chore: sec updates #8193
Walkthrough
Coordinated dependency bumps across the monorepo: root devDependency and overrides adjusted, axios updated to 1.16.0 in several workspaces, lodash bumped to ^4.18.0 across packages, and
Changes
Monorepo Dependency Updates
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@package.json`:
- Line 45: The repo has a version mismatch: "jest" is updated to 30.0.0 while
companion packages (`@jest/globals`, `@types/jest`, ts-jest, babel-jest) remain at
29.x across root package.json and workspace packages (packages/bruno-requests,
packages/bruno-filestore, packages/bruno-common, packages/bruno-app); update
those companion deps to compatible 30.x versions or add a workspace-wide
resolution/override that pins all Jest-related packages to 30.x so
transforms/types remain consistent in CI—adjust entries for `@jest/globals`,
`@types/jest`, ts-jest, babel-jest in the mentioned package manifests (or add a
top-level "resolutions" / "overrides") to align with jest@30.0.0.
⛔ Files ignored due to path filters (1)
- package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (8)
- package.json
- packages/bruno-app/package.json
- packages/bruno-cli/package.json
- packages/bruno-electron/package.json
- packages/bruno-filestore/package.json
- packages/bruno-js/package.json
- packages/bruno-requests/package.json
- packages/bruno-tests/package.json
| "globals": "^16.1.0", | ||
| "husky": "^9.1.7", | ||
| "jest": "^29.2.0", | ||
| "jest": "30.0.0", |
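Review bot: the replacement line pins `"jest": "30.0.0"` exactly, while every neighbouring devDependency in this hunk (`"globals": "^16.1.0"`, `"husky": "^9.1.7"`, and the replaced `"jest": "^29.2.0"`) uses a caret range; either keep the caret (`"^30.0.0"`) for consistency or say in the PR why jest alone is pinned. Moving jest to major 30 here also needs the 29.x companions named elsewhere in this review (`@jest/globals`, `@types/jest`, ts-jest, babel-jest) bumped in the same change, otherwise the workspace installs mixed Jest majors.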
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify Jest ecosystem major alignment across workspace manifests.
# Expected: jest-related packages should resolve to a consistent major (30) where used together.
rg -n --glob '**/package.json' '"(jest|babel-jest|@types/jest|@jest/globals|ts-jest|jest-environment-jsdom)"\s*:\s*"[^"]+"'
Repository: usebruno/bruno
Length of output: 1057
Align Jest toolchain versions (jest 30 with 29.x companions).
jest is upgraded to 30.0.0, but the repo still pins @jest/globals, @types/jest, ts-jest, and babel-jest to 29.x in multiple places (root package.json, plus packages/bruno-requests, packages/bruno-filestore, packages/bruno-common, and partially packages/bruno-app). This version skew commonly breaks Jest transforms/types in CI.
Bump all Jest-related companions to matching 30.x versions consistently across the workspace (or enforce via a single resolution/override).
Pull request overview
This PR updates dependency versions across the Bruno monorepo, primarily to pick up security/maintenance upgrades for Axios and the Jest toolchain.
Changes:
- Bump axios from 1.13.6 → 1.16.0 across multiple workspaces and via the root overrides.
- Bump jest to 30.0.0 in the root and a couple of packages.
- Bump jest-environment-jsdom to 30.0.0 in bruno-app.
Reviewed changes
Copilot reviewed 8 out of 9 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| packages/bruno-tests/package.json | Updates axios to 1.16.0 for the testbench workspace. |
| packages/bruno-requests/package.json | Updates axios to 1.16.0 and bumps jest to 30.0.0. |
| packages/bruno-js/package.json | Updates axios to 1.16.0 for the JS package. |
| packages/bruno-filestore/package.json | Bumps jest to 30.0.0 for the filestore package. |
| packages/bruno-electron/package.json | Updates axios to 1.16.0 for the Electron app workspace. |
| packages/bruno-cli/package.json | Updates axios to 1.16.0 for the CLI workspace. |
| packages/bruno-app/package.json | Bumps jest-environment-jsdom to 30.0.0 for app tests. |
| package.json | Bumps root jest to 30.0.0 and updates the root axios override to 1.16.0. |
Actionable comments posted: 5
🧹 Nitpick comments (1)
scripts/update-package-lock.js (1)
11-86: ⚡ Quick win: Consider adding JSDoc comments to non-trivial functions.
Functions like fetchJson, resolveVersion, buildUpdatedEntry, and findLockEntries have non-obvious behavior and would benefit from JSDoc comments documenting their purpose, parameters, return values, and any thrown errors.
📝 Example JSDoc for fetchJson
+/** + * Fetches JSON data from a URL via HTTPS. + * `@param` {string} url - The URL to fetch from + * `@returns` {Promise<any>} Parsed JSON response + * `@throws` {Error} If the request fails, times out, or response is not valid JSON + */ function fetchJson(url) {
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@scripts/update-package-lock.js` around lines 11 - 86, Add JSDoc blocks to the non-trivial functions to document intent and contract: for fetchJson, resolveVersion, fetchPackageMeta, parseSpec, findLockEntries, and buildUpdatedEntry add /** ... */ comments immediately above each function that briefly describe purpose, list parameters with types and meanings (e.g. url, pkgName, requestedVersion, spec, packages, existing, registryMeta), specify return types (Promise<object>, string, parsed spec object, array of keys, updated entry object), and note thrown/rejection conditions (HTTP non-200, JSON parse errors, version-not-found). Keep comments concise and mention any important edge cases (scoped package handling in parseSpec, matching logic in findLockEntries, which registry fields are used in buildUpdatedEntry).
Source: Coding guidelines
🤖 Prompt for all review comments with AI agents
Inline comments:
In `@scripts/update-package-lock.js`:
- Around line 63-86: The buildUpdatedEntry function must validate critical
registryMeta fields before constructing fromRegistry: check that
registryMeta.version and registryMeta.dist?.tarball and
registryMeta.dist?.integrity exist and are non-empty; if any are missing, do not
write incomplete data — either throw an Error or return the original existing
entry unchanged (consistent with project behavior) and log a clear message.
Update the validation in buildUpdatedEntry (before creating fromRegistry) to
perform these checks and handle the failure path; ensure subsequent code (the
fromRegistry/updated merge) only runs when validation passes.
- Around line 11-29: The fetchJson function has no timeout and can hang
indefinitely; add a 30-second timeout to the https.get request inside fetchJson
(use a timer or an AbortController/req.setTimeout) so the request is aborted and
the Promise rejected with a clear timeout Error if not completed in 30s; ensure
you clear the timeout on 'end', 'error', and on successful resolve, and
remove/handle listeners to avoid leaks (reference function name fetchJson and
the https.get callback/returned request to locate where to attach the timeout
and abort logic).
- Around line 1-144: Add unit tests covering the script's public functions:
write tests for parseSpec (scoped and non-scoped with/without versions),
findLockEntries (various package-lock structures), and buildUpdatedEntry
(merging existing entry with registryMeta including missing keys), plus
integration tests for resolveVersion/fetchPackageMeta/main that mock network
responses (fetchJson/https) and filesystem (fs.readFileSync/fs.writeFileSync) to
simulate registry responses, missing package errors, malformed JSON, and
lockfile updates; ensure you stub network errors and non-200 status to validate
error handling and assert that main updates lock.packages correctly and exits
with appropriate messages.
- Around line 31-41: The resolveVersion function assumes the registry response
has the expected shape; add explicit validation of the fetched meta before
accessing meta.versions and meta['dist-tags'] to produce clear errors when the
registry returns a malformed response. Inside resolveVersion (and after await
fetchJson(url)), check that meta is an object, that meta.versions exists and is
an object, and that meta['dist-tags'] exists and has a latest string; if any
check fails, throw a descriptive Error mentioning the package name and which
field is missing/invalid so callers can distinguish malformed registry responses
from missing versions.
- Around line 137-138: Replace the direct fs.writeFileSync call that writes
LOCK_FILE with an atomic-write pattern: serialize lock to a temp file in the
same directory (e.g., LOCK_FILE + '.tmp'), fs.writeFileSync the temp file with
the JSON, fs.fsync the temp file descriptor (or ensure sync write), close it,
then fs.renameSync the temp file to LOCK_FILE so the rename is atomic; update
the code around fs.writeFileSync, LOCK_FILE and lock in
scripts/update-package-lock.js to use this temp-write-and-rename sequence to
avoid partial/corrupt lockfiles.
📒 Files selected for processing (1)
scripts/update-package-lock.js
⚠️ Outside diff range comments (1)
packages/bruno-common/package.json (1)
44-50: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win: Align Jest package majors with babel-jest@^30.0.0.
babel-jest was bumped to 30, but this package still pins Jest-related deps at 29 (@jest/globals, @types/jest). That version skew can break test execution or dependency resolution in workspace installs.
#!/bin/bash
set -euo pipefail
echo "== Check babel-jest@30 peer deps from npm registry =="
curl -s https://registry.npmjs.org/babel-jest/30.0.0 | jq '.peerDependencies'
echo
echo "== Find Jest-family versions in this repo =="
fd -HI "package.json" | xargs -I{} sh -c 'echo "--- {}"; jq -r ".devDependencies // {} | to_entries[]? | select(.key|test(\"^(jest|babel-jest|@jest/globals|@types/jest|jest-environment-jsdom)$\")) | \"\(.key): \(.value)\"" "{}"'
echo
echo "== Spot mixed majors (29 vs 30) =="
fd -HI "package.json" | xargs -I{} sh -c 'jq -r ".devDependencies // {} | to_entries[]? | select(.key|test(\"^(jest|babel-jest|@jest/globals|@types/jest|jest-environment-jsdom)$\")) | \"{} \(.key) \(.value)\"" "{}"' \
  | rg -n " (\\^?29|\\^?30|29\\.|30\\.)"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@packages/bruno-common/package.json` around lines 44 - 50, Update the Jest-related devDependencies in packages/bruno-common's package.json to match babel-jest's major (30) to avoid version skew: change `@jest/globals` and `@types/jest` (and any other jest-family entries like jest, jest-environment-jsdom if present) from major 29 to compatible 30.x versions (e.g., ^30.0.0 or the exact versions that satisfy babel-jest@^30.0.0 peer deps), then run install to verify the workspace resolves cleanly.
⛔ Files ignored due to path filters (1)
- package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (4)
- packages/bruno-common/package.json
- packages/bruno-converters/package.json
- packages/bruno-filestore/package.json
- packages/bruno-requests/package.json
✅ Files skipped from review due to trivial changes (1)
- packages/bruno-converters/package.json
🚧 Files skipped from review as they are similar to previous changes (2)
- packages/bruno-filestore/package.json
- packages/bruno-requests/package.json
9c780e0 to 3d589ef
Hi @sid-bruno, following up on this to request an expedited merge. Our current releases are flagging 3 vulnerabilities linked to axios < 1.16.0. This PR contains the necessary version bump to remediate:
- https://nvd.nist.gov/vuln/detail/CVE-2026-42044
- https://nvd.nist.gov/vuln/detail/CVE-2025-62718
- https://nvd.nist.gov/vuln/detail/CVE-2026-42264
Let me know if you need anything else from my end to get this across the finish line.
Working on it; since the grpc updates have broken our grpc tests, I'll be fixing it by tomorrow and it will be a part of our 3.5.0 release.
Thanks for the prompt reply. I really appreciate it!
Summary by CodeRabbit
- @babel/preset-env to ^7.27.1 across several packages