2.0.0: breaking security bump — Node >=20, thrift 0.23, uuid 11 (0 OSV findings)#390
2.0.0: breaking security bump — Node >=20, thrift 0.23, uuid 11 (0 OSV findings)#390vikrantpuppala wants to merge 9 commits into
Conversation
|
Thanks for your contribution! To satisfy the DCO policy in our contributing guide every commit message must include a sign-off message. One or more of your commits is missing this message. You can reword previous commit messages with an interactive rebase ( |
da4c50c to
439de47
Compare
b5b46b2 to
f4b11d3
Compare
…V findings) Completes the security cleanup that 1.17.0 (#446) could not do without breaking changes. Stacks on the 1.17.0 overrides. Breaking: - engines.node >=14 -> >=20. Node 14/16/18 dropped (all past upstream EOL; 18 EOL 2025-04). >=20 is also the floor for the patched serialize-javascript (dev) and clears the kernel backend's own Node 18 requirement. - thrift ^0.16.0 -> ^0.23.0 (clears GHSA-r67j-r569-jrwp HIGH + GHSA-526f-jxpj-jmg2) - uuid ^9.0.0 -> ^11.1.1 (clears GHSA-w5hq-g745-h8pq HIGH 7.5); overrides pin thrift's transitive uuid at 11 (uuid 13 is ESM-only, breaks require()). Supporting: - typescript pinned 5.5.4 (uuid@11's .d.ts uses `export type` -> needs TS 5+; <5.6 to avoid @types/node Buffer-generic emit changing published .d.ts). - serialize-javascript override ^7.0.5 (needs Node >=20; now satisfied). - @types/node-fetch ^2.6.13. - OAuth.ts stub: cast Symbol.asyncDispose through any (ES2018 target predates the symbol; runtime Node 20+ provides it). - CI matrix -> [20, 22, 24]; e2e expanded to matrix; setup-jfrog lockfile URL rewrite (carried from the prior PR). Verified locally under Node 20: build clean, eslint clean, 1249 unit tests passing, osv-scanner v2.3.8 = No issues found. Closes #370 Co-authored-by: Isaac Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>
8d81b92 to
b2aa909
Compare
|
Heads-up — I force-updated this branch to a clean rebuild (re-review needed). What changed since the last approval:
This PR is stacked on #446 — please merge #446 first; this then merges cleanly. Verified locally on Node 20: build + eslint clean, 1249 unit tests passing, osv-scanner reports no issues. |
Co-authored-by: Isaac Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>
|
Thanks for your contribution! To satisfy the DCO policy in our contributing guide every commit message must include a sign-off message. One or more of your commits is missing this message. You can reword previous commit messages with an interactive rebase ( |
…ime-and-dev Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com> # Conflicts: # CHANGELOG.md # package-lock.json # package.json
401b17e to
7635c4c
Compare
…trix Two related changes for the widened 2.0.0 CI matrix [20, 22, 24, 26]: 1. Node >= 22.6 enables --experimental-strip-types, which on Node 24+ is the default loader for .ts and intercepts before ts-node. Its strip-only mode can't handle TypeScript features that emit code (constructor parameter properties), throwing "parameter property is not supported in strip-only mode" — even on files ts-node compiles fine. Both mocharc files now force `require: ts-node/register` and `node-option: [no-experimental-strip-types]` so ts-node owns .ts compilation on every supported Node. Verified locally: unit specs using parameter properties pass under Node 24. 2. Add Node 26 (current) to the unit + e2e matrices alongside the 20/22/24 LTS+active lines, for forward-compat coverage. Note: main previously only tested [14,16,18,20], so Node 22/24/26 were never exercised — this surfaced the strip-types issue as a latent, not a regression. Co-authored-by: Isaac Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>
… Node 24+ The previous commit added `node-option: [no-experimental-strip-types]`, but that flag doesn't exist before Node 22.6 — it's a "bad option" on Node 20, crashing the test process at startup and breaking a version that previously passed. `require: ts-node/register` alone is sufficient and version-agnostic: it registers ts-node's CommonJS require-hook so `.ts` resolves through ts-node on every supported Node, bypassing Node 24+'s built-in ESM strip-types path (whose strip-only mode rejects TS parameter properties). Verified locally: 34-test OAuth spec (uses parameter properties) passes on both Node 20 and Node 24 with require-only. Co-authored-by: Isaac Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>
…t() path require:ts-node/register alone was insufficient: mocha loads some specs (e.g. tests/unit/kernel/execution.test.ts) via import() (ESM), not require (CJS). On Node 24+ those ESM-loaded .ts files are grabbed by Node's built-in --experimental-strip-types, whose strip-only mode rejects TS parameter properties. Adding `loader: ts-node/esm` covers the import() path; the existing `require: ts-node/register` covers the require() path. Verified locally on BOTH Node 20 and Node 24: the kernel spec (ESM-loaded, uses parameter properties) and the OAuth spec (CJS-loaded) both pass — 102 passing on each. No version-specific node flags (which would crash Node < 22.6). Co-authored-by: Isaac Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>
Summary
Breaking security release (2.0.0) — completes the vulnerability cleanup, taking the lockfile to 0 OSV-Scanner findings. This stacks on the non-breaking #446 (1.17.0), which ships first and clears the criticals without breaking changes.
Breaking changes
engines.node>=14→>=20>=20is also the floor for the patchedserialize-javascript(dev) and clears the kernel backend's Node 18 requirement.thrift^0.16.0→^0.23.0uuid^9.0.0→^11.1.1dist/stillrequire('uuid')unchanged. Anoverridespin holds thrift's transitive uuid at 11 (uuid 13 is ESM-only → would breakrequire()).Supporting changes
typescriptpinned to exact 5.5.4 — uuid@11's.d.tsusesexport type(needs TS 5+);<5.6avoids@types/nodeBuffer-generic emit changing our published.d.ts.serialize-javascriptoverride^7.0.5(its only patched line requires Node ≥20 — now satisfied by the floor bump).@types/node-fetch^2.6.13.OAuth.tstest stub: castSymbol.asyncDisposethroughany(ES2018 target predates the symbol; Node 20+ runtime provides it).[20, 22, 24]; e2e expanded to a matrix;setup-jfrogrewrites lockfileresolved:URLs to the JFrog mirror so protected runners cannpm ci.Net security result
OSV-Scanner v2.3.8 against the regenerated lockfile: No issues found (0 CRITICAL / 0 HIGH / 0 MED / 0 LOW).
Verification (local, Node 20)
npm run buildclean (TS 5.5.4)eslintcleanosv-scanner= No issues found[20, 22, 24]matrix (pending 1.17.0: clear CRITICAL + transitive OSV findings via overrides (non-breaking) #446 merge for a clean base)Closes #370
This pull request was AI-assisted by Isaac.