Skip to content

fix(deps): bump dependencies and resolve audit issues#386

Merged
tmoody merged 3 commits intomainfrom
depBumps_20251221
Dec 21, 2025
Merged

fix(deps): bump dependencies and resolve audit issues#386
tmoody merged 3 commits intomainfrom
depBumps_20251221

Conversation

@tmoody
Copy link
Member

@tmoody tmoody commented Dec 21, 2025
edited
Loading

Issue

House-keeping

Changes are required to:

  1. prevent npm pre/post script execution
  2. reduce the incidence of CRLF end-of-line characters in changes pushed from Windows clients.

./api

  1. Newer versions of @sasjs/core and @sasjs/utils dependencies have been released.

  2. npm audit failure caused by jsonwebtoken@9.0.2:

$ npm audit --omit=dev
# npm audit report

jws  <3.2.3
jws  <3.2.3
Severity: high
auth0/node-jws Improperly Verifies HMAC Signature - https://github.com/advisories/GHSA-869p-cjfg-cm3x
fix available via `npm audit fix`
node_modules/jws

1 high severity vulnerability

To address all issues, run:
  npm audit fix

./web

  1. For the web package, npm audit raises issues with the following production dependencies:
$ npm audit --omit=dev
# npm audit report

@babel/runtime  <7.26.10
Severity: moderate
Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups - https://github.com/advisories/GHSA-968p-4wvh-cqc8
fix available via `npm audit fix`
node_modules/@babel/runtime

@babel/runtime-corejs3  <7.26.10
Severity: moderate
Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups - https://github.com/advisories/GHSA-968p-4wvh-cqc8

Intent

  1. Impose an npm directive to prevent the automatic execution of pre/post scripts.
  2. Add a git directive to checkout files with lf end-of-line characters.
  3. Bump @sasjs component versions.
  4. Bump jsonwebtoken version.
  5. Let npm audit automatically manage dependency updates.

Implementation

  1. New file .npmrc in the root folder contains ignore-scripts=true. The api sub-folder package.json actions previously assigned to prebuild and postbuild npm scripts are incorporated into its build script.
  2. New file .gitattributes in the root folder contains * text=auto eol=lf.
  3. ./api/package.json edited for the packages/versions above. npm i to update the package-lock.json.
  4. See (3).
  5. npm audit updated the ./web/package-lock.json file.

Checks

  • Code is formatted correctly (npm run lint:fix).
  • Any new functionality has been unit tested.
  • All unit tests are passing (npm test).
  • All CI checks are green.
  • Reviewer is assigned.

@tmoody tmoody requested a review from allanbowe December 21, 2025 01:11
@tmoody tmoody self-assigned this Dec 21, 2025
@tmoody tmoody merged commit a56c0b0 into main Dec 21, 2025
3 checks passed
@tmoody tmoody deleted the depBumps_20251221 branch December 21, 2025 01:24
@github-actions
Copy link

github-actions bot commented Dec 21, 2025

🎉 This PR is included in version 0.39.4 🎉

The release is available on:

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@allanbowe allanbowe allanbowe approved these changes

Assignees

@tmoody tmoody

Labels

released

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tmoody @allanbowe