Skip to content

CCM-17440: Fix dependabot issues#321

Open
simonlabarere wants to merge 4 commits intomainfrom
feature/CCM-17440_dependabot_updates
Open

CCM-17440: Fix dependabot issues#321
simonlabarere wants to merge 4 commits intomainfrom
feature/CCM-17440_dependabot_updates

Conversation

@simonlabarere
Copy link
Copy Markdown
Contributor

@simonlabarere simonlabarere commented Apr 30, 2026
edited
Loading

Description

Updated the following dependencies:

  • axios
  • uuid override for mermaid
  • erb

node-jose uses a vulnerable version of uuid and it couldn't be overridden (I hacked it to force it use a new version and node-jose wouldn't work because it detected something was wrong).

I used copilot to replace node-jose with a combination of jose (which is maintained) and node:crypto. The problem is that jose version 6 (latest) is not compatible out of the box with the way we use jest for testing. I spent some time trying to make it work but it involved using an experimental version of jest and it made all the unit tests flaky in general. Version 5 of jose didn't have that problem so this is what I ended up using but it's a year old. On the other hand it doesn't have any vulnerabilities so it's still better than the 3 year old version of node-jose.

Testing involved generating a new public/private key pair and making sure it's working with the APIM authentication mechanism.

image image

Testing

Running the key-generation lambda manually

image

Generated private key

image

Generated public key

image image

APIM Updated to point at pr321

image

Token generation

image image

Type of changes

  • Refactoring (non-breaking change)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would change existing functionality)
  • Bug fix (non-breaking change which fixes an issue)

Checklist

  • I am familiar with the contributing guidelines
  • I have followed the code style of the project
  • I have added tests to cover my changes
  • I have updated the documentation accordingly
  • This PR is a result of pair or mob programming

Sensitive Information Declaration

To ensure the utmost confidentiality and protect your and others privacy, we kindly ask you to NOT including PII (Personal Identifiable Information) / PID (Personal Identifiable Data) or any other sensitive data in this PR (Pull Request) and the codebase changes. We will remove any PR that do contain any sensitive information. We really appreciate your cooperation in this matter.

  • I confirm that neither PII/PID nor sensitive data are included in this PR and the codebase changes.

@simonlabarere simonlabarere requested a review from a team as a code owner April 30, 2026 09:57
@simonlabarere simonlabarere force-pushed the feature/CCM-17440_dependabot_updates branch 5 times, most recently from 0dfc38a to 2e522f2 Compare May 5, 2026 12:19
@simonlabarere simonlabarere added the dependencies Pull requests that update a dependency file label May 5, 2026
@simonlabarere simonlabarere force-pushed the feature/CCM-17440_dependabot_updates branch 2 times, most recently from 7d404da to 63ce4d2 Compare May 6, 2026 08:42
@simonlabarere simonlabarere force-pushed the feature/CCM-17440_dependabot_updates branch from 63ce4d2 to 72c1f93 Compare May 6, 2026 14:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@simonlabarere