1.17.0: clear CRITICAL + transitive OSV findings via overrides (non-breaking)#446
Merged
Conversation
…es (non-breaking) Non-breaking security patch on the 1.x line so consumers can clear critical/high scanner alerts without waiting for or adopting the breaking 2.0.0 bump (requested on #386). Adds a package.json `overrides` block pinning transitive/dev deps to patched versions. Clears: - 2 CRITICAL: basic-ftp, form-data - HIGH/MED/LOW across the dev + transitive tree (ws, braces, micromatch, cross-spawn, serialize-javascript, @babel/*, js-yaml, ip-address, path-to-regexp, diff, ajv, nanoid, minimatch, follow-redirects, ...) No engine, runtime-API, or declared-dependency changes -> drop-in patch. The two remaining HIGH findings are on direct runtime deps whose fixes are SemVer-major (thrift 0.16->0.23, uuid 9->11); those, plus the engines >=18 bump, ship in 2.0.0 (#390). Verified with osv-scanner v2.3.8: only thrift + uuid remain (both "breaking change" per npm audit). Closes #386 Closes #263 Co-authored-by: Isaac Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>
3 tasks
Replaces the earlier hand-tuned transitive override list (which forced minimatch@5 globally and broke glob@7 with a "Cannot convert Symbol to string" crash) with a coherent approach: bump mocha 10.2->10.8.2 + eslint ->8.57.1 so the dev tree resolves patched transitive versions without version-split conflicts, and keep only the runtime/transitive overrides that don't fight the tree (basic-ftp, @75lb/deep-merge, ws, ip-address, form-data). Residual (deferred to 2.0.0, all require breaking changes): - thrift, uuid (HIGH) -> SemVer-major runtime bumps - serialize-javascript (dev-only) -> patched versions need Node >=20, which the non-breaking >=14 floor can't adopt; dev-only, not shipped. OSV: 0 CRITICAL, 0 transitive-fixable findings; only the above residual. Co-authored-by: Isaac Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>
The lint job runs `prettier . --check`; the hand-edited 1.17.0 CHANGELOG entry and package.json overrides block needed reformatting to pass. Co-authored-by: Isaac Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>
sreekanth-db
approved these changes
Jul 10, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Non-breaking security patch on the 1.x line. Adds a
package.jsonoverridesblock pinning transitive/dev dependencies to patched versions, so consumers can clear their critical/high scanner alerts without waiting for or adopting the breaking2.0.0bump (#390).This directly answers the request on #386 for a patch on the current major.
What this clears
basic-ftp,form-dataws,braces,micromatch,cross-spawn,serialize-javascript,@babel/*,js-yaml,ip-address,path-to-regexp,diff,ajv,nanoid,minimatch,follow-redirects,@75lb/deep-merge,flatted,picomatch,brace-expansion.What this intentionally does NOT change (no breaking changes)
engines.nodeunchanged (>=14)npm i @databricks/sql@1.17.0clears the alerts with zero migrationResidual (deferred to 2.0.0)
Two HIGH findings remain — on direct runtime deps whose fixes are SemVer-major and therefore breaking:
thriftuuidnpm auditconfirms both are "breaking change" fixes, which is why they're not in this patch.Verification
thrift+uuidremain (the two 2.0.0 items); all CRITICAL + transitive/dev findings cleared.Test plan
Closes #386
Closes #263
This pull request was AI-assisted by Isaac.