Skip to content

fix: resolve npm vulns and unbreak nix dev shell#112

Merged
tembleking merged 3 commits into
masterfrom
fix-vulns
Jul 9, 2026
Merged

fix: resolve npm vulns and unbreak nix dev shell#112
tembleking merged 3 commits into
masterfrom
fix-vulns

Conversation

@tembleking

@tembleking tembleking commented Jun 9, 2026

Copy link
Copy Markdown
Member

fast-uri and tmp had high-severity path traversal advisories; npm update + npm audit fix clears both (found 0 vulnerabilities).

The nixpkgs bump in just update dropped the nodePackages set, breaking the dev shell. Moved typescript-language-server and eslint to top-level pkgs so it builds again. Also added coreutils and gnused to the devshell: the cli-scanner recipes rely on GNU-only date -u -d and sed -i -E, which only worked by accident on hosts that already had GNU tools on PATH; now they are guaranteed for anyone entering nix develop.

Reworked the cli-scanner version tooling to track the 1-year support window instead of a single default. just update-cli-scanner / just update-oldest-cli-scanner substitute versions via doc-marker sentinels rather than a fragile global sed, so unrelated version-looking strings are no longer clobbered. Justfile recipes are now grouped and internal helpers marked private.

Also rolls in the routine just update bumps: cli-scanner 1.26 -> 1.27, pinned action SHAs (pinact), and flake.lock.

fast-uri and tmp had high-severity path traversal advisories; npm update
+ audit fix clears both. nixpkgs bump dropped the nodePackages set, so
typescript-language-server and eslint move to top-level pkgs to keep the
dev shell buildable. Includes routine just-update bumps (cli-scanner 1.27,
pinned action SHAs, flake.lock).
@tembleking tembleking requested a review from a team as a code owner June 9, 2026 12:36
mateobur
mateobur previously approved these changes Jun 18, 2026

@mateobur mateobur left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approving. Reviewed the version bump, the regenerated dist/, the nix change, and the dependency churn.

  • cli-scanner 1.26.0 to 1.27.0 is consistent across src/infrastructure/sysdig/SysdigCliScannerConstants.ts, dist/index.js, action.yml, and the README. The only residual 1.26.0 strings are in tests/fixtures/vm/sarif-test.json, which is an unrelated commons-compress CVE fix version.
  • dist/index.js matches src: the only first-party change is the version constant, and the rest of the churn is a genuine ncc rebuild tracking the undici 7.25.0 to 7.29.7 bump.
  • The flake.nix dev shell fix is correct: typescript-language-server and eslint move to top-level buildInputs with no leftover nodePackages.* references, and flake.lock updates consistently.
  • All dependency bumps are minor or patch, package.json untouched. The four pinned action SHAs are real 40-char pins matching their version comments.
  • CI all green, which backs the 114/114 tests and 0 vulnerabilities claim.

Thanks!

Track the newest/oldest supported sysdig-cli-scanner versions via
just recipes + doc-marker sentinels, replacing the fragile global-sed
update. Group justfile recipes and add coreutils/gnused to the nix
devshell so the GNU-only date/sed the recipes rely on are guaranteed
regardless of host.
_set-version now greps for the marker and edits every file that carries
it, so a marker added anywhere is picked up automatically. Skips
generated output (dist/build) and the tooling/docs that only mention the
marker name in prose.

@mateobur mateobur left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Solid maintenance PR. The action pin bumps are all SHA-pinned, and the oldest/newest scanner version markers plus the AGENTS.md documentation make the version-support workflow clear and consistent across action.yml, README, and dist. Since most of the diff is a regenerated dist bundle from the undici/npm update, please confirm dist/ was produced by a clean npm ci + build against the committed lockfile rather than edited by hand. Also double-check the nix dev-shell fix mentioned in the title landed, since I don't see nix files in the diff here.

@tembleking tembleking merged commit 4f06a3c into master Jul 9, 2026
43 checks passed
@tembleking tembleking deleted the fix-vulns branch July 9, 2026 09:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants