Skip to content

2.0.0: breaking security bump — Node >=20, thrift 0.23, uuid 11 (0 OSV findings)#390

Open
vikrantpuppala wants to merge 9 commits into
mainfrom
vp/security-bump-runtime-and-dev
Open

2.0.0: breaking security bump — Node >=20, thrift 0.23, uuid 11 (0 OSV findings)#390
vikrantpuppala wants to merge 9 commits into
mainfrom
vp/security-bump-runtime-and-dev

Conversation

@vikrantpuppala

@vikrantpuppala vikrantpuppala commented May 21, 2026

Copy link
Copy Markdown
Collaborator

Summary

Breaking security release (2.0.0) — completes the vulnerability cleanup, taking the lockfile to 0 OSV-Scanner findings. This stacks on the non-breaking #446 (1.17.0), which ships first and clears the criticals without breaking changes.

⚠️ Stacked on #446 — this branch is built on top of 1.17.0. Merge #446 first; this PR then merges cleanly onto main. (Until #446 merges, this shows as conflicting against bare main.)

Breaking changes

Change From → To Why
engines.node >=14>=20 Node 14/16/18 dropped — all past upstream EOL (18 EOL'd 2025-04). >=20 is also the floor for the patched serialize-javascript (dev) and clears the kernel backend's Node 18 requirement.
thrift ^0.16.0^0.23.0 Clears GHSA-r67j-r569-jrwp (HIGH) + GHSA-526f-jxpj-jmg2. Direct runtime dep; fix is a major bump.
uuid ^9.0.0^11.1.1 Clears GHSA-w5hq-g745-h8pq (HIGH 7.5). uuid 11 dual-publishes ESM+CJS; the driver's CJS dist/ still require('uuid') unchanged. An overrides pin holds thrift's transitive uuid at 11 (uuid 13 is ESM-only → would break require()).

Supporting changes

  • typescript pinned to exact 5.5.4 — uuid@11's .d.ts uses export type (needs TS 5+); <5.6 avoids @types/node Buffer-generic emit changing our published .d.ts.
  • serialize-javascript override ^7.0.5 (its only patched line requires Node ≥20 — now satisfied by the floor bump).
  • @types/node-fetch ^2.6.13.
  • OAuth.ts test stub: cast Symbol.asyncDispose through any (ES2018 target predates the symbol; Node 20+ runtime provides it).
  • CI matrix → [20, 22, 24]; e2e expanded to a matrix; setup-jfrog rewrites lockfile resolved: URLs to the JFrog mirror so protected runners can npm ci.

Net security result

OSV-Scanner v2.3.8 against the regenerated lockfile: No issues found (0 CRITICAL / 0 HIGH / 0 MED / 0 LOW).

Verification (local, Node 20)

Closes #370

This pull request was AI-assisted by Isaac.

@github-actions

Copy link
Copy Markdown

Thanks for your contribution! To satisfy the DCO policy in our contributing guide every commit message must include a sign-off message. One or more of your commits is missing this message. You can reword previous commit messages with an interactive rebase (git rebase -i main).

@vikrantpuppala vikrantpuppala force-pushed the vp/security-bump-runtime-and-dev branch from da4c50c to 439de47 Compare May 29, 2026 06:21
@vikrantpuppala vikrantpuppala force-pushed the vp/security-bump-runtime-and-dev branch from b5b46b2 to f4b11d3 Compare May 29, 2026 10:18
…V findings)

Completes the security cleanup that 1.17.0 (#446) could not do without
breaking changes. Stacks on the 1.17.0 overrides.

Breaking:
- engines.node >=14 -> >=20. Node 14/16/18 dropped (all past upstream EOL;
  18 EOL 2025-04). >=20 is also the floor for the patched serialize-javascript
  (dev) and clears the kernel backend's own Node 18 requirement.
- thrift ^0.16.0 -> ^0.23.0 (clears GHSA-r67j-r569-jrwp HIGH + GHSA-526f-jxpj-jmg2)
- uuid ^9.0.0 -> ^11.1.1 (clears GHSA-w5hq-g745-h8pq HIGH 7.5); overrides pin
  thrift's transitive uuid at 11 (uuid 13 is ESM-only, breaks require()).

