Merged
52 changes: 27 additions & 25 deletions package.json
@@ -1,6 +1,6 @@
{
"name": "@eppo/node-server-sdk",
"version": "4.0.0",
"version": "4.0.1",
"description": "Eppo node server SDK",
"main": "dist/index.js",
"files": [
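Review bot: The bump from "version": "4.0.0" to "4.0.1" is a patch release, yet the same package.json moves the only runtime dependency, @eppo/js-client-sdk-common, from 4.15.2 to ^5. Please confirm that the new major of the common package changes nothing consumers of this SDK can observe; if it does, a minor bump with a release note would signal that better than a patch.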
Expand Down Expand Up @@ -29,38 +29,40 @@
},
"homepage": "https://github.com/Eppo-exp/node-server-sdk#readme",
"dependencies": {
"@eppo/js-client-sdk-common": "4.15.2"
"@eppo/js-client-sdk-common": "^5"
},
"devDependencies": {
"@google-cloud/storage": "^7.18.0",
"@microsoft/api-documenter": "^7.28.2",
"@microsoft/api-extractor": "^7.38.0",
"@types/express": "^4.17.13",
"@types/jest": "^29.5.14",
"@typescript-eslint/eslint-plugin": "^5.13.0",
"@typescript-eslint/parser": "^5.13.0",
"eslint": "^8.57.1",
"eslint-config-prettier": "^8.5.0",
"eslint-import-resolver-typescript": "^2.5.0",
"eslint-plugin-import": "^2.25.4",
"eslint-plugin-prettier": "^4.0.0",
"eslint-plugin-promise": "^6.0.0",
"express": "^4.22.1",
"husky": "^6.0.0",
"jest": "^29.7.0",
"lint-staged": "^12.3.5",
"prettier": "^2.2.1",
"testdouble": "^3.16.4",
"ts-jest": "^29.4.6",
"typescript": "^5.4.5"
"@google-cloud/storage": "^7",
Contributor

@sameerank sameerank May 8, 2026

Unless we're intentionally allowing downgrades to older versions (I only see versions going up in the yarn.lock), why are we loosening the lower bounds on these versions, i.e. dropping the minimum minor/patch constraints?

"@microsoft/api-documenter": "^7.30.5",
"@microsoft/api-extractor": "^7.58.7",
"@types/express": "^5",
"@types/jest": "^30",
"@typescript-eslint/eslint-plugin": "^8",
"@typescript-eslint/parser": "^8",
"eslint": "^8",
"eslint-config-prettier": "^10",
"eslint-import-resolver-typescript": "^4",
"eslint-plugin-import": "^2",
"eslint-plugin-prettier": "^5",
"eslint-plugin-promise": "^7",
"express": "^5",
"husky": "^9",
Comment on lines +35 to +49
"jest": "^30",
"lint-staged": "^16",
"prettier": "^3",
"testdouble": "^3",
"ts-jest": "^29",
"typescript": "^5"
},
"engines": {
"node": ">=20.x",
"yarn": "1.x"
},
"packageManager": "yarn@1.22.22+sha512.a6b2f7906b721bba3d67d4aff083df04dad64c399707841b7acf00f6b133b7ac24255f2652fa22ae3534329dc6180534e98d17432037ff6fd140556e2bb3137e",
"resolutions": {
"minimatch": "^3.1.2",
"@types/node": "^20.0.0"
"//@types/node": "Pinned to ^20 to keep the dev type surface aligned with engines.node >=20.x; newer @types/node would let consumer code use APIs that aren't actually available on Node 20",
"@types/node": "^20.0.0",
"//@tootallnate/once": "GHSA-rj4j-rrv4-3xc4 (low). Pulled deeply by @google-cloud/storage → teeny-request → http-proxy-agent. The latest @google-cloud/storage (7.19.x) still ships the unpatched chain and there's no newer release; the chain is dev-only (test fixture downloader)",
"@tootallnate/once": "^3.0.1"
Comment on lines 62 to +66
Contributor Author

From Claude: the published-package concern is unfounded — resolutions is not honored on installed packages. npm and yarn both deliberately ignore the resolutions field of any dependency in node_modules; only the field in the root project's package.json controls dependency resolution. So while these "//<key>" entries do get published into the package's package.json, they never affect a downstream consumer's install graph or behavior. They're essentially dead bytes for anyone who installs @eppo/node-server-sdk.

What's left after that is a developer-experience consideration: yarn does emit one warning per pseudo-comment key during yarn install here (Resolution field "//@types/node" does not end with a valid package name and will be ignored). The trade-off we picked, in line with visual-editor and sdk-test-data's vuln-cleanup PRs, is that having the GHSA reasoning inline next to each resolution is more useful for the next person who has to revisit them than the cost of two install-time warnings. Happy to convert these to comments above the block in a sibling RESOLUTIONS.md if there's a preference for that convention instead.

}
}
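Review bot: The runtime dependency range in "dependencies" is now wider than what this PR tested: "@eppo/js-client-sdk-common" goes from the exact pin 4.15.2 to "^5". Consumers of the SDK do not use this repository's yarn.lock, so every downstream install resolves whichever 5.x release is newest at that moment, including releases published after this change was reviewed. Consider an exact version, or a caret range whose floor is the tested minor and patch, the form the two @microsoft/* entries keep. The devDependencies rewritten to bare majors ("^7", "^30", "^5") are covered by the lockfile for this repository's own installs, but the same floor would keep a regenerated lockfile from resolving below the versions that were tested.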
2 changes: 2 additions & 0 deletions src/index.spec.ts
Expand Up @@ -1331,6 +1331,7 @@ describe('EppoClient E2E test', () => {
jest.resetModules();

// Step 4: Re-import module and initialize with offlineInit using exported config
// eslint-disable-next-line @typescript-eslint/no-require-imports
sdkModule = require('.');
sdkModule.offlineInit({ flagsConfiguration: flagsConfig });
});
Expand Down Expand Up @@ -1391,6 +1392,7 @@ describe('EppoClient E2E test', () => {
jest.resetModules();

// Step 4: Re-import module and initialize with offlineInit using exported configs
// eslint-disable-next-line @typescript-eslint/no-require-imports
sdkModule = require('.');
sdkModule.offlineInit({
flagsConfiguration: flagsConfig,
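Review bot: The per-line disable above sdkModule = require('.') is repeated in both hunks of this spec file with no reason attached. The require is deliberate here because it has to run after jest.resetModules(), so either state that after the directive (ESLint accepts a description following " -- ") or turn @typescript-eslint/no-require-imports off for spec files once in the ESLint config, which avoids adding another directive the next time a test re-imports the module.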
2 changes: 1 addition & 1 deletion src/sdk-data.ts
@@ -1,4 +1,4 @@
// eslint-disable-next-line @typescript-eslint/no-var-requires
// eslint-disable-next-line @typescript-eslint/no-require-imports
const packageJson = require('../package.json');

export const sdkVersion = packageJson.version;
2 changes: 1 addition & 1 deletion src/util/index.ts
Expand Up @@ -12,7 +12,7 @@ export function isReadOnlyFs(directory: string): boolean {
fs.writeFileSync(testFilePath, 'test', { flag: 'w' });
fs.unlinkSync(testFilePath);
return false;
} catch (error) {
} catch {
return true;
}
}
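Review bot: The catch in isReadOnlyFs returns true for every failure, and changing it to "} catch {" drops the only handle for telling those failures apart. A missing directory, a permission error, or an exception from fs.unlinkSync after fs.writeFileSync already succeeded all report the filesystem as read-only, and in the last case the test file is left on disk. Consider keeping the binding and returning true only for error codes that mean the directory is not writable (for example EROFS or EACCES), while logging or rethrowing anything else.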