chore: update deps, fix security vulns, upgrade deprecated CI actions#171
Merged
chore: update deps, fix security vulns, upgrade deprecated CI actions#171
Conversation
…d CI actions - Update 8 outdated dependencies (vitest 4.1, eslint-plugin 8.57, etc.) - Fix 3 high-severity npm audit vulns by overriding tar→7.5.11, underscore→1.13.8 - Clear audit-ci allowlist (no longer needed with fixed overrides) - Upgrade github/codeql-action from v3→v4 (deprecated Dec 2026) - Upgrade docker/login-action from v3→v4 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Reviewer's guide (collapsed on small PRs)Reviewer's GuideUpdates security-related dependencies and CI workflows: bumps vulnerable tar and adds underscore overrides, updates markdownlint-cli and other dev deps, clears the npm audit allowlist, and upgrades GitHub CodeQL and Docker login actions to their latest major versions in CI pipelines. Flow diagram for npm audit with updated overrides and cleared allowlistflowchart TD
A[Start] --> B[Install dependencies via npm ci]
B --> C[npm audit runs in CI]
C --> D[Apply overrides in package json]
D --> D1[tar resolved to 7_5_11]
D --> D2[underscore resolved to 1_13_8]
D1 --> E[Recalculate dependency tree]
D2 --> E
E --> F[Known vulnerabilities rechecked]
F --> G[audit_ci json allowlist cleared]
G --> H[npm audit reports 0 vulnerabilities]
H --> I[Security validation tests run]
I --> J[End]
File-Level Changes
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
![sourcery-ai[bot]](https://avatars.githubusercontent.com/in/48477?s=60&v=4){kind=small}
There was a problem hiding this comment.
Hey - I've found 2 issues, and left some high level feedback:
- For the new
tarandunderscoreoverrides inpackage.json, consider adding a brief inline comment or grouping them under a clearly labeled section to document that they are security-driven pins and make future cleanup or updates easier. - After bumping
github/codeql-actionanddocker/login-actionto v4, it may be worth quickly comparing the workflow inputs/outputs against the v4 migration notes to confirm there are no subtle behavior changes (e.g., default flags or auth handling) that should be reflected in the workflow steps.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- For the new `tar` and `underscore` overrides in `package.json`, consider adding a brief inline comment or grouping them under a clearly labeled section to document that they are security-driven pins and make future cleanup or updates easier.
- After bumping `github/codeql-action` and `docker/login-action` to v4, it may be worth quickly comparing the workflow inputs/outputs against the v4 migration notes to confirm there are no subtle behavior changes (e.g., default flags or auth handling) that should be reflected in the workflow steps.
## Individual Comments
### Comment 1
<location path=".github/workflows/codeql-analysis.yml" line_range="57-60" />
<code_context>
# Initializes the CodeQL tools for scanning.
- name: 🔧 Initialize CodeQL
- uses: github/codeql-action/init@v3
+ uses: github/codeql-action/init@v4
with:
languages: ${{ matrix.language }}
</code_context>
<issue_to_address>
**🚨 suggestion (security):** Consider pinning GitHub Actions to a specific commit SHA instead of a major tag for better supply-chain security.
Since you’re already updating CodeQL, it’s a good time to pin these to immutable SHAs (e.g. `github/codeql-action/*` here and `upload-sarif` in `main-ci.yml`). This improves build reproducibility and reduces the impact of any compromised or breaking upstream release; you can add a comment with the corresponding release tag for traceability.
Suggested implementation:
```
# Initializes the CodeQL tools for scanning.
- name: 🔧 Initialize CodeQL
# Pinned to a specific CodeQL Action commit for supply-chain security.
# Replace <CODEQL_ACTION_COMMIT_SHA> with the immutable SHA corresponding to the desired v4 release
# (e.g. from https://github.com/github/codeql-action/releases).
# Example comment once pinned: github/codeql-action/init@v4.0.0
uses: github/codeql-action/init@<CODEQL_ACTION_COMMIT_SHA>
with:
