chore: update @devrev/ts-adaas to 1.19.10 and fix package vulnerabilities #90

Merged: radovanjorgic merged 1 commit into main from update-ts-adaas-1.19.10, Jul 2, 2026

Conversation

@radovanjorgic

Contributor

Related issue: https://app.devrev.ai/devrev/issue/ASCPT-41

Summary

Bumps @devrev/ts-adaas in code/ from 1.19.7 → 1.19.10 (latest) and clears the package vulnerabilities that were fixable within existing semver ranges.

No migration guides existed in the intermediate releases (1.19.8–1.19.10) — all feature adds and dependency bumps.

Vulnerability fixes

Regenerating the lockfile pulled two transitive deps up to their patched versions (no overrides needed — the highest version satisfying each parent's range is already the fixed one):

| Package | Before | After | Snyk finding |
| --- | --- | --- | --- |
| form-data | 4.0.5 | 4.0.6 | CRLF Injection (Medium), via axios |
| protobufjs | 7.6.2 | 7.6.4 | Improper Check for Exceptional Conditions (Medium), via @devrev/typescript-sdk |

Snyk result: 5 issues / 19 paths → 3 issues / 13 paths.

Remaining findings (dev-only, not fixable today)

None of these ship in the deployed connector runtime — all are devDependencies (jest/eslint/nodemon tooling):

  • brace-expansion 5.0.6 (High) — fix 5.0.7 is not yet published to npm (latest is still 5.0.6); nothing to upgrade to.
  • inflight 1.0.6 (Medium) — abandoned package, no patched version exists.
  • js-yaml 3.14.2 (Medium) — fix requires 4.x, blocked by parent @istanbuljs/load-nyc-config's ^3.13.1 pin; only reachable via an override (deliberately not added).

Verification

  • npx tsc --noEmit
  • npm run lint
  • npm run build

🤖 Generated with Claude Code

…ties

Bump @devrev/ts-adaas 1.19.7 -> 1.19.10 (latest). No migration guides in
the intermediate releases (1.19.8-1.19.10) — all feature adds and dep bumps.

Regenerating the lockfile resolves two Snyk findings to their patched
versions within existing semver ranges (no overrides needed):
- form-data 4.0.5 -> 4.0.6 (CRLF Injection, via axios)
- protobufjs 7.6.2 -> 7.6.4 (Improper Check for Exceptional Conditions,
  via @devrev/typescript-sdk)

Verified: tsc --noEmit, lint, and build all pass.

Remaining Snyk findings are dev-only and not fixable cleanly today:
- brace-expansion 5.0.6 (High): fix 5.0.7 not yet published to npm
- inflight 1.0.6 (Medium): abandoned, no patched version exists
- js-yaml 3.14.2 (Medium): fix requires 4.x, blocked by parent's ^3.13.1 pin

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@radovanjorgic radovanjorgic merged commit 1b9f529 into main Jul 2, 2026
4 checks passed
@radovanjorgic radovanjorgic deleted the update-ts-adaas-1.19.10 branch July 2, 2026 10:21
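
A check that could run in CI after a lockfile regeneration like this one, as an added example that is not part of the PR or the project's code: it confirms that every installed copy of the two patched packages meets the fixed version and that the three remaining findings carry npm's `dev: true` lockfile flag. The lockfile content and the `auditLock`, `copiesOf` and `cmp` names are constructed for illustration; the package names and versions come from the PR text.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2/3 "packages" map).
// EXPECTED is taken from the PR text; SAMPLE_LOCK is constructed for illustration.
const EXPECTED = {
  patched: { "form-data": "4.0.6", protobufjs: "7.6.4" }, // minimum fixed versions
  devOnly: ["brace-expansion", "inflight", "js-yaml"],   // must not reach the runtime tree
};

const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "constructed-connector" },
    "node_modules/form-data": { version: "4.0.6" },
    "node_modules/protobufjs": { version: "7.6.4" },
    "node_modules/brace-expansion": { version: "5.0.6", dev: true },
    "node_modules/inflight": { version: "1.0.6", dev: true },
    "node_modules/@istanbuljs/load-nyc-config/node_modules/js-yaml": { version: "3.14.2", dev: true },
  },
};

// Compare plain x.y.z versions (no prerelease tags); returns <0, 0 or >0.
function cmp(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Every installed copy of `name`, including copies nested under a parent package.
function copiesOf(lock, name) {
  const suffix = "node_modules/" + name;
  return Object.entries(lock.packages)
    .filter(([path]) => path === suffix || path.endsWith("/" + suffix))
    .map(([path, meta]) => ({ path, version: meta.version, dev: meta.dev === true }));
}

// Returns a list of problems; an empty list means the lockfile matches the PR's claims.
function auditLock(lock, expected = EXPECTED) {
  const problems = [];
  for (const [name, min] of Object.entries(expected.patched)) {
    const copies = copiesOf(lock, name);
    if (copies.length === 0) problems.push(`${name}: not found in lockfile`);
    for (const c of copies)
      if (cmp(c.version, min) < 0) problems.push(`${c.path}: ${c.version} < ${min}`);
  }
  for (const name of expected.devOnly)
    for (const c of copiesOf(lock, name))
      if (!c.dev) problems.push(`${c.path}: ${c.version} is in the runtime tree`);
  return problems;
}

console.log(auditLock(SAMPLE_LOCK));
```

npm omits the `dev` flag on any package that is also reachable from a runtime dependency, so a missing flag on one of the three packages means the "dev-only" assessment no longer holds.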