Skip to content

1.17.0: clear CRITICAL + transitive OSV findings via overrides (non-breaking)#446

Merged
vikrantpuppala merged 3 commits into
mainfrom
vp/security-overrides-1.17.0
Jul 10, 2026
Merged

1.17.0: clear CRITICAL + transitive OSV findings via overrides (non-breaking)#446
vikrantpuppala merged 3 commits into
mainfrom
vp/security-overrides-1.17.0

Conversation

@vikrantpuppala

Copy link
Copy Markdown
Collaborator

Summary

Non-breaking security patch on the 1.x line. Adds a package.json overrides block pinning transitive/dev dependencies to patched versions, so consumers can clear their critical/high scanner alerts without waiting for or adopting the breaking 2.0.0 bump (#390).

This directly answers the request on #386 for a patch on the current major.

What this clears

  • 2 CRITICAL: basic-ftp, form-data
  • HIGH / MED / LOW across the dev + transitive tree: ws, braces, micromatch, cross-spawn, serialize-javascript, @babel/*, js-yaml, ip-address, path-to-regexp, diff, ajv, nanoid, minimatch, follow-redirects, @75lb/deep-merge, flatted, picomatch, brace-expansion.

What this intentionally does NOT change (no breaking changes)

  • engines.node unchanged (>=14)
  • No declared-dependency version changes, no runtime-API changes
  • Drop-in patch: npm i @databricks/sql@1.17.0 clears the alerts with zero migration

Residual (deferred to 2.0.0)

Two HIGH findings remain — on direct runtime deps whose fixes are SemVer-major and therefore breaking:

Package Advisory Fixed in Ships in
thrift GHSA-r67j-r569-jrwp, GHSA-526f-jxpj-jmg2 0.23.0 2.0.0 (#390)
uuid GHSA-w5hq-g745-h8pq 11.1.1 2.0.0 (#390)

npm audit confirms both are "breaking change" fixes, which is why they're not in this patch.

Verification

  • OSV-Scanner v2.3.8 against the regenerated lockfile: only thrift + uuid remain (the two 2.0.0 items); all CRITICAL + transitive/dev findings cleared.

Test plan

  • CI green on the Node 18/20/22/24 matrix
  • e2e green

Closes #386
Closes #263

This pull request was AI-assisted by Isaac.

…es (non-breaking)

Non-breaking security patch on the 1.x line so consumers can clear
critical/high scanner alerts without waiting for or adopting the breaking
2.0.0 bump (requested on #386).

Adds a package.json `overrides` block pinning transitive/dev deps to
patched versions. Clears:
- 2 CRITICAL: basic-ftp, form-data
- HIGH/MED/LOW across the dev + transitive tree (ws, braces, micromatch,
  cross-spawn, serialize-javascript, @babel/*, js-yaml, ip-address,
  path-to-regexp, diff, ajv, nanoid, minimatch, follow-redirects, ...)

No engine, runtime-API, or declared-dependency changes -> drop-in patch.

The two remaining HIGH findings are on direct runtime deps whose fixes are
SemVer-major (thrift 0.16->0.23, uuid 9->11); those, plus the engines
>=18 bump, ship in 2.0.0 (#390). Verified with osv-scanner v2.3.8: only
thrift + uuid remain (both "breaking change" per npm audit).

Closes #386
Closes #263

Co-authored-by: Isaac
Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>
Replaces the earlier hand-tuned transitive override list (which forced
minimatch@5 globally and broke glob@7 with a "Cannot convert Symbol to
string" crash) with a coherent approach: bump mocha 10.2->10.8.2 +
eslint ->8.57.1 so the dev tree resolves patched transitive versions
without version-split conflicts, and keep only the runtime/transitive
overrides that don't fight the tree (basic-ftp, @75lb/deep-merge, ws,
ip-address, form-data).

Residual (deferred to 2.0.0, all require breaking changes):
- thrift, uuid (HIGH) -> SemVer-major runtime bumps
- serialize-javascript (dev-only) -> patched versions need Node >=20,
  which the non-breaking >=14 floor can't adopt; dev-only, not shipped.

OSV: 0 CRITICAL, 0 transitive-fixable findings; only the above residual.

Co-authored-by: Isaac
Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>
The lint job runs `prettier . --check`; the hand-edited 1.17.0 CHANGELOG
entry and package.json overrides block needed reformatting to pass.

Co-authored-by: Isaac
Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>
@vikrantpuppala vikrantpuppala added this pull request to the merge queue Jul 10, 2026
Merged via the queue into main with commit d55b056 Jul 10, 2026
25 of 26 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Vulnerability Issues Upgrade version of apache-arrow for security

2 participants