fixed vulnerabilities #13
Conversation
Pull request overview
This PR attempts to address security vulnerabilities by updating dependencies and adding security scanning to the CI pipeline. The changes include upgrading several npm packages (axios, js-yaml, validator, tar-fs), adding the glob package as a dependency, upgrading Node.js to version 22 in CI, and introducing npm audit and Trivy container scanning steps.
Key changes:
- Updated multiple npm packages to newer versions (axios 1.11.0→1.13.2, js-yaml 4.1.0→4.1.1, validator 13.15.15→13.15.23, tar-fs 3.1.0→3.1.1)
- Added glob ^10.5.0 as a production dependency and removed dev flags from many packages
- Upgraded Node.js from 18 to 22 in CI workflow and added security scanning steps
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| package.json | Added glob dependency, reordered chalk, bumped Node engine requirement to >=20.0.0 |
| package-lock.json | Updated package versions, removed "dev": true flags from multiple packages, updated Node engine requirement |
| .github/workflows/ci.yaml | Upgraded Node.js to v22, added npm audit and Trivy vulnerability scanning steps |
Critical Issues Found:
- The dotenv version 17.2.1 does not exist (latest is 16.x)
- Version mismatch between package.json (axios 1.11.0) and package-lock.json (axios 1.13.2)
- Many dev dependencies incorrectly moved to production by removing "dev": true flags
- The glob package appears unused and unnecessarily added to production dependencies
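The consistency problems listed in the overview (a declared range that no longer matches the lock root, a locked version the package.json floor still undercuts, dev packages reaching the production install) can be checked mechanically before `npm audit` runs. The script below is an added example, not code from this PR or the project: it takes parsed `package.json` and `package-lock.json` objects (lockfileVersion 2/3 `packages` map) and returns a list of findings. The sample inputs are constructed to mirror the axios case from the review; `some-dev-tool` is a made-up package name, and the semver handling covers only exact, caret and tilde ranges.

```javascript
// Added example (not from the PR under review): lockfile drift check.
// Compares package.json against a package-lock.json "packages" map and
// reports declared-vs-locked inconsistencies of the kinds raised in review.

// Parse "1.13.2" into [1, 13, 2]; tags and prerelease strings are rejected.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Minimal semver subset: exact "x.y.z", caret "^x.y.z", tilde "~x.y.z".
// Returns { lo, hi }; hi is the exclusive upper bound (null for an exact pin).
function rangeBounds(range) {
  const op = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const lo = parseVersion(op ? range.slice(1) : range);
  if (op === '') return { lo, hi: null };
  let hi;
  if (op === '~') hi = [lo[0], lo[1] + 1, 0];      // ~4.1.2  -> <4.2.0
  else if (lo[0] > 0) hi = [lo[0] + 1, 0, 0];      // ^1.11.0 -> <2.0.0
  else if (lo[1] > 0) hi = [0, lo[1] + 1, 0];      // ^0.14.2 -> <0.15.0
  else hi = [0, 0, lo[2] + 1];                     // ^0.0.3  -> <0.0.4
  return { lo, hi };
}

function satisfies(range, version) {
  const { lo, hi } = rangeBounds(range);
  const v = parseVersion(version);
  if (hi === null) return cmp(v, lo) === 0;
  return cmp(v, lo) >= 0 && cmp(v, hi) < 0;
}

// Returns findings as { name, kind, detail }; an empty list means the two files agree.
function checkLockfile(pkg, lock) {
  const findings = [];
  const packages = lock.packages || {};
  const root = packages[''] || {};
  for (const [section, isDev] of [['dependencies', false], ['devDependencies', true]]) {
    for (const [name, range] of Object.entries(pkg[section] || {})) {
      // The lock root mirrors package.json; a differing range means one file was edited alone.
      const rootRange = (root[section] || {})[name];
      if (rootRange !== range) {
        findings.push({ name, kind: 'root-range-mismatch',
          detail: `package.json ${range} vs lock root ${rootRange}` });
      }
      const entry = packages[`node_modules/${name}`];
      if (!entry) { findings.push({ name, kind: 'missing-from-lock', detail: range }); continue; }
      if (!satisfies(range, entry.version)) {
        findings.push({ name, kind: 'range-violation',
          detail: `${range} does not admit ${entry.version}` });
      } else if (cmp(parseVersion(entry.version), rangeBounds(range).lo) > 0) {
        // The declared floor still admits releases older than the locked one, so a
        // security bump made only in the lock has not raised the minimum anyone else sees.
        findings.push({ name, kind: 'floor-below-lock',
          detail: `${range} admits versions older than locked ${entry.version}` });
      }
      // A direct devDependency whose lock entry lost "dev": true ships to production.
      if (isDev && entry.dev !== true) {
        findings.push({ name, kind: 'dev-installed-in-prod', detail: 'lock entry lacks "dev": true' });
      }
    }
  }
  return findings;
}

// Constructed sample inputs modelled on the review; not the repository's real files.
const samplePkg = {
  dependencies: { axios: '^1.11.0', chalk: '^4.1.2', glob: '^10.5.0' },
  devDependencies: { 'some-dev-tool': '^2.0.0' },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { axios: '^1.13.2', chalk: '^4.1.2', glob: '^10.5.0' },
          devDependencies: { 'some-dev-tool': '^2.0.0' } },
    'node_modules/axios': { version: '1.13.2' },
    'node_modules/chalk': { version: '4.1.2' },
    'node_modules/glob': { version: '10.5.0' },
    'node_modules/some-dev-tool': { version: '2.0.0' }, // "dev": true flag was dropped
  },
};

for (const f of checkLockfile(samplePkg, sampleLock)) {
  console.log(`${f.kind}: ${f.name} (${f.detail})`);
}
```

To run it against real files, replace the sample objects with `JSON.parse(fs.readFileSync(...))` of the two files and fail the CI step when the returned list is non-empty; `range-violation` and `root-range-mismatch` are hard failures, while `floor-below-lock` is the signal that a lock-only bump should also be reflected in package.json.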
| "dependencies": { | ||
| "@kubernetes/client-node": "^1.2.0", | ||
| "chalk": "^4.1.2", | ||
| "axios": "^1.11.0", |
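Review bot: the `axios` line in this hunk still declares `^1.11.0` although the summary says the lock now resolves it to 1.13.2; a caret range admits 1.13.2, so `npm ci` will accept the lockfile as-is, but the declared floor still admits the 1.11.x releases the bump was meant to leave behind, so raise package.json to `"axios": "^1.13.2"` so the minimum matches the fix wherever the lock is not used.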
Copilot AI, Dec 16, 2025
The axios package version "^1.11.0" in package.json does not match the version "^1.13.2" in package-lock.json. This mismatch will cause issues during npm install as the versions should be consistent. Update package.json to specify "^1.13.2" to match the locked version.
| "axios": "^1.11.0", | |
| "axios": "^1.13.2", |
package.json (outdated diff)
| "class-transformer": "^0.5.1", | ||
| "class-validator": "^0.14.2", | ||
| "dotenv": "^17.2.1", | ||
| "glob": "^10.5.0", |
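Review bot: the `glob` line at the end of this hunk adds a runtime dependency that, per the summary, nothing in the code imports; if it was added only to force a patched transitive version, put it under `overrides` in package.json instead, so the fix applies without widening the production install, and keep `dependencies` to packages that a `require` or `import` in the source actually uses. Also confirm the `dotenv` range on the line above resolves against the registry, since the overview flags it as non-existent; an unresolvable range fails `npm ci` before the audit and Trivy steps ever run.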
Copilot AI, Dec 16, 2025
The glob package has been added as a production dependency but is not used anywhere in the codebase. It appears to be a transitive dependency that was previously marked as dev-only. Adding it as a production dependency will unnecessarily increase the production bundle size. Unless glob is actually needed for runtime functionality, it should either be removed or moved to devDependencies.
No description provided.