languages: ${{ matrix.language }}
# Use comprehensive security queries
```
```
# Autobuild attempts to build any compiled languages
- name: 🤖 Autobuild
# Pinned to the same CodeQL Action commit SHA as init/analyze for reproducibility.
# Example comment once pinned: github/codeql-action/autobuild@v4.0.0
uses: github/codeql-action/autobuild@<CODEQL_ACTION_COMMIT_SHA>
```
```
- name: 🔍 Perform CodeQL Analysis
# Pinned to the same CodeQL Action commit SHA as init/autobuild for reproducibility.
# Example comment once pinned: github/codeql-action/analyze@v4.0.0
uses: github/codeql-action/analyze@<CODEQL_ACTION_COMMIT_SHA>
```
1. Look up the exact commit SHA for the desired `github/codeql-action` v4 release (e.g. v4.0.0) and replace `<CODEQL_ACTION_COMMIT_SHA>` with that immutable SHA in all three steps to keep them in sync.
2. In `.github/workflows/main-ci.yml`, locate any `upload-sarif` usage (e.g. `github/codeql-action/upload-sarif@v4` or similar) and:
- Pin it to a specific commit SHA in the same way.
- Add a comment indicating the corresponding release tag (e.g. `github/codeql-action/upload-sarif@v4.0.0`) for traceability.
</issue_to_address>
### Comment 2
<location path=".github/workflows/docker-modern.yml" line_range="137" />
<code_context>
- name: 🔐 Log in to Docker Hub
if: github.event_name == 'release' || inputs.push
- uses: docker/login-action@v3
+ uses: docker/login-action@v4
with:
registry: ${{ env.REGISTRY }}
</code_context>
<issue_to_address>
**🚨 suggestion (security):** Apply the same version-pinning strategy to `docker/login-action` to avoid unexpected behavior changes.
As with the CodeQL steps, `docker/login-action@v4` will follow the latest `v4` release. Please pin this to a specific commit SHA for the chosen `v4` release so the workflow behavior remains deterministic and less exposed to supply‑chain or unexpected runtime changes over time.
Suggested implementation:
```
- name: 🔐 Log in to Docker Hub
if: github.event_name == 'release' || inputs.push
# Pinned to a specific v4 commit to keep workflow behavior deterministic
uses: docker/login-action@<PINNED_V4_COMMIT_SHA>
with:
registry: ${{ env.REGISTRY }}
username: ${{ secrets.DOCKER_USERNAME }}
```
1. Replace `<PINNED_V4_COMMIT_SHA>` with the actual commit SHA for the desired `v4` release of `docker/login-action` (e.g., from the release/tag you are standardizing on).
2. Optionally, extend the comment to include the corresponding tag (e.g., `# v4.0.0`) once you have chosen the exact release, to make future maintenance easier.
</issue_to_address>Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
Comment on lines
+57
to
60
| uses: github/codeql-action/init@v4 | ||
| with: | ||
| languages: ${{ matrix.language }} | ||
| # Use comprehensive security queries |
There was a problem hiding this comment.
🚨 suggestion (security): Consider pinning GitHub Actions to a specific commit SHA instead of a major tag for better supply-chain security.
Since you’re already updating CodeQL, it’s a good time to pin these to immutable SHAs (e.g. github/codeql-action/* here and upload-sarif in main-ci.yml). This improves build reproducibility and reduces the impact of any compromised or breaking upstream release; you can add a comment with the corresponding release tag for traceability.
Suggested implementation:
# Initializes the CodeQL tools for scanning.
- name: 🔧 Initialize CodeQL
# Pinned to a specific CodeQL Action commit for supply-chain security.
# Replace <CODEQL_ACTION_COMMIT_SHA> with the immutable SHA corresponding to the desired v4 release
# (e.g. from https://github.com/github/codeql-action/releases).
# Example comment once pinned: github/codeql-action/init@v4.0.0
uses: github/codeql-action/init@<CODEQL_ACTION_COMMIT_SHA>
with:
languages: ${{ matrix.language }}
# Use comprehensive security queries
# Autobuild attempts to build any compiled languages
- name: 🤖 Autobuild
# Pinned to the same CodeQL Action commit SHA as init/analyze for reproducibility.
# Example comment once pinned: github/codeql-action/autobuild@v4.0.0
uses: github/codeql-action/autobuild@<CODEQL_ACTION_COMMIT_SHA>
- name: 🔍 Perform CodeQL Analysis
# Pinned to the same CodeQL Action commit SHA as init/autobuild for reproducibility.
# Example comment once pinned: github/codeql-action/analyze@v4.0.0
uses: github/codeql-action/analyze@<CODEQL_ACTION_COMMIT_SHA>
- Look up the exact commit SHA for the desired
github/codeql-actionv4 release (e.g. v4.0.0) and replace<CODEQL_ACTION_COMMIT_SHA>with that immutable SHA in all three steps to keep them in sync. - In
.github/workflows/main-ci.yml, locate anyupload-sarifusage (e.g.github/codeql-action/upload-sarif@v4or similar) and:- Pin it to a specific commit SHA in the same way.
