build(deps): add security resolutions for vulnerable npm packages #1740
PR Review: build(deps): add security resolutions for vulnerable npm packages
Overall this is a well-structured security hardening PR. A couple of items worth flagging:
✅ The
E2E Test Results: ✅ All tests passed • 67 passed • 4 skipped • 858s
Tests ran across 4 shards in parallel.
Add yarn resolutions to address high and medium severity vulnerabilities in transitive dependencies:
- tar: ^7.4.4 (fixes 3 high severity CVEs)
- axios: ^1.7.0 (fixes 3 high severity CVEs - SSRF, redirect issues)
- fast-xml-parser: ^4.4.0 (fixes 1 high - prototype pollution)
- systeminformation: ^5.24.0 (fixes 1 high - command injection)
- glob: ^10.4.6 (fixes 1 high - ReDoS)

These resolutions force secure versions of packages that are pulled in as transitive dependencies, reducing Docker Scout vulnerability count by ~6 vulnerabilities.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
d49b1e5 to f99d299
Just noting for further investigation, axios is a major jump from 0 -> 1, tar from 6 to 7.
Looks like Axios is primarily due to an outdated @slack/webhook dependency. We should instead upgrade to @slack/webhook v7, which does not have any listed breaking changes.
Strip npm/yarn from production images (~15-20 CVEs removed):
- Add concurrently to @hyperdx/api dependencies so entry scripts can use ./node_modules/.bin/concurrently instead of a global install
- Remove npm, npx, corepack, yarn, yarnpkg binaries and modules from both prod and all-in-one-base stages (unused at runtime)

Update curl and busybox in all-in-one image (~7 CVEs removed):
- Upgrade curl and busybox via apk --upgrade in the MongoDB RUN block

Add VEX exceptions for OpenSSL 1.1.1k (~55 CVEs suppressed):
- New .vex/openssl-mongodb.vex.json marks 20 OpenSSL CVEs as not_affected (MongoDB is localhost-only, no external TLS cert processing); reference via: docker scout cves --vex-location /etc/vex/
- Copy VEX files into image at /etc/vex/

Add supply chain attestations to release builds (+15 policy points):
- Replace --squash with --sbom=true --provenance=true on all 6 docker buildx build release targets in Makefile
- --squash is incompatible with attestation flags; multi-stage build already minimizes layers

Drop app process privileges via su-exec in all-in-one:
- Install su-exec in all-in-one-base stage
- Run HyperDX app via su-exec otel in entry.local.base.sh; system services (ClickHouse, MongoDB, OTel) continue as root
- chown /app to otel user so the app process has full file access
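The VEX file this commit adds is a list of suppressions, and a suppression is only as good as the reason recorded with it. The following is an added example, not part of this PR or the HyperDX code base: a small linter for an OpenVEX document that rejects any `not_affected` statement lacking a justification from the OpenVEX enumerated list or an impact statement. The sample document uses placeholder CVE ids, a placeholder package URL, and an impact statement paraphrasing the commit's localhost-only rationale; none of those values come from the real `.vex/openssl-mongodb.vex.json`.

```javascript
// Lint an OpenVEX document before it is copied to /etc/vex/ and consumed by
// `docker scout cves --vex-location`. Added example for this PR, not part of
// it. House rule enforced here: every not_affected statement carries both a
// justification from the OpenVEX list and a non-empty impact_statement.

// Justification values defined by OpenVEX for status "not_affected".
const JUSTIFICATIONS = new Set([
  "component_not_present",
  "vulnerable_code_not_present",
  "vulnerable_code_not_in_execute_path",
  "vulnerable_code_cannot_be_controlled_by_adversary",
  "inline_mitigations_already_exist",
]);
const STATUSES = new Set(["not_affected", "affected", "fixed", "under_investigation"]);

// Returns a list of findings; an empty list means the document passes.
// Statement indexes in the messages are zero-based.
function lintVex(doc) {
  const findings = [];
  if (typeof doc["@context"] !== "string" || !doc["@context"].startsWith("https://openvex.dev/ns")) {
    findings.push("document: missing or non-OpenVEX @context");
  }
  if (!Array.isArray(doc.statements) || doc.statements.length === 0) {
    findings.push("document: no statements");
    return findings;
  }
  doc.statements.forEach((st, i) => {
    const where = `statement ${i}`;
    const vuln = st.vulnerability && st.vulnerability.name;
    if (typeof vuln !== "string" || !/^CVE-\d{4}-\d{4,}$/.test(vuln)) {
      findings.push(`${where}: vulnerability.name is not a CVE id`);
    }
    const products = Array.isArray(st.products) ? st.products : [];
    if (products.length === 0 || products.some((p) => typeof p["@id"] !== "string" || !p["@id"].startsWith("pkg:"))) {
      findings.push(`${where}: products must be non-empty package URLs (pkg:...)`);
    }
    if (!STATUSES.has(st.status)) {
      findings.push(`${where}: unknown status ${JSON.stringify(st.status)}`);
    } else if (st.status === "not_affected") {
      if (!JUSTIFICATIONS.has(st.justification)) {
        findings.push(`${where}: not_affected requires a justification from the OpenVEX list`);
      }
      if (typeof st.impact_statement !== "string" || st.impact_statement.trim() === "") {
        findings.push(`${where}: not_affected requires an impact_statement`);
      }
    }
  });
  return findings;
}

// Constructed sample with placeholder ids (not the PR's real VEX file):
// statement 0 is complete, statement 1 suppresses a finding without saying
// why and must be rejected.
const SAMPLE_VEX = {
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.invalid/vex/openssl-mongodb-placeholder",
  author: "placeholder maintainer",
  timestamp: "2025-01-01T00:00:00Z",
  version: 1,
  statements: [
    {
      vulnerability: { name: "CVE-0000-00001" }, // placeholder CVE id
      products: [{ "@id": "pkg:generic/openssl@1.1.1k" }], // placeholder purl
      status: "not_affected",
      justification: "vulnerable_code_not_in_execute_path",
      impact_statement: "MongoDB listens on localhost only; no external TLS certificates are processed.",
    },
    {
      vulnerability: { name: "CVE-0000-00002" }, // placeholder CVE id
      products: [{ "@id": "pkg:generic/openssl@1.1.1k" }],
      status: "not_affected",
      // no justification, no impact_statement: flagged by lintVex
    },
  ],
};

console.log(lintVex(SAMPLE_VEX).join("\n") || "ok");
```

Wiring this into CI (run it over every file under `.vex/` and fail the job on a non-empty result) keeps the suppression list reviewable: a reviewer sees the recorded reason next to the CVE instead of a bare status.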
| # Start HyperDX app | ||
| concurrently \ | ||
| # Start HyperDX app (run as otel user via su-exec) | ||
| su-exec otel ./node_modules/.bin/concurrently \ |
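Review bot: `su-exec otel` gives the application process the same identity as the collector, so a compromise of either process inherits the other's file access, and with `/app` chowned to `otel` (per the commit message) the app can also write to its own code tree. A dedicated non-root user for the app, with `/app` left owned by root and only the directories the app must write granted to that user, keeps the two privilege domains separate. Also worth noting that `su-exec` does not reset or load a login environment, so `HOME` and `PATH` remain root's values; confirm the app does not rely on a per-user home directory.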
Could you elaborate on what this is for? It seems a bit odd to run the main application node process as the otel user (which is intended for the collector).
| @@ -319,7 +319,7 @@ release-local-nightly: | |||
| .PHONY: release-all-in-one-nightly | |||
| release-all-in-one-nightly: | |||
| @echo "Building and pushing nightly tag ${ALL_IN_ONE_IMAGE_NAME_DOCKERHUB}:${IMAGE_NIGHTLY_TAG}..."; \ | |||
| docker buildx build --squash . -f ./docker/hyperdx/Dockerfile \ | |||
| docker buildx build --sbom=true --provenance=true . -f ./docker/hyperdx/Dockerfile \ | |||
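Review bot: `--sbom=true --provenance=true` only work with a builder that supports attestations; the default `docker` driver does not unless the containerd image store is enabled, so this target fails on a host or CI runner that has never selected a `docker-container` builder (which is likely what the "does this break the build?" question is seeing). Suggest the target create or select such a builder first (`docker buildx create --use`) or the Makefile document that requirement. Separately, `--provenance=true` defaults to `mode=min`; if the policy points being chased depend on full build provenance, `--provenance=mode=max` is the setting to use.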
Does this break the build? I don't think we should remove --squash, right?
wrn14897 left a comment:
Some changes are breaking the build. Please review the comments.
| "@opentelemetry/host-metrics": "^0.35.5", | ||
| "@opentelemetry/sdk-metrics": "^1.30.1", | ||
| "@slack/webhook": "^6.1.0", | ||
| "@slack/webhook": "^7.0.0", |
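Review bot: bumping the range alone does not prove the vulnerable copy is gone; if any other dependency still pins axios 0.x, yarn keeps both versions in the lockfile and the dropped resolution is needed after all. Before merging, confirm the lockfile diff removes the `axios@^0.21.x` entry (for example `yarn why axios` listing only a 1.x copy) and, since v7 drops Node <18 per the description, that any `engines.node` value in this package.json agrees with the Node 22 runtime.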
Tested Slack webhook and it worked fine.
Summary
Addresses npm security vulnerabilities in transitive dependencies. Prefer direct dependency upgrades over broad resolutions where possible.
Changes
Direct upgrade:
- @slack/webhook: ^6.1.0 → ^7.0.0 — v7 natively uses axios v1, eliminating the axios@0.21.4 SSRF/redirect vulnerabilities. Only breaking change in v7 is dropping Node <18 (we're on Node 22).

Resolutions for transitive deps with no direct upgrade path:
- fast-xml-parser: ^4.4.0 — fixes prototype pollution (High)
- systeminformation: ^5.24.0 — fixes command injection (High)

Removed/Not Done
- axios resolution removed — covered by the @slack/webhook upgrade instead
- tar resolution removed — was a v6→v7 major jump on build-only tools (cacache, node-gyp); not present in the production image
- glob resolution removed — was breaking test coverage tooling (test-exclude@6 depends on glob@^7)

Related
Follow-up to #1731 which addressed base image vulnerabilities (Node, Go, ClickHouse).
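Both the original resolutions commit and the final description rely on the lockfile ending up with secure versions, so the useful check is one that reads what yarn actually resolved rather than what `package.json` asks for. The following is an added example, not part of this PR or the HyperDX code base: it parses a yarn classic (v1) lockfile and reports every resolved copy of a watched package that is below its minimum. The sample lockfile excerpt is constructed with placeholder `resolved` and `integrity` values; the minimums are taken from this PR's description.

```javascript
// Verify that yarn "resolutions" (and the @slack/webhook upgrade that replaced
// the axios resolution) actually took effect: every copy of a watched package
// that yarn.lock resolves must be at or above the minimum version.
// Added example for this PR, not part of it. Assumes a yarn classic (v1)
// lockfile layout.

// Minimum versions this PR expects to end up in the lockfile.
const MIN_VERSIONS = {
  "fast-xml-parser": "4.4.0",
  systeminformation: "5.24.0",
  axios: "1.7.0",
  "@slack/webhook": "7.0.0",
};

// Parse a yarn v1 lockfile into { packageName: Set<resolvedVersion> }.
function parseYarnLock(text) {
  const resolved = {};
  let current = null; // package names covered by the block being read
  for (const raw of text.split("\n")) {
    if (raw.trim() === "" || raw.startsWith("#")) continue;
    if (!raw.startsWith(" ")) {
      // Header: comma-separated "name@range" specifiers, each optionally
      // quoted, ending in ":". Scoped names begin with "@", so split on the
      // last "@" to recover the name.
      current = new Set();
      for (const part of raw.replace(/:\s*$/, "").split(",")) {
        const spec = part.trim().replace(/^"|"$/g, "");
        current.add(spec.slice(0, spec.lastIndexOf("@")));
      }
      continue;
    }
    const m = raw.match(/^\s+version\s+"([^"]+)"/);
    if (m && current) {
      for (const name of current) {
        if (!resolved[name]) resolved[name] = new Set();
        resolved[name].add(m[1]);
      }
    }
  }
  return resolved;
}

// Compare dotted versions numerically (prerelease suffixes ignored).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Returns [{ name, version }] for every resolved copy below its minimum;
// an empty list means the resolutions are effective.
function checkResolutions(lockText, minVersions = MIN_VERSIONS) {
  const resolved = parseYarnLock(lockText);
  const violations = [];
  for (const [name, min] of Object.entries(minVersions)) {
    for (const version of resolved[name] || []) {
      if (compareVersions(version, min) < 0) violations.push({ name, version });
    }
  }
  return violations;
}

// Constructed lockfile excerpt (placeholder resolved/integrity values). The
// stale axios@0.21.4 block is what a leftover dependency on an old
// @slack/webhook would leave behind after the resolution is dropped.
const SAMPLE_LOCK_STALE = `# yarn lockfile v1

"@slack/webhook@^7.0.0":
  version "7.0.2"
  resolved "https://registry.invalid/placeholder"
  integrity sha512-PLACEHOLDER
  dependencies:
    axios "^1.6.5"

axios@^0.21.4:
  version "0.21.4"
  resolved "https://registry.invalid/placeholder"
  integrity sha512-PLACEHOLDER

axios@^1.6.5, axios@^1.7.0:
  version "1.7.4"
  resolved "https://registry.invalid/placeholder"
  integrity sha512-PLACEHOLDER

fast-xml-parser@^4.4.0:
  version "4.4.1"
  resolved "https://registry.invalid/placeholder"
  integrity sha512-PLACEHOLDER

systeminformation@^5.24.0:
  version "5.25.11"
  resolved "https://registry.invalid/placeholder"
  integrity sha512-PLACEHOLDER
`;

// The same lockfile once the stale block is gone.
const SAMPLE_LOCK_CLEAN = SAMPLE_LOCK_STALE.replace(/axios@\^0\.21\.4:[\s\S]*?\n\n/, "");

console.log("stale:", checkResolutions(SAMPLE_LOCK_STALE));
console.log("clean:", checkResolutions(SAMPLE_LOCK_CLEAN));
```

Run against the real `yarn.lock` (read the file and pass its contents to `checkResolutions`) this gives a merge-time assertion that the upgrade removed the 0.x axios copy rather than adding a second axios beside it.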