Fix/security/2026-04-16 #152
Open
chaimleib wants to merge 21 commits into projectatomic:master from
…rty(key) in case of proto pollution

…, instead preserving the array shell

To prepare for lodash 4, first combine the yaml fields as array elements. Wait until the merge is done before normalizing the includes to an object. Aided by GPT-5.4.
`npm audit` was reporting 16 vulnerabilities (3 moderate, 8 high, 5 critical) from transitive dependencies. This PR fixes our dependencies to resolve them.

The starting commit is tagged v0.3.4, the latest release. Somehow, that wasn't merged into `master` yet.

Removed/Replaced

To reduce the maintenance burden, it helps to have fewer dependencies, so some dependencies were removed.
It is also important to replace unmaintained dependencies containing known security vulnerabilities.

- `mocha` - replaced with `test`, which is built-in since Node v18.0.0. `it` now has a slightly different signature. It used to be `function(done)`, but now it's `function(t, done)`.
- `should` - replaced with `assert/strict`, which is built-in since Node v9.9.0.
- `pre-commit` - replaced with `husky`, which is actively maintained.

Upgrades

- `js-yaml` 3.13.1 -> 4.1.1
  - `safeLoad` replaced with `load`
- `fast-xml-parser` 3.17.4 -> 5.6.0
  - `validate` was moved to `XMLValidator.validate`
- `dockerode` 2.2.9 -> 5.0.0
- `junit-report-builder` 2.1.0 -> 5.1.2
- `lodash` 2.4.2 -> 4.18.1
  - `lodash` calls with native calls to make debugging the upgrade easier
  - `_.merge` with `_.mergeWith`
  - `_.clone` in lodash 4 no longer takes an `isDeep` argument, and clones shallow by default. To continue respecting `isDeep`, swap it out as needed with `_.cloneDeep`.
  - `required_instructions` is initialized as an array, but objects are `_.merge`-d into it. In lodash 2 and 3, the object replaced the array. In lodash 4, the object gets appended to the array, which made tests fail. The fix was to delay normalizing `required_instructions` to objects until after the merge is done.

Other fixes

`test/integration/exec.spec.js`: should validate remote (https) Dockerfile

Encountered during refactor: remove devDeps mocha and should

Problems

`master` branch of projectatomic/dockerfile_lint, which could get out-of-sync with the branch being tested.

Fix

Spawn a temporary HTTP server which serves the specified Dockerfile, but using the current commit. No more timeouts. No more possibility of `master` having an incompatible version of the Dockerfile.
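The `required_instructions` ordering problem described under Upgrades, and the own-property check from the "proto pollution" commit, as an added example (not dockerfile_lint's own code): a merge that keeps the array shell, normalizes to an object only after the last include is merged, and copies only own, non-polluting keys so a rule file carrying `__proto__` cannot reach `Object.prototype`. `mergeRules`, `normalizeRequiredInstructions`, `buildRules`, the merge order (includes first, own file last) and the sample rule files are assumptions, not the project's.

```javascript
// Keys through which a crafted rule file could reach Object.prototype.
const POLLUTING_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Deep-merge src into dst. Arrays are concatenated so the array shell survives the
// merge; plain objects recurse; scalars from src win. Only own, non-polluting keys copy.
function mergeRules(dst, src) {
  if (Array.isArray(dst) && Array.isArray(src)) return dst.concat(src);
  if (!isPlainObject(dst) || !isPlainObject(src)) return src;
  const out = { ...dst };
  for (const key of Object.keys(src)) {
    if (POLLUTING_KEYS.has(key)) continue;
    out[key] = Object.prototype.hasOwnProperty.call(out, key)
      ? mergeRules(out[key], src[key]) : src[key];
  }
  return out;
}

// Run once, after the last include is merged: list -> object keyed by instruction
// name, later entries overriding earlier ones (so the including profile wins).
function normalizeRequiredInstructions(list) {
  const byName = {};
  for (const entry of list) {
    if (!isPlainObject(entry) || typeof entry.instruction !== 'string') continue;
    if (POLLUTING_KEYS.has(entry.instruction)) continue;
    byName[entry.instruction] = Object.assign({}, byName[entry.instruction], entry);
  }
  return byName;
}

// Hypothetical loader (assumed ordering): includes merge first, the profile's own
// file last; required_instructions stays an array until this point.
function buildRules(ownRules, includes) {
  const merged = [...includes, ownRules].reduce(mergeRules, {});
  merged.required_instructions = normalizeRequiredInstructions(merged.required_instructions || []);
  return merged;
}

// Constructed sample rule files, not from the project. The include also carries a
// "__proto__" key; JSON.parse, like a YAML loader, keeps it as an own property.
const ownRules = { profile: { name: 'own' },
  required_instructions: [{ instruction: 'FROM', count: 1, level: 'error' }] };
const includedRules = JSON.parse(`{
  "profile": { "name": "included" },
  "required_instructions": [
    { "instruction": "FROM", "count": 1, "level": "warn" },
    { "instruction": "MAINTAINER", "count": 1, "level": "info" } ],
  "__proto__": { "polluted": true } }`);
const rules = buildRules(ownRules, [includedRules]);
```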