Skip to content

Upgrade standard to v17 to fix security vulnerabilities#52

Merged
niall3rs merged 4 commits into
masterfrom
ncolfer/dependency-updates-may-2026
May 14, 2026
Merged

Upgrade standard to v17 to fix security vulnerabilities#52
niall3rs merged 4 commits into
masterfrom
ncolfer/dependency-updates-may-2026

Conversation

@niall3rs

@niall3rs niall3rs commented May 13, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Upgrades standard from v16 to v17 to resolve 3 high-severity Dependabot alerts
  • Removes vulnerable transitive dependencies (fast-uri, lodash) that came from eslint@7.x
  • Auto-fixes object-shorthand lint warnings in connection_helper.js

Resolved Vulnerabilities

Alert Severity Package Issue
#41 High fast-uri Host confusion via percent-encoded authority delimiters
#40 High fast-uri Path traversal via percent-encoded dot segments
#38 High lodash Code injection via _.template imports key names

Test plan

  • npm audit shows 0 vulnerabilities
  • npm run lint passes
  • CI tests pass

🤖 Generated with Claude Code

Resolves 3 Dependabot alerts:
- fast-uri host confusion (GHSA-41)
- fast-uri path traversal (GHSA-40)
- lodash code injection via _.template (GHSA-38)

The vulnerable packages came from eslint@7.x bundled in standard@16.
standard@17 uses eslint@8.x which doesn't include these dependencies.

Also auto-fixed object-shorthand lint warnings in connection_helper.js.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@niall3rs niall3rs requested a review from a team as a code owner May 13, 2026 15:31
niall3rs and others added 2 commits May 13, 2026 16:35
- Replace Node 20 (EOL April 2026) with currently supported LTS versions
- Fix matrix variable name bug (versions → node-version)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The simple_sentinel helper has a race condition where it sends kill -TERM
to sentinel processes then immediately tries to rm -rf their directories.
On faster systems or newer Node versions, the rm can fail because the
process hasn't fully exited yet.

Fix by gracefully shutting down Redis/Sentinel processes via redis-cli
and waiting for them to actually exit before calling SentinelHelper.stop().

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

@zendesk-bartoszwasko zendesk-bartoszwasko left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, with one comment.

Comment thread test/connection.test.js
@niall3rs niall3rs force-pushed the ncolfer/dependency-updates-may-2026 branch from 4baf319 to 8b7ff0a Compare May 14, 2026 15:16
@niall3rs niall3rs merged commit c040831 into master May 14, 2026
5 checks passed
@niall3rs niall3rs deleted the ncolfer/dependency-updates-may-2026 branch May 14, 2026 15:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants