fix: resolve npm vulns and unbreak nix dev shell#112
Merged
Conversation
fast-uri and tmp had high-severity path traversal advisories; npm update + audit fix clears both. nixpkgs bump dropped the nodePackages set, so typescript-language-server and eslint move to top-level pkgs to keep the dev shell buildable. Includes routine just-update bumps (cli-scanner 1.27, pinned action SHAs, flake.lock).
mateobur
previously approved these changes
Jun 18, 2026
mateobur
left a comment
There was a problem hiding this comment.
Approving. Reviewed the version bump, the regenerated dist/, the nix change, and the dependency churn.
- cli-scanner 1.26.0 to 1.27.0 is consistent across
src/infrastructure/sysdig/SysdigCliScannerConstants.ts,dist/index.js,action.yml, and the README. The only residual 1.26.0 strings are intests/fixtures/vm/sarif-test.json, which is an unrelated commons-compress CVE fix version. dist/index.jsmatches src: the only first-party change is the version constant, and the rest of the churn is a genuine ncc rebuild tracking the undici 7.25.0 to 7.29.7 bump.- The
flake.nixdev shell fix is correct:typescript-language-serverandeslintmove to top-levelbuildInputswith no leftovernodePackages.*references, andflake.lockupdates consistently. - All dependency bumps are minor or patch,
package.jsonuntouched. The four pinned action SHAs are real 40-char pins matching their version comments. - CI all green, which backs the 114/114 tests and 0 vulnerabilities claim.
Thanks!
Track the newest/oldest supported sysdig-cli-scanner versions via just recipes + doc-marker sentinels, replacing the fragile global-sed update. Group justfile recipes and add coreutils/gnused to the nix devshell so the GNU-only date/sed the recipes rely on are guaranteed regardless of host.
_set-version now greps for the marker and edits every file that carries it, so a marker added anywhere is picked up automatically. Skips generated output (dist/build) and the tooling/docs that only mention the marker name in prose.
mateobur
approved these changes
Jul 9, 2026
mateobur
left a comment
There was a problem hiding this comment.
Solid maintenance PR. The action pin bumps are all SHA-pinned, and the oldest/newest scanner version markers plus the AGENTS.md documentation make the version-support workflow clear and consistent across action.yml, README, and dist. Since most of the diff is a regenerated dist bundle from the undici/npm update, please confirm dist/ was produced by a clean npm ci + build against the committed lockfile rather than edited by hand. Also double-check the nix dev-shell fix mentioned in the title landed, since I don't see nix files in the diff here.
airadier
approved these changes
Jul 9, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
fast-uri and tmp had high-severity path traversal advisories;
npm update+npm audit fixclears both (found 0 vulnerabilities).The nixpkgs bump in
just updatedropped thenodePackagesset, breaking the dev shell. Movedtypescript-language-serverandeslintto top-levelpkgsso it builds again. Also addedcoreutilsandgnusedto the devshell: the cli-scanner recipes rely on GNU-onlydate -u -dandsed -i -E, which only worked by accident on hosts that already had GNU tools on PATH; now they are guaranteed for anyone enteringnix develop.Reworked the cli-scanner version tooling to track the 1-year support window instead of a single default.
just update-cli-scanner/just update-oldest-cli-scannersubstitute versions via doc-marker sentinels rather than a fragile global sed, so unrelated version-looking strings are no longer clobbered. Justfile recipes are now grouped and internal helpers marked private.Also rolls in the routine
just updatebumps: cli-scanner 1.26 -> 1.27, pinned action SHAs (pinact), and flake.lock.