6rrq-rcjv (MED 5.3 — ReDoS)
  • Exit: fast-glob bumps. Currently declares ^4.0.4.

uuid: ^11.1.1

  • Class: runtime — this one matters most
  • Path: declared as a top-level runtime dep AND thrift → uuid
  • CVEs cleared: GHSA-w5hq-g745-h8pq (HIGH 7.5 — buffer-bounds in v3/v5/v6; driver only uses v4 but consumer scanners flag against our lockfile)
  • Why an override is needed: thrift@0.23.0 declares uuid: ^13.0.0, but uuid@13 is ESM-only. Our driver is compiled to CJS (dist/*.js), so a top-level uuid: ^11.1.1 plus this matching override forces thrift's transitive uuid down to v11 (which dual-publishes ESM + CJS via conditional exports).
  • Exit: any of (a) we migrate dist/ to ESM, (b) thrift drops the uuid dep, (c) thrift widens its range to ^11 || ^13 and we follow whichever module format thrift settles on. Today, removing this override would make require('uuid') from dist/ fail at load time on any Node release without unflagged require(esm), i.e. everything before 20.19 and 22.12 and all of 21.x.

How to audit

# Show what depends on a specific override target (resolved version and path):
npm ls <package-name>

# Show every dependency chain plus the range each dependent declares
# (this is the "Exit" data above: has the dependent's range caught up yet?):
npm explain <package-name>

# Re-run the lockfile against OSV-Scanner to verify findings are still cleared:
osv-scanner scan source --lockfile=package-lock.json

When all entries' exit conditions are met, this file should be deleted along with the corresponding overrides block.