Supporting:
- typescript pinned 5.5.4 (uuid@11's .d.ts uses `export type` -> needs TS 5+;
  <5.6 to avoid @types/node Buffer-generic emit changing published .d.ts).
- serialize-javascript override ^7.0.5 (needs Node >=20; now satisfied).
- @types/node-fetch ^2.6.13.
- OAuth.ts stub: cast Symbol.asyncDispose through any (ES2018 target predates
  the symbol; runtime Node 20+ provides it).
- CI matrix -> [20, 22, 24]; e2e expanded to matrix; setup-jfrog lockfile
  URL rewrite (carried from the prior PR).

Verified locally under Node 20: build clean, eslint clean, 1249 unit tests
passing, osv-scanner v2.3.8 = No issues found.

Closes #370

Co-authored-by: Isaac
Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>
@vikrantpuppala vikrantpuppala force-pushed the vp/security-bump-runtime-and-dev branch from 8d81b92 to b2aa909 Compare July 13, 2026 09:56
@vikrantpuppala vikrantpuppala changed the title Clear all OSV-Scanner findings (2 CRITICAL + HIGH/MED/LOW) via dep bumps + overrides; drop Node <18 2.0.0: breaking security bump — Node >=20, thrift 0.23, uuid 11 (0 OSV findings) Jul 13, 2026
@vikrantpuppala

Copy link
Copy Markdown
Collaborator Author

Heads-up — I force-updated this branch to a clean rebuild (re-review needed).

What changed since the last approval:

This PR is stacked on #446 — please merge #446 first; this then merges cleanly. Verified locally on Node 20: build + eslint clean, 1249 unit tests passing, osv-scanner reports no issues.

Co-authored-by: Isaac
Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>
@github-actions

Copy link
Copy Markdown

Thanks for your contribution! To satisfy the DCO policy in our contributing guide every commit message must include a sign-off message. One or more of your commits is missing this message. You can reword previous commit messages with an interactive rebase (git rebase -i main).

…ime-and-dev

Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>

# Conflicts:
#	CHANGELOG.md
#	package-lock.json
#	package.json
…trix

Two related changes for the widened 2.0.0 CI matrix [20, 22, 24, 26]:

1. Node >= 22.6 enables --experimental-strip-types, which on Node 24+ is the
   default loader for .ts and intercepts before ts-node. Its strip-only mode
   can't handle TypeScript features that emit code (constructor parameter
   properties), throwing "parameter property is not supported in strip-only
   mode" — even on files ts-node compiles fine. Both mocharc files now force
   `require: ts-node/register` and `node-option: [no-experimental-strip-types]`
   so ts-node owns .ts compilation on every supported Node. Verified locally:
   unit specs using parameter properties pass under Node 24.

2. Add Node 26 (current) to the unit + e2e matrices alongside the 20/22/24
   LTS+active lines, for forward-compat coverage.

Note: main previously only tested [14,16,18,20], so Node 22/24/26 were never
exercised — this surfaced the strip-types issue as a latent, not a regression.

Co-authored-by: Isaac
Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>
… Node 24+

The previous commit added `node-option: [no-experimental-strip-types]`,
but that flag doesn't exist before Node 22.6 — it's a "bad option" on
Node 20, crashing the test process at startup and breaking a version that
previously passed.

`require: ts-node/register` alone is sufficient and version-agnostic: it
registers ts-node's CommonJS require-hook so `.ts` resolves through ts-node
on every supported Node, bypassing Node 24+'s built-in ESM strip-types path
(whose strip-only mode rejects TS parameter properties). Verified locally:
34-test OAuth spec (uses parameter properties) passes on both Node 20 and
Node 24 with require-only.

Co-authored-by: Isaac
Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>
…t() path

require:ts-node/register alone was insufficient: mocha loads some specs
(e.g. tests/unit/kernel/execution.test.ts) via import() (ESM), not require
(CJS). On Node 24+ those ESM-loaded .ts files are grabbed by Node's built-in
--experimental-strip-types, whose strip-only mode rejects TS parameter
properties. Adding `loader: ts-node/esm` covers the import() path; the
existing `require: ts-node/register` covers the require() path.

Verified locally on BOTH Node 20 and Node 24: the kernel spec (ESM-loaded,
uses parameter properties) and the OAuth spec (CJS-loaded) both pass —
102 passing on each. No version-specific node flags (which would crash
Node < 22.6).

Co-authored-by: Isaac
Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Bump thrift dependency past GHSA-r67j-r569-jrwp

2 participants