Pull request overview
This PR updates Node.js dependencies for the docker/client/rundeck-cli/ Docker client to remediate Snyk-reported CVE findings by bumping direct dependencies and pinning vulnerable transitive dependencies.
Changes:
- Bump direct deps `js-yaml` and `yaml`.
- Add/expand npm `overrides` to pin transitive packages (axios, tough-cookie, xml-js, diff) and regenerate `package-lock.json`.
- Ignore the rundeck-cli `node_modules` directory via `.gitignore`.
Reviewed changes
Copilot reviewed 1 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| docker/client/rundeck-cli/package.json | Updates direct deps and introduces additional overrides pins for transitive CVE remediation. |
| docker/client/rundeck-cli/package-lock.json | Regenerated lockfile reflecting overridden/pinned transitive versions. |
| .gitignore | Prevents committing docker/client/rundeck-cli/node_modules. |
Files not reviewed (1)
- docker/client/rundeck-cli/package-lock.json: Language not supported
| "overrides": { | ||
| "axios": "1.12.0" | ||
| "axios": "1.15.0", | ||
| "tough-cookie": "4.1.3", | ||
| "xml-js": "0.5.1", | ||
| "diff": "4.0.4" |
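Review bot: the override values in this hunk are exact pins (1.15.0, 4.1.3, 0.5.1, 4.0.4), so the next advisory against any of these packages needs another edit plus lockfile regeneration; npm accepts a range in `overrides`, so a floor such as `"tough-cookie": ">=4.1.3"` keeps the remediation while letting later patch releases resolve. Because an npm that predates `overrides` silently ignores the field, also declare the required npm under `engines` and set `engine-strict=true` in `.npmrc`, so an unsupported npm fails the install instead of quietly producing an unpinned tree.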
The new overrides rely on npm support for overrides (and the accompanying package-lock.json is lockfileVersion: 3). However, the client Docker image currently uses Node 12 (npm 6), which doesn’t apply overrides and may not faithfully honor a v3 lockfile, meaning the intended CVE remediation may not take effect (or installs may drift/rewrite the lockfile). Consider either (a) updating the Docker build/runtime to a Node/npm version that supports overrides + lockfile v3, or (b) regenerating the lockfile in a format compatible with the currently supported npm and using a different mechanism for pinning vulnerable transitives.
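To make the concern in the comment above checkable, the following is an added example, not code from the PR or the rundeck-cli project: it compares the exact pins in package.json `overrides` with the versions a lockfileVersion 3 `package-lock.json` actually records. The embedded package.json and lockfile are constructed samples, and the nested `node_modules/ts-rundeck/node_modules/tough-cookie` path is a hypothetical leftover copy.

```javascript
// Added example, not code from the PR: check that every exact pin in
// package.json "overrides" is what package-lock.json (lockfileVersion 3)
// actually records. Lockfile v3 keys entries by install path, so a stale
// nested copy such as "node_modules/ts-rundeck/node_modules/tough-cookie"
// that an older npm left in place is reported as a mismatch.
const EXACT_VERSION = /^\d+\.\d+\.\d+$/;

function checkOverrides(pkg, lock) {
  const findings = [];
  const packages = lock.packages || {};
  for (const [name, spec] of Object.entries(pkg.overrides || {})) {
    if (!EXACT_VERSION.test(spec)) {          // ranges are not resolved here
      findings.push({ name, spec, status: "unchecked" });
      continue;
    }
    const suffix = "node_modules/" + name;
    const copies = Object.entries(packages).filter(
      ([path]) => path === suffix || path.endsWith("/" + suffix));
    if (copies.length === 0) {                // override names a package not in the tree
      findings.push({ name, spec, status: "missing" });
      continue;
    }
    for (const [path, entry] of copies) {
      if (entry.version !== spec) {
        findings.push({ name, spec, status: "mismatch", path, actual: entry.version });
      }
    }
  }
  return findings;
}

// Convenience for real files: node check.js package.json package-lock.json
function checkFiles(pkgPath, lockPath) {
  const fs = require("fs");
  const read = (p) => JSON.parse(fs.readFileSync(p, "utf8"));
  return checkOverrides(read(pkgPath), read(lockPath));
}

// Constructed sample: the PR's overrides, plus a lockfile where npm left a
// nested tough-cookie@2.5.0 in place and never installed "diff" at all.
const samplePkg = { overrides: { axios: "1.15.0", "tough-cookie": "4.1.3", "xml-js": "0.5.1", diff: "4.0.4" } };
const sampleLock = { lockfileVersion: 3, packages: {
  "node_modules/axios": { version: "1.15.0" },
  "node_modules/tough-cookie": { version: "4.1.3" },
  "node_modules/ts-rundeck/node_modules/tough-cookie": { version: "2.5.0" },
  "node_modules/xml-js": { version: "0.5.1" },
} };

const sampleFindings = checkOverrides(samplePkg, sampleLock);
sampleFindings.forEach((finding) => console.log(JSON.stringify(finding)));
```

Run it against the real files after `npm ci` with the image's own npm; an empty result means every pin landed, while a "mismatch" or "missing" line means the override was not honored.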
| "node_modules/axios": { | ||
| "version": "1.11.0", | ||
| "resolved": "https://registry.npmjs.org/axios/-/axios-1.11.0.tgz", | ||
| "integrity": "sha512-1Lx3WLFQWm3ooKDYZD1eXmoGO9fxYQjrycfHFC8P0sCfQVXyROp0p9PFWBehewBOdCwHc+f/b8I0fMto5eSfwA==", | ||
| "version": "1.15.0", | ||
| "resolved": "https://registry.npmjs.org/axios/-/axios-1.15.0.tgz", | ||
| "integrity": "sha512-wWyJDlAatxk30ZJer+GeCWS209sA42X+N5jU2jy6oHTp7ufw8uzUTVFBX9+wTfAlhiJXGS0Bq7X6efruWjuK9Q==", | ||
| "license": "MIT", | ||
| "dependencies": { | ||
| "follow-redirects": "^1.15.6", | ||
| "form-data": "^4.0.4", | ||
| "proxy-from-env": "^1.1.0" | ||
| "follow-redirects": "^1.15.11", | ||
| "form-data": "^4.0.5", | ||
| "proxy-from-env": "^2.1.0" | ||
| } |
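Review bot: the previous override pinned axios to 1.12.0 (see the package.json hunk above), yet the old lockfile entry here resolved axios@1.11.0, which is direct evidence that the override was not being applied when that lockfile was generated. Before merging, run `npm ci` with the npm the Docker image actually uses and confirm with `npm ls axios` that a single 1.15.0 copy is installed; otherwise the bump in this hunk exists only in the lockfile. Note also that `proxy-from-env` moves from `^1.1.0` to `^2.1.0`, a major bump inside the pinned axios, so it belongs in the same verification.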
ts-rundeck declares axios: ^0.18.0 (see the ts-rundeck package entry later in this lockfile), but this lockfile now forces axios@1.15.0 via overrides. Because this is outside the declared semver range, it can introduce subtle runtime incompatibilities in ts-rundeck/@azure/ms-rest-js HTTP behavior. If the override is required for CVE remediation, consider upgrading to a ts-rundeck (and/or underlying Azure client) version that officially supports axios 1.x, or add a smoke test in the container build to exercise the CLI against a live Rundeck endpoint to catch breakage early.
| "version": "4.1.3", | ||
| "resolved": "https://registry.npmjs.org/tough-cookie/-/tough-cookie-4.1.3.tgz", | ||
| "integrity": "sha512-aX/y5pVRkfRnfmuX+OdbSdXvPe6ieKX/G2s7e98f4poJHnqH3281gDPm/metm6E/WRamfx7WC4HUqkWHfQHprw==", | ||
| "license": "BSD-3-Clause", | ||
| "dependencies": { | ||
| "psl": "^1.1.33", | ||
| "punycode": "^2.1.1", | ||
| "universalify": "^0.2.0", | ||
| "url-parse": "^1.5.3" | ||
| }, | ||
| "engines": { | ||
| "node": ">=6" |
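Review bot: the new top-level tough-cookie@4.1.3 entry pulls in `universalify` and `url-parse` as transitive dependencies that the 2.5.0 entry (which declared only `psl` and `punycode`) did not have. Since the purpose of the PR is to clear Snyk findings, confirm that the regenerated lockfile resolves these additions to advisory-free versions and that the Snyk scan was re-run against the final lockfile rather than only against the override list.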
This lockfile removes the nested tough-cookie@2.5.0 under ts-rundeck’s dependency chain and replaces it with a top-level tough-cookie@4.1.3 (via overrides). Since @azure/ms-rest-js within ts-rundeck declares tough-cookie: ^2.4.3, this forces a major version outside the supported range and may break cookie handling/auth flows at runtime. If this pin is necessary for CVE remediation, consider updating the dependency that requires tough-cookie@2.x to a version compatible with tough-cookie@4, or validate behavior with an integration/smoke test that exercises authenticated Rundeck API calls.
| "version": "4.1.3", | |
| "resolved": "https://registry.npmjs.org/tough-cookie/-/tough-cookie-4.1.3.tgz", | |
| "integrity": "sha512-aX/y5pVRkfRnfmuX+OdbSdXvPe6ieKX/G2s7e98f4poJHnqH3281gDPm/metm6E/WRamfx7WC4HUqkWHfQHprw==", | |
| "license": "BSD-3-Clause", | |
| "dependencies": { | |
| "psl": "^1.1.33", | |
| "punycode": "^2.1.1", | |
| "universalify": "^0.2.0", | |
| "url-parse": "^1.5.3" | |
| }, | |
| "engines": { | |
| "node": ">=6" | |
| "version": "2.5.0", | |
| "resolved": "https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz", | |
| "dependencies": { | |
| "psl": "^1.1.28", | |
| "punycode": "^2.1.1" | |
| }, | |
| "engines": { | |
| "node": ">=0.8" |
Release Notes
This update refreshes JavaScript dependencies used by the Docker Rundeck CLI helper client so known security issues reported in those packages are addressed, reducing risk when building or running that tooling alongside the plugin.
PR Details
This branch updates the Node dependencies under `docker/client/rundeck-cli/` to address findings from Snyk (CVE-related).
Changes
- `js-yaml` to ^3.13.2 and `yaml` to ^1.10.3.
- `overrides`: `axios` 1.15.0, `tough-cookie` 4.1.3, `xml-js` 0.5.1, `diff` 4.0.4 (replacing the previous axios-only override).
- `package-lock.json` regenerated to match.
- `/docker/client/rundeck-cli/node_modules` to `.gitignore`.