Skip to content

MLE-22656 : Provide fix for BlackDuck vulnerabilities in Node Client.#934

Merged
anu3990 merged 1 commit intomarklogic:developfrom
anu3990:for-3.6.0
Jun 25, 2025
Merged

MLE-22656 : Provide fix for BlackDuck vulnerabilities in Node Client.#934
anu3990 merged 1 commit intomarklogic:developfrom
anu3990:for-3.6.0

Conversation

@anu3990
Copy link
Copy Markdown
Contributor

@anu3990 anu3990 commented Jun 24, 2025

This commit includes fixes for -

  • Inflight Vulnerable to Denial-of-Service (DoS) via Memory Leak
  • 'brace-expansion' Package Vulnerable to Regular Expression Denial-of-Service (ReDoS)
  • GHSA-8cj5-5rvv-wf4v

Copilot AI reviewed Jun 24, 2025
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR addresses BlackDuck-reported vulnerabilities in the Node client by updating dependency versions and adding overrides for known issues.

  • Upgrades bunyan to v2.0.5
  • Adds overrides entries for brace-expansion, glob, and tar-fs
Comments suppressed due to low confidence (2)

package.json:56

  • Upgrading from bunyan v1.x to v2.x is a major version bump that may include breaking changes. Please ensure existing logging behavior is covered by tests and update any initialization calls if needed.
    "bunyan": "2.0.5",

package.json:80

  • The PR description mentions an inflight memory-leak vulnerability, but there's no override for inflight. Consider adding an override to a patched version of inflight to fully address that issue.
    "brace-expansion": "2.0.2",

package.json
"overrides": {
"braces": "3.0.3",
"brace-expansion": "2.0.2",
"cross-spawn":"7.0.6",

This comment was marked as off-topic.

Sign in to view

@anu3990
MLE-22656 : Provide fix for BlackDuck vulnerabilities in Node Client.
0ed6a31 
This commit includes fixes for -
- Inflight Vulnerable to Denial-of-Service (DoS) via Memory Leak
- 'brace-expansion' Package Vulnerable to Regular Expression Denial-of-Service (ReDoS)
-  GHSA-8cj5-5rvv-wf4v
@anu3990 anu3990 requested a review from stevebio June 25, 2025 16:14
stevebio
stevebio approved these changes Jun 25, 2025
View reviewed changes
Copy link
Copy Markdown
Collaborator

@stevebio stevebio left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, blackduck suggestions.

@anu3990 anu3990 merged commit ba8ac14 into marklogic:develop Jun 25, 2025
1 of 2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@stevebio stevebio stevebio approved these changes

@rjrudin rjrudin Awaiting requested review from rjrudin rjrudin is a code owner

@BillFarber BillFarber Awaiting requested review from BillFarber BillFarber is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@anu3990 @stevebio