Address all known vulnerabilities #284
Pattern follows the visual-editor / sdk-test-data cleanup: bump direct
deps to latest within their compatible major (or to a known-fixed
major) so audit findings clear transitively. Aimed for zero `resolutions`
in this round; bumping deps was sufficient.
yarn audit: 128 paths → 0 (was 1 Critical / 59 High / 51 Moderate / 17 Low).
No `resolutions` in package.json.
Direct dep bumps:
- @eppo/js-client-sdk-common 4.15.5 → ^5 — drops the uuid runtime dep
entirely (replaced upstream with crypto.randomUUID), clearing the
uuid moderate advisory and most of the deep transitive vulns the
earlier `resolutions` block was working around.
- @microsoft/api-documenter, @microsoft/api-extractor → latest
- @types/jest 29 → 30 (paired with jest 30)
- @typescript-eslint/{eslint-plugin,parser} 5 → 8 (rule renames forced
the lint fixes below)
- jest 29 → 30, jest-environment-jsdom 29 → 30
- lint-staged 15 → 16 (17 needs Node 22, we still target Node 20)
- webpack 5.98 → 5.106 (clears webpack <5.104 SSRF advisory)
- @types/chrome 0.0.313 → 0.0.332 (deliberately stayed in 0.0.x — 0.1.x
introduces a stricter generic in `chrome.storage.StorageArea.get`
that would force a wider refactor)
CI matrix + engines:
- engines.node added: ">=20.0.0" — matches the @eppo/js-client-sdk-common
v5 requirement.
- .github/workflows/lint-test-sdk.yml matrix updated from
[18, 20, 22, 23] → [20, 22, 24]. Node 18 is past EOL and incompatible
with the bumped common dep; Node 23 is non-LTS and explicitly excluded
by jest 30's engine range.
Resolutions: previously the package shipped resolutions for form-data,
js-yaml, @babel/helpers, brace-expansion, diff, flatted, lodash,
minimatch, picomatch, plus scoped schema-utils/ajv and ajv-formats/ajv.
After the dep bumps every one of those transitives now resolves to a
patched version on its own, so the entire `resolutions` block is gone.
Source-code adjustments forced by the dep bumps:
- src/cache/local-storage-assignment-shim.ts: drop the explicit
IterableIterator return-type annotations on the Map<string,string>
shim's iterator methods. TS 5.6+ tightened Map.entries/keys/values
to return MapIterator<T> (a disposable iterator), which
IterableIterator no longer satisfies. Letting TS infer keeps the
implementation valid.
- src/local-storage-engine.ts: unused `catch (e)` parameters → bare
`catch` (typescript-eslint v8's stricter `no-unused-vars`).
- src/sdk-data.ts and src/index.spec.ts: replace deprecated
`@typescript-eslint/no-var-requires` and `@typescript-eslint/ban-types`
disable directives with the v8-equivalents; two `let init: Function`
test fixtures retyped to their actual signatures.
Verification:
- `yarn lint`, `yarn typecheck`, `yarn test:unit` (153 tests),
`yarn webpack` all pass locally.
- `yarn audit` reports 0 vulnerabilities with no `resolutions` block.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
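As an added example (not code from this PR or from the Eppo SDK), here is the kind of audit gate that turns the `yarn audit` verification step above into a CI check: it parses the newline-delimited JSON that `yarn audit --json` (yarn classic) writes, tallies advisories per vulnerable path and per severity, and fails when anything at or above a chosen severity remains. The record shape (`auditAdvisory` / `auditSummary` records with `data.advisory.severity` and `data.resolution.path`) is an assumption about yarn classic's output, and the sample lines, their ids, urls and severities are constructed placeholders, not real advisory data.

```typescript
// Added example (not eppo/js-client-sdk code): a CI gate over `yarn audit --json`.
// Record shape assumed from yarn classic; sample records below are constructed.

export type Severity = "info" | "low" | "moderate" | "high" | "critical";

const SEVERITY_RANK: Record<Severity, number> = {
  info: 0, low: 1, moderate: 2, high: 3, critical: 4,
};

export interface AuditReport {
  paths: number;                          // one auditAdvisory record per vulnerable path
  bySeverity: Record<Severity, number>;   // tally of those records by severity
  modules: string[];                      // distinct module_name values still flagged
}

// Parse the NDJSON stream, skipping blank lines and any non-JSON noise.
export function parseYarnAudit(ndjson: string): AuditReport {
  const bySeverity: Record<Severity, number> = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  const modules = new Set<string>();
  let paths = 0;
  for (const line of ndjson.split("\n")) {
    const trimmed = line.trim();
    if (!trimmed.startsWith("{")) continue;
    let record: any;
    try { record = JSON.parse(trimmed); } catch { continue; } // bare catch: no unused binding
    if (record.type !== "auditAdvisory") continue;
    const severity = record.data?.advisory?.severity as Severity | undefined;
    if (severity === undefined || !(severity in SEVERITY_RANK)) continue;
    paths += 1;
    bySeverity[severity] += 1;
    modules.add(String(record.data.advisory.module_name));
  }
  return { paths, bySeverity, modules: Array.from(modules).sort() };
}

// Gate: pass only when no advisory at or above `threshold` remains.
export function auditPasses(report: AuditReport, threshold: Severity = "low"): boolean {
  return (Object.keys(report.bySeverity) as Severity[])
    .filter((s) => SEVERITY_RANK[s] >= SEVERITY_RANK[threshold])
    .every((s) => report.bySeverity[s] === 0);
}

// Constructed "before" sample: two advisories on placeholder ids/urls/severities.
export const SAMPLE_BEFORE = [
  JSON.stringify({ type: "auditAdvisory", data: {
    resolution: { id: 1, path: "webpack", dev: true },
    advisory: { id: 1, module_name: "webpack", severity: "high",
                title: "placeholder", url: "https://example.invalid/advisory/1" } } }),
  JSON.stringify({ type: "auditAdvisory", data: {
    resolution: { id: 2, path: "@eppo/js-client-sdk-common>uuid", dev: false },
    advisory: { id: 2, module_name: "uuid", severity: "moderate",
                title: "placeholder", url: "https://example.invalid/advisory/2" } } }),
  JSON.stringify({ type: "auditSummary", data: {
    vulnerabilities: { info: 0, low: 0, moderate: 1, high: 1, critical: 0 } } }),
].join("\n");

// Constructed "after" sample: the clean state the commit message reports (0 paths).
export const SAMPLE_AFTER = JSON.stringify({ type: "auditSummary", data: {
  vulnerabilities: { info: 0, low: 0, moderate: 0, high: 0, critical: 0 } } });

// Returns the process exit status a CI step would use: 0 = clean, 1 = findings remain.
export function main(): number {
  const before = parseYarnAudit(SAMPLE_BEFORE);
  const after = parseYarnAudit(SAMPLE_AFTER);
  console.log(`before: ${before.paths} paths`, before.bySeverity, before.modules);
  console.log(`after: ${after.paths} paths`);
  return auditPasses(after) ? 0 : 1;
}
```

In a real pipeline the NDJSON comes from `yarn audit --json` on stdin or a file instead of the constructed samples, and the value of `auditPasses` becomes the step's exit status; the default `low` threshold is the bar that the "0 vulnerabilities, no `resolutions`" claim above corresponds to.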
Pull request overview
This PR updates the SDK’s dependency set and build/test tooling to eliminate known yarn audit vulnerabilities without relying on package.json resolutions, while also raising the supported Node.js baseline to match upstream requirements.
Changes:
- Bumped multiple direct dependencies/devDependencies (notably @eppo/js-client-sdk-common v5, Jest v30, @typescript-eslint/* v8, Webpack v5.x) and removed the previous `resolutions` block.
- Updated runtime/tooling expectations by setting `engines.node >=20` and adjusting the GitHub Actions CI matrix to Node 20/22/24.
- Applied small source/test adjustments required by the tooling upgrades (new eslint disable rule name, bare `catch`, TS Map iterator typing change).
Reviewed changes
Copilot reviewed 7 out of 8 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/sdk-data.ts | Updates eslint suppression to the v8 rule name for require usage. |
| src/local-storage-engine.ts | Replaces unused catch (e) bindings with bare catch blocks. |
| src/index.spec.ts | Updates eslint suppression rule name and improves typing for reloaded-module helpers. |
| src/cache/local-storage-assignment-shim.ts | Removes explicit iterator return annotations to match newer TS MapIterator typing. |
| package.json | Removes vulnerability resolutions, bumps deps, and enforces Node >=20. |
| docs/js-client-sdk.loglevel.md | Regenerates API docs output for LogLevel signature formatting. |
| .github/workflows/lint-test-sdk.yml | Updates CI Node matrix to 20/22/24. |
| "testdouble": "^3.20.2", | ||
| "ts-jest": "^29.1.1", | ||
| "ts-loader": "^9.3.1", | ||
| "ts-jest": "^29", |
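Review bot: the ts-jest range is loosened from ^29.1.1 to ^29 while jest moves to 30, which admits any 29.x release on a fresh install; the reply in this thread cites ts-jest 29.4.x as the line whose peerDependencies declare `^29.0.0 || ^30.0.0` for jest, so consider `"ts-jest": "^29.4.0"` so the declared range itself guarantees a jest-30-compatible transformer rather than relying on the lockfile to pin it.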
The pairing here is intentional and supported, not fragile.
ts-jest hasn't published a 30.x major — only the 29.x line exists. ts-jest 29.4.x explicitly declares jest 30 as a supported peer:
$ npm view ts-jest@29.4.9 peerDependencies.jest
^29.0.0 || ^30.0.0
So ts-jest ^29 IS the jest-30-compatible release. Bumping to ^30 would fail — that version doesn't exist. Reverting jest to 29 would only cost us the Node 24 support that jest 30 added, with no toolchain benefit.
The CI matrix runs lint-test-sdk + typecheck on Node 20/22/24 (all pass on this PR), and jest.config.ts is exercised by all 153 tests under that transformer.
engines.node was raised to >=20.0.0 in this branch (matching the @eppo/js-client-sdk-common v5 floor), which is a breaking change for consumers still on Node 18. Treating that as a SemVer major.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
sameerank left a comment:
Some big changes (dropping Node 18, and major bumps in dependencies, esp. js-client-common). Agreed with the major bump to 4.0.0.
See commit 8979b1d for full per-package detail and verification notes. Summary:

- `yarn audit`: 128 paths → 0 (was 1 Critical / 59 High / 51 Moderate / 17 Low).
- `resolutions` in package.json — the entire previous resolutions block (form-data, js-yaml, @babel/helpers, brace-expansion, diff, flatted, lodash, minimatch, picomatch, schema-utils/ajv, ajv-formats/ajv) was dropped. After the dep bumps every one of those transitives now resolves to a patched version on its own.
- `@eppo/js-client-sdk-common 4.15.5 → ^5` (drops the uuid runtime dep), `@typescript-eslint/* 5 → 8`, `jest 29 → 30` + `jest-environment-jsdom 29 → 30` + `@types/jest 29 → 30`, `lint-staged 15 → 16`, `webpack 5.98 → 5.106`, plus latest patches across `api-extractor`/`api-documenter`. Held `@types/chrome` in the 0.0.x line on purpose — 0.1.x tightens `chrome.storage.StorageArea.get`'s generic in a way that would force a wider refactor.
- `[18, 20, 22, 23] → [20, 22, 24]` and `engines.node` set to `>=20.0.0` to match the @eppo/js-client-sdk-common v5 requirement (Node 18 is past EOL; Node 23 is non-LTS and explicitly excluded by jest 30's engine range).
- `IterableIterator` return-type annotations on the `LocalStorageAssignmentShim`'s iterator methods (TS 5.6+ tightened `Map.entries/keys/values` to return `MapIterator`); replace deprecated `@typescript-eslint/no-var-requires` and `ban-types` disable directives with the v8-equivalents; bare `catch` for unused `catch (e)` parameters.

Test plan

- `yarn lint`, `yarn typecheck`, `yarn test:unit`, `yarn webpack` green on Node 20/22/24
- `yarn audit` reports 0 vulnerabilities with no `resolutions` block

Manual verification

Built a tiny toy browser app that loads the bundled SDK from this branch (`dist/eppo-sdk.js`) and calls `eppo.init(...).getStringAssignment(...)` against an Eppo Sandbox account. Resolved `My-Flag` (with attrs `{accountId, sd:'dsf'}` to hit the 50/50 allocation) and `megan-test-blahh` for 12 distinct subject keys, comparing against the same 12 subjects in a parallel toy node app on `node-server-sdk` PR #124's branch. All 12 subjects produced identical variation assignments across the two SDK branches, distribution 8 treatment / 4 control, assignment-logger fired correctly on both sides.

🤖 Generated with Claude Code
dist/eppo-sdk.js) and callseppo.init(...).getStringAssignment(...)against an Eppo Sandbox account. ResolvedMy-Flag(with attrs{accountId, sd:'dsf'}to hit the 50/50 allocation) andmegan-test-blahhfor 12 distinct subject keys, comparing against the same 12 subjects in a parallel toy node app onnode-server-sdkPR #124's branch. All 12 subjects produced identical variation assignments across the two SDK branches, distribution 8 treatment / 4 control, assignment-logger fired correctly on both sides.🤖 Generated with Claude Code