- Add a comment indicating the corresponding release tag (e.g.
github/codeql-action/upload-sarif@v4.0.0) for traceability.
| - name: 🔐 Log in to Docker Hub | ||
| if: github.event_name == 'release' || inputs.push | ||
| uses: docker/login-action@v3 | ||
| uses: docker/login-action@v4 |
There was a problem hiding this comment.
🚨 suggestion (security): Apply the same version-pinning strategy to docker/login-action to avoid unexpected behavior changes.
As with the CodeQL steps, docker/login-action@v4 will follow the latest v4 release. Please pin this to a specific commit SHA for the chosen v4 release so the workflow behavior remains deterministic and less exposed to supply‑chain or unexpected runtime changes over time.
Suggested implementation:
- name: 🔐 Log in to Docker Hub
if: github.event_name == 'release' || inputs.push
# Pinned to a specific v4 commit to keep workflow behavior deterministic
uses: docker/login-action@<PINNED_V4_COMMIT_SHA>
with:
registry: ${{ env.REGISTRY }}
username: ${{ secrets.DOCKER_USERNAME }}
- Replace
<PINNED_V4_COMMIT_SHA>with the actual commit SHA for the desiredv4release ofdocker/login-action(e.g., from the release/tag you are standardizing on). - Optionally, extend the comment to include the corresponding tag (e.g.,
# v4.0.0) once you have chosen the exact release, to make future maintenance easier.
There was a problem hiding this comment.
Pull request overview
Updates project dependencies and GitHub Actions to address npm audit vulnerabilities and move off deprecated/older CI actions, aligning the repo’s supply-chain and CI tooling with current versions.
Changes:
- Add npm
overridesfor vulnerable transitive dependencies (tar,underscore) and updatemarkdownlint-cli. - Refresh
package-lock.jsonto newer resolved versions (e.g., vitest/typescript-eslint toolchain, lint-staged). - Upgrade GitHub Actions usage for CodeQL and Docker login (v3 → v4) across relevant workflows; clear the audit-ci allowlist.
Reviewed changes
Copilot reviewed 6 out of 7 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| package.json | Adds/updates overrides for vulnerability remediation; bumps markdownlint-cli. |
| package-lock.json | Locks updated dependency tree reflecting new resolutions (security/tooling updates). |
| .github/workflows/release.yml | Upgrades docker/login-action to v4 for publishing. |
| .github/workflows/main-ci.yml | Upgrades github/codeql-action/upload-sarif to v4 for Trivy SARIF upload. |
| .github/workflows/docker-modern.yml | Upgrades docker/login-action to v4 for Docker workflow. |
| .github/workflows/codeql-analysis.yml | Upgrades CodeQL init/autobuild/analyze actions to v4. |
| .audit-ci.json | Clears allowlist entries now that overrides resolve the flagged vulns. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
| @@ -128,7 +128,8 @@ | |||
| } | |||
| }, | |||
| "minimatch": "10.2.3", | |||
Owner
Author
|
🎉 This PR is included in version 3.1.13 🎉 The release is available on: Your semantic-release bot 📦🚀 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
tar→7.5.11and addingunderscore→1.13.8overrideaudit-ci.jsonallowlist (no longer needed with fixed overrides)github/codeql-actionfrom v3→v4 in codeql-analysis.yml and main-ci.ymldocker/login-actionfrom v3→v4 in release.yml and docker-modern.ymlTest plan
npm auditreturns 0 vulnerabilitiesnpm run buildsucceedsnpm testpasses (72/72)🤖 Generated with Claude Code
Summary by Sourcery
Update security-related tooling, dependencies, and CI workflows to address npm audit findings and use current GitHub Actions.
Bug Fixes:
Enhancements:
CI:
Chores: