Fix CI Snyk vulnerabilities in liquidjs and fast-xml-parser#3686

Open
Copilot wants to merge 13 commits into main from copilot/fix-ci-snyk-issue

Conversation


Copilot AI commented Mar 24, 2026

  • Analyze Snyk CI failure to identify new vulnerabilities
  • Fix liquidjs vulnerability (10.25.1 → 10.25.3)
    • Update package.json (^10.25.0 → ^10.25.3)
    • Update packages/actions-shared/package.json (^10.25.0 → ^10.25.3)
    • Update packages/destination-actions/package.json (^10.25.0 → ^10.25.3)
  • Fix lodash vulnerability (4.17.21 → 4.18.1)
    • Update packages/actions-shared/package.json (^4.17.21 → ^4.18.1)
    • Update packages/destination-actions/package.json (^4.17.21 → ^4.18.1)
    • Update packages/cli/package.json (^4.17.20 → ^4.18.1)
    • Add lodash resolution in root package.json to force ALL transitive dependencies to 4.18.1
  • Fix picomatch vulnerability (2.3.1 → 2.3.2+)
    • Add resolution override in root package.json
  • Fix NEW liquidjs vulnerability SNYK-JS-LIQUIDJS-16205829 (10.25.5 → 10.25.7)
    • Update package.json (^10.25.3 → ^10.25.7)
    • Update packages/actions-shared/package.json (^10.25.3 → ^10.25.7)
    • Update packages/destination-actions/package.json (^10.25.3 → ^10.25.7)
    • Add liquidjs resolution in root package.json to force 10.25.7
    • Run yarn install to update yarn.lock
  • Verify tests pass (mapping-kit tests all passing)

Testing

No discrepancy found in liquidjs mme-e2e tests:
[image]

…l-parser resolution

- Update liquidjs from ^10.8.4 to ^10.25.0 in packages/actions-shared
- Update liquidjs from ^10.8.4 to ^10.25.0 in packages/destination-actions
- Update liquidjs from ^10.21.0 to ^10.25.0 in root package.json
- Add fast-xml-parser resolution to 5.5.9 for AWS SDK transitive dependency

Fixes:
- SNYK-JS-LIQUIDJS-15443434: Directory Traversal (High Severity)
- SNYK-JS-FASTXMLPARSER-15307668: XML Entity Expansion (High Severity)
- SNYK-JS-FASTXMLPARSER-15324289: Incorrect Regular Expression (High Severity)
- SNYK-JS-FASTXMLPARSER-15677840: XML Entity Expansion (High Severity)
- SNYK-JS-FASTXMLPARSER-15699647: Improper Validation (High Severity)
Copilot AI changed the title [WIP] Fix CI Snyk issue Fix CI Snyk vulnerabilities in liquidjs and fast-xml-parser Mar 24, 2026
Copilot AI requested a review from itsarijitray March 24, 2026 12:11

codecov Bot commented Mar 24, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 81.11%. Comparing base (48b53d2) to head (ce81f13).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #3686   +/-   ##
=======================================
  Coverage   81.11%   81.11%           
=======================================
  Files        1656     1656           
  Lines       32120    32120           
  Branches     7102     7062   -40     
=======================================
  Hits        26055    26055           
- Misses       5092     5109   +17     
+ Partials      973      956   -17     


@itsarijitray itsarijitray marked this pull request as ready for review March 24, 2026 12:41
@itsarijitray itsarijitray requested a review from a team as a code owner March 24, 2026 12:41

@mdkhan-tw mdkhan-tw left a comment

Can we try exhaustive testing? We had a sev because of a liquidjs parsing error.


itsarijitray commented Mar 24, 2026

Can we try exhaustive testing? We had a sev because of a liquidjs parsing error.

Yes... This is yet to be tested on staging...

MME-e2e tests added for liquidjs code: https://github.com/segmentio/mme-e2e/pull/476

Copilot AI review requested due to automatic review settings April 9, 2026 09:58

Copilot AI left a comment

Pull request overview

This PR addresses Snyk-reported high-severity vulnerabilities by upgrading liquidjs across the workspace and forcing a safe fast-xml-parser version via Yarn resolutions.

Changes:

  • Bumped liquidjs to ^10.25.0 in the root and relevant workspace packages.
  • Added a Yarn resolutions override to pin fast-xml-parser to 5.5.9.
  • Updated yarn.lock to reflect the new resolved dependency graph.

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 1 comment.

File Description
yarn.lock Updates lockfile entries for liquidjs and forces fast-xml-parser to resolve to 5.5.9 (plus new transitive deps).
package.json Adds fast-xml-parser resolution and bumps root liquidjs dependency.
packages/destination-actions/package.json Bumps liquidjs dependency to ^10.25.0.
packages/actions-shared/package.json Bumps liquidjs dependency to ^10.25.0.

Comment thread package.json
Comment on lines 121 to 124
"dependencies": {
"chance": "^1.1.8",
"liquidjs": "^10.21.0",
"liquidjs": "^10.25.0",
"xml-js": "^1.6.11"
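Review bot: `"liquidjs": "^10.25.0"` only raises the floor of a caret range, so the version actually installed is whatever yarn.lock resolves, and a later `yarn upgrade` can move within 10.x without anyone re-checking the advisory; since this PR already forces `fast-xml-parser` through root `resolutions`, consider giving liquidjs the same treatment so transitive copies elsewhere in the tree are pinned to a patched release as well.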

Copilot AI Apr 9, 2026

@segment/actions-core imports liquidjs (e.g., packages/core/src/mapping-kit/liquid-directive.ts) but packages/core/package.json does not declare it as a dependency. Relying on the workspace root dependency can break consumers that install @segment/actions-core standalone (missing module at runtime). Consider adding liquidjs to packages/core/package.json dependencies (and optionally removing the root-level dependency if it’s only needed for local workspace usage).

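The missing-dependency situation the review comment describes, as an added check that is not part of this PR or the project: it lists packages a workspace member's source imports that its own manifest does not declare. The manifest and source text are constructed stand-ins; `@segment/actions-core` and the liquid-directive.ts path come from the comment above, `@scope/pkg` is a made-up name.

```javascript
// Added example, not part of the PR: report packages that a workspace member's
// source imports but its own package.json does not declare, the situation the
// review comment describes for @segment/actions-core and liquidjs (the import
// only works because the root manifest hoists the module). The manifest and
// source text below are constructed stand-ins, not the real files.
const IMPORT_RE = /(?:\bfrom\s+|\brequire\()\s*['"]([^'"]+)['"]/g;

// Package name behind an import specifier; null for relative paths and Node
// built-ins, which no manifest needs to declare. Handles "@scope/pkg/subpath".
function packageNameOf(specifier) {
  if (/^[./]/.test(specifier) || specifier.startsWith('node:')) return null;
  const parts = specifier.split('/');
  return specifier.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

// Sorted list of imported packages missing from dependencies, peerDependencies
// and optionalDependencies (devDependencies are ignored on purpose: they are not
// installed for a consumer that pulls the package from the registry).
function undeclaredImports(sources, manifest) {
  const declared = new Set([
    ...Object.keys(manifest.dependencies || {}),
    ...Object.keys(manifest.peerDependencies || {}),
    ...Object.keys(manifest.optionalDependencies || {}),
  ]);
  const missing = new Set();
  for (const text of Object.values(sources)) {
    for (const m of text.matchAll(IMPORT_RE)) {
      const name = packageNameOf(m[1]);
      if (name && name !== manifest.name && !declared.has(name)) missing.add(name);
    }
  }
  return [...missing].sort();
}

const CORE_MANIFEST = { name: '@segment/actions-core', dependencies: { 'xml-js': '^1.6.11' } };
const CORE_SOURCES = {
  'src/mapping-kit/liquid-directive.ts':
    "import { Liquid } from 'liquidjs'\nimport { helper } from './helpers'\nimport path from 'node:path'\n",
  'src/index.ts': "const { xml2js } = require('xml-js')\nimport { thing } from '@scope/pkg/sub'\n",
};
const FIXED_MANIFEST = {
  ...CORE_MANIFEST,
  dependencies: { ...CORE_MANIFEST.dependencies, liquidjs: '^10.25.0', '@scope/pkg': '^1.0.0' },
};

console.log(undeclaredImports(CORE_SOURCES, CORE_MANIFEST)); // [ '@scope/pkg', 'liquidjs' ]
console.log(undeclaredImports(CORE_SOURCES, FIXED_MANIFEST)); // []
```

Running it over a real package means reading the files under `src/` into the `sources` map and parsing its package.json into `manifest`; a non-empty result is a package that will fail at runtime when installed on its own.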
- Update liquidjs from ^10.25.0 to ^10.25.3 (fixes SNYK-JS-LIQUIDJS-15953364 - Symlink Following)
- Update lodash from ^4.17.21/^4.17.20 to ^4.18.1 (fixes SNYK-JS-LODASH-15869625 - Arbitrary Code Injection)
- Add picomatch resolution to 2.3.2 (fixes SNYK-JS-PICOMATCH-15765511 - ReDoS)
Copilot AI review requested due to automatic review settings April 27, 2026 06:15

Copilot AI left a comment

Pull request overview

Copilot reviewed 4 out of 5 changed files in this pull request and generated 1 comment.

Comment thread package.json Outdated
"istanbul-lib-instrument/semver": "6.3.1"
"istanbul-lib-instrument/semver": "6.3.1",
"fast-xml-parser": "5.5.9",
"picomatch": "2.3.2"
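Review bot: a bare `"picomatch": "2.3.2"` (and likewise `"fast-xml-parser": "5.5.9"`) overrides every range in the tree, including dependents that may require a different major, so before merging confirm with `yarn why picomatch` and `yarn why fast-xml-parser` that no consumer needs a major other than the one being forced (the AWS SDK is the fast-xml-parser consumer named in the commit message); package.json cannot carry comments, so record the Snyk IDs each pin addresses in the PR description and plan to drop the pins once the dependents ship patched ranges, otherwise the exact pins will silently block future fixes.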
The previous lodash update in package.json files was not enough because
transitive dependencies were still pulling in lodash@4.17.21. Adding a
yarn resolution forces ALL lodash versions to resolve to 4.18.1.

Fixes SNYK-JS-LODASH-15869625 - Arbitrary Code Injection vulnerability
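The mechanism the commit message relies on, as an added check that is not part of this PR or the project: after `yarn install`, every yarn.lock entry for the overridden package should resolve to the version the root `resolutions` entry forces. The parser handles the Yarn v1 lockfile format; both lockfile snippets are constructed samples.

```javascript
// Added example, not part of the PR: verify that a Yarn v1 "resolutions" override
// took effect by checking every yarn.lock entry for a package against the forced
// version. Both lockfile snippets are constructed: the first mirrors the commit
// message (transitive ranges still at lodash@4.17.21), the second the fixed state.
const LOCK_BEFORE_RESOLUTION = `
# yarn lockfile v1
"@example/scoped-pkg@^1.0.0":
  version "1.0.0"
lodash@^4.17.20, lodash@^4.17.21:
  version "4.17.21"
lodash@^4.18.1:
  version "4.18.1"
lodash.get@^4.4.2:
  version "4.4.2"
`;
const LOCK_AFTER_RESOLUTION = `
lodash@^4.17.20, lodash@^4.17.21, lodash@^4.18.1:
  version "4.18.1"
lodash.get@^4.4.2:
  version "4.4.2"
`;
// Parse a v1 lockfile into { descriptors, version } records. An entry starts at
// column 0 with comma-separated (possibly quoted) descriptors and ends with ':'.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split('\n')) {
    if (line.trim() === '' || line.startsWith('#')) continue;
    if (!line.startsWith(' ') && line.endsWith(':')) {
      const descriptors = line.slice(0, -1).split(', ').map((d) => d.replace(/^"|"$/g, ''));
      current = { descriptors, version: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version "([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}
// Package name of "lodash@^4.17.21" or "@scope/pkg@^1.0.0": split at the last '@'.
const nameOf = (descriptor) => descriptor.slice(0, descriptor.lastIndexOf('@'));
// Entries for pkgName whose resolved version differs from the one the override forces.
function unresolvedEntries(lockText, pkgName, expected) {
  return parseYarnLock(lockText)
    .filter((e) => e.descriptors.some((d) => nameOf(d) === pkgName) && e.version !== expected)
    .map((e) => ({ descriptors: e.descriptors, version: e.version }));
}
console.log(unresolvedEntries(LOCK_BEFORE_RESOLUTION, 'lodash', '4.18.1')); // one stale entry
console.log(unresolvedEntries(LOCK_AFTER_RESOLUTION, 'lodash', '4.18.1')); // []
```

To use it in CI, read the repository's yarn.lock into `lockText` and fail the job when the returned list is non-empty; a stale entry means the override was added without regenerating the lockfile.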
Copilot AI requested review from Copilot and removed request for Copilot April 27, 2026 09:45
Copilot stopped work on behalf of itsarijitray due to an error April 27, 2026 10:02
@itsarijitray itsarijitray marked this pull request as ready for review April 27, 2026 11:57
Copilot AI review requested due to automatic review settings April 27, 2026 11:57

Copilot AI left a comment

Pull request overview

Copilot reviewed 4 out of 5 changed files in this pull request and generated 1 comment.

Comment thread package.json
"istanbul-lib-instrument/semver": "6.3.1"
"istanbul-lib-instrument/semver": "6.3.1",
"fast-xml-parser": "5.5.9",
"picomatch": "2.3.2",
"cheerio": "^1.0.0-rc.10",
"dayjs": "^1.10.7",
"escape-goat": "^3",
"liquidjs": "^10.8.4",
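Review bot: the last line of this snippet, `"liquidjs": "^10.8.4"`, is the pre-upgrade range that the commit message says was replaced with ^10.25.0 in packages/actions-shared and packages/destination-actions; confirm it is unchanged context from a manifest outside the PR rather than a workspace that was missed, since any package still allowing 10.8.4 would keep the Snyk finding open.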

We have liquidjs validation in the UI as well. Can we ensure that action-destination's and the UI's liquidjs versions aren't in conflict?

Copilot AI review requested due to automatic review settings April 28, 2026 12:43

Copilot AI left a comment

Pull request overview

Copilot reviewed 4 out of 5 changed files in this pull request and generated 1 comment.

Comment thread package.json
"istanbul-lib-instrument/semver": "6.3.1"
"istanbul-lib-instrument/semver": "6.3.1",
"fast-xml-parser": "5.5.9",
"picomatch": "2.3.2",
Copilot AI review requested due to automatic review settings May 4, 2026 06:37

Copilot AI left a comment

Pull request overview

Copilot reviewed 4 out of 5 changed files in this pull request and generated 1 comment.

Comment thread package.json
"istanbul-lib-instrument/semver": "6.3.1"
"istanbul-lib-instrument/semver": "6.3.1",
"fast-xml-parser": "5.5.9",
"picomatch": "2.3.2",
6 participants