@tmoody tmoody commented Dec 21, 2025

Issue

House-keeping

Changes are required to:

  1. prevent npm pre/post script execution
  2. reduce the incidence of CRLF end-of-line characters in changes pushed from Windows clients.

./api

  1. Newer versions of @sasjs/core and @sasjs/utils dependencies have been released.

  2. npm audit failure caused by jsonwebtoken@9.0.2:

$ npm audit --omit=dev
# npm audit report

jws  <3.2.3
jws  <3.2.3
Severity: high
auth0/node-jws Improperly Verifies HMAC Signature - https://github.com/advisories/GHSA-869p-cjfg-cm3x
fix available via `npm audit fix`
node_modules/jws

1 high severity vulnerability

To address all issues, run:
  npm audit fix

./web

  1. For the web package, npm audit raises issues with the following production dependencies:

$ npm audit --omit=dev
# npm audit report

@babel/runtime  <7.26.10
Severity: moderate
Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups - https://github.com/advisories/GHSA-968p-4wvh-cqc8
fix available via `npm audit fix`
node_modules/@babel/runtime

@babel/runtime-corejs3  <7.26.10
Severity: moderate
Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups - https://github.com/advisories/GHSA-968p-4wvh-cqc8

Intent

  1. Impose an npm directive to prevent the automatic execution of pre/post scripts.
  2. Add a git directive to checkout files with lf end-of-line characters.
  3. Bump @sasjs component versions.
  4. Bump jsonwebtoken version.
  5. Let npm audit automatically manage dependency updates.

Implementation

  1. New file .npmrc in the root folder contains ignore-scripts=true. The api sub-folder package.json actions previously assigned to prebuild and postbuild npm scripts are incorporated into its build script.
  2. New file .gitattributes in the root folder contains * text=auto eol=lf.
  3. ./api/package.json edited for the packages/versions above. npm i to update the package-lock.json.
  4. See (3).
  5. npm audit updated the ./web/package-lock.json file.

Checks

  • Code is formatted correctly (npm run lint:fix).
  • Any new functionality has been unit tested.
  • All unit tests are passing (npm test).
  • All CI checks are green.
  • Reviewer is assigned.
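
The configuration changes in the Implementation list above are easy to verify mechanically. The following script is an added example, not code from this PR or from the sasjs/server repository: it parses the repo-level `.npmrc` and `.gitattributes` and the `scripts` block of a `package.json`, reports which lifecycle hooks npm would run on its own, and flags that once `ignore-scripts=true` is set, any remaining `pre*`/`post*` scripts are dead config (npm still runs the script you name with `npm run`, but never its pre/post pair, which is why prebuild/postbuild had to be folded into `build`). Function names (`auditRepo`, `parseNpmrc`, `lifecycleHooks`, `gitattributesForcesLf`) and the sample inputs are constructed for this example.

```javascript
// Added example: a small repo-hygiene check for the settings introduced in this PR.
// Not part of the sasjs/server code base; names and sample inputs are constructed here.

// Lifecycle scripts npm runs automatically during `npm install` of the project itself
// (per npm's scripts documentation). Any other `pre<x>`/`post<x>` pair runs around `npm run <x>`.
const INSTALL_HOOKS = new Set([
  'preinstall', 'install', 'postinstall',
  'preprepare', 'prepare', 'postprepare', 'prepublish',
]);

// Minimal .npmrc parser: key=value lines, '#' or ';' comments (assumption: no sections/expansion).
function parseNpmrc(text) {
  const config = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    config[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return config;
}

function scriptsIgnored(npmrcText) {
  return parseNpmrc(npmrcText)['ignore-scripts'] === 'true';
}

// List every script that npm could run without the user naming it explicitly.
function lifecycleHooks(packageJsonText) {
  const scripts = JSON.parse(packageJsonText).scripts || {};
  const names = Object.keys(scripts);
  const hooks = [];
  for (const name of names) {
    if (INSTALL_HOOKS.has(name)) {
      hooks.push({ name, kind: 'install-time' });
      continue;
    }
    const m = /^(pre|post)(.+)$/.exec(name);
    if (m && names.includes(m[2])) hooks.push({ name, kind: `wraps "npm run ${m[2]}"` });
  }
  return hooks;
}

// True when a `* text=auto eol=lf` rule is present, i.e. checkouts normalise to LF.
function gitattributesForcesLf(text) {
  return text.split(/\r?\n/).some((line) => {
    const parts = line.trim().split(/\s+/);
    return parts[0] === '*' && parts.includes('text=auto') && parts.includes('eol=lf');
  });
}

function auditRepo({ npmrc, gitattributes, packageJson }) {
  const ignored = scriptsIgnored(npmrc);
  const hooks = lifecycleHooks(packageJson);
  return {
    ignoreScripts: ignored,
    eolLf: gitattributesForcesLf(gitattributes),
    hooks,
    // With ignore-scripts=true npm skips all lifecycle hooks, including the pre/post
    // of scripts invoked via `npm run`, so any still declared will silently never run.
    unreachableHooks: ignored ? hooks.map((h) => h.name) : [],
  };
}

// Constructed sample inputs: the shape of the tree before and after a change like this PR's.
const before = {
  npmrc: '',
  gitattributes: '',
  packageJson: JSON.stringify({
    scripts: {
      prebuild: 'rimraf build',
      build: 'tsc',
      postbuild: 'cp -r public build',
      postinstall: 'node setup.js',
    },
  }),
};
const after = {
  npmrc: 'ignore-scripts=true\n',
  gitattributes: '* text=auto eol=lf\n',
  packageJson: JSON.stringify({
    scripts: { build: 'rimraf build && tsc && cp -r public build' },
  }),
};

console.log('before:', JSON.stringify(auditRepo(before), null, 2));
console.log('after: ', JSON.stringify(auditRepo(after), null, 2));
```

Running it prints three automatically runnable hooks for the "before" tree (including an install-time `postinstall`) and none for the "after" tree; feeding the "before" `package.json` together with the new `.npmrc` shows all three hooks listed as unreachable, which is the situation the PR avoids by moving the prebuild/postbuild commands into `build`.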

@tmoody tmoody requested a review from allanbowe December 21, 2025 01:11
@tmoody tmoody self-assigned this Dec 21, 2025
@tmoody tmoody merged commit a56c0b0 into main Dec 21, 2025
3 checks passed
@tmoody tmoody deleted the depBumps_20251221 branch December 21, 2025 01:24
@github-actions

🎉 This PR is included in version 0.39.4 🎉

The release is available on:

Your semantic-release bot 📦🚀
