fix: scope GCP packages to prevent dependency confusion (BRISKET-W103)#130

Merged
igoroctaviano merged 2 commits into master from fix/brisket-w103-dependency-confusion on Jun 24, 2026

Conversation

@igoroctaviano

Collaborator

Summary

  • Renames ohif-gcp-mode and ohif-gcp-extension to scoped @idc/gcp-mode and @idc/gcp-extension to prevent public npm registry substitution (Synack BRISKET-W103).
  • Pins both dependencies to explicit Git commit SHAs instead of #main.
  • Adds .npmrc documenting that @idc packages must be installed from Git URLs only.
  • Updates plugin config, webpack transpilation rules, and app config references.

Related changes

Requires the following commits on the GCP package repos (already on main):

Test plan

  • yarn install --frozen-lockfile succeeds
  • yarn build completes without module resolution errors
  • Deployed viewer loads GCP mode/extension correctly
  • Confirm Synack finding BRISKET-W103 can be closed after redeploy

Rename ohif-gcp-mode and ohif-gcp-extension dependencies to the @idc
scoped packages, pin them to explicit Git commit SHAs, and document the
registry policy in .npmrc to mitigate supply-chain substitution risk.
Update @idc/gcp-mode and @idc/gcp-extension to the current main branch
HEAD on their respective repositories.
@igoroctaviano igoroctaviano merged commit 4395482 into master Jun 24, 2026
1 check failed
@DavidPotCanuck

Member

This has passed the retest by Synack:

Please move to production. Thank you!!!
