From b56bc024caa1fdbba0fb1adff3ec974fbf5bde2e Mon Sep 17 00:00:00 2001 From: Richard Zampieri Date: Tue, 16 Jun 2026 00:23:35 -0700 Subject: [PATCH 1/2] fix(security): resolve js-yaml advisory and clear-text env logging Pin transitive js-yaml to 4.2.0 via npm overrides (dev toolchain only). Replace debug dump of the full env object with key names only. Co-authored-by: Cursor --- package-lock.json | 48 ------------------- package.json | 3 ++ .../populate.early.spec.ts | 1 + src/env/environment.ts | 3 +- 4 files changed, 5 insertions(+), 50 deletions(-) diff --git a/package-lock.json b/package-lock.json index 1c3328b..c534f26 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1441,16 +1441,6 @@ "node": ">=8" } }, - "node_modules/@istanbuljs/load-nyc-config/node_modules/argparse": { - "version": "1.0.10", - "resolved": "https://registry.npmjs.org/argparse/-/argparse-1.0.10.tgz", - "integrity": "sha512-o5Roy6tNG4SL/FOkCAN6RzjiakZS25RLYFrcMttJqbdd8BWrnA+fGz57iN5Pb06pvBGvl5gQ0B48dJlslXvoTg==", - "dev": true, - "license": "MIT", - "dependencies": { - "sprintf-js": "~1.0.2" - } - }, "node_modules/@istanbuljs/load-nyc-config/node_modules/find-up": { "version": "4.1.0", "resolved": "https://registry.npmjs.org/find-up/-/find-up-4.1.0.tgz", @@ -1465,20 +1455,6 @@ "node": ">=8" } }, - "node_modules/@istanbuljs/load-nyc-config/node_modules/js-yaml": { - "version": "3.14.2", - "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.2.tgz", - "integrity": "sha512-PMSmkqxr106Xa156c2M265Z+FTrPl+oxd/rgOQy2tijQeK5TxQ43psO1ZCwhVOSdnn+RzkzlRz/eY4BgJBYVpg==", - "dev": true, - "license": "MIT", - "dependencies": { - "argparse": "^1.0.7", - "esprima": "^4.0.0" - }, - "bin": { - "js-yaml": "bin/js-yaml.js" - } - }, "node_modules/@istanbuljs/load-nyc-config/node_modules/locate-path": { "version": "5.0.0", "resolved": "https://registry.npmjs.org/locate-path/-/locate-path-5.0.0.tgz", 
@@ -2177,23 +2153,6 @@ "node": ">=18" } }, - "node_modules/@release-it/conventional-changelog/node_modules/conventional-commits-parser": { - "version": "6.4.0", - "resolved": "https://registry.npmjs.org/conventional-commits-parser/-/conventional-commits-parser-6.4.0.tgz", - "integrity": "sha512-tvRg7FIBNlyPzjdG8wWRlPHQJJHI7DylhtRGeU9Lq+JuoPh5BKpPRX83ZdLrvXuOSu5Eo/e7SzOQhU4Hd2Miuw==", - "extraneous": true, - "license": "MIT", - "dependencies": { - "@simple-libs/stream-utils": "^1.2.0", - "meow": "^13.0.0" - }, - "bin": { - "conventional-commits-parser": "dist/cli/index.js" - }, - "engines": { - "node": ">=18" - } - }, "node_modules/@simple-libs/child-process-utils": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/@simple-libs/child-process-utils/-/child-process-utils-1.0.2.tgz", @@ -8519,13 +8478,6 @@ "node": ">= 10.x" } }, - "node_modules/sprintf-js": { - "version": "1.0.3", - "resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz", - "integrity": "sha512-D9cPgkvLlV3t3IzL0D0YLvGA9Ahk4PcvVwUbN0dSGr1aP0Nrt4AEnTUbuGvquEC0mA64Gqt1fzirlRs5ibXx8g==", - "dev": true, - "license": "BSD-3-Clause" - }, "node_modules/stack-utils": { "version": "2.0.6", "resolved": "https://registry.npmjs.org/stack-utils/-/stack-utils-2.0.6.tgz", diff --git a/package.json b/package.json index 87db2ba..7760b1d 100644 --- a/package.json +++ b/package.json @@ -83,6 +83,9 @@ "optional": true } }, + "overrides": { + "js-yaml": "4.2.0" + }, "devDependencies": { "@commitlint/cli": "19.6.0", "@commitlint/config-conventional": "19.6.0", diff --git a/src/env/environment.early.spec/populate.early.spec.ts b/src/env/environment.early.spec/populate.early.spec.ts index f4fc3b4..08616c6 100644 --- a/src/env/environment.early.spec/populate.early.spec.ts +++ b/src/env/environment.early.spec/populate.early.spec.ts 
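Review bot: The override is unscoped, so it rewrites every js-yaml in the tree including dependents declared on the 3.x line — the lockfile hunk in the first file section shows `node_modules/@istanbuljs/load-nyc-config/node_modules/js-yaml` at 3.14.2 being dropped in favour of the pinned 4.2.0. js-yaml 4 renamed `safeLoad`/`safeDump` to `load`/`dump` and removed the old names, so a 3.x consumer that still calls them would fail at runtime when nyc reads its config; confirm load-nyc-config works against 4.x, or scope the override to the dependents that actually need the fix (npm allows nesting an override under a parent package name). The commit message also names no advisory identifier; recording it, together with the minimum fixed version, in the message lets the override be retired once the dependents update on their own. An exact `4.2.0` pin also blocks later js-yaml patch releases until this file is edited again; a floor such as `">=4.2.0"` would be picked up on lockfile regeneration, given that reproducibility is already provided by package-lock.json.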
@@ -72,6 +72,7 @@ describe("populate() populate method", () => { populate(mockEnvObject, mockParsed, mockOptions as any); expect(log).toHaveBeenCalledWith('"KEY1" was set to "value1"', LogLevel.Debug); + expect(log).toHaveBeenCalledWith("Loaded env keys: KEY1", LogLevel.Debug); }); test("should handle empty parsed object gracefully", () => { diff --git a/src/env/environment.ts b/src/env/environment.ts index 4e1ec16..cf749c1 100644 --- a/src/env/environment.ts +++ b/src/env/environment.ts @@ -346,9 +346,8 @@ export function populate( } } - // Final debug log to ensure variables are correctly populated if (debug) { - console.log("Final process.env object:", envObject); + log(`Loaded env keys: ${Object.keys(parsed).join(", ")}`, LogLevel.Debug); } } From 248c231c4e797b916eecaf1af93ff19ed475620d Mon Sep 17 00:00:00 2001 From: Richard Zampieri Date: Tue, 16 Jun 2026 00:37:25 -0700 Subject: [PATCH 2/2] fix(ci): restore conventional-commits-parser entry in package-lock.json The js-yaml override regen dropped a required lockfile node for @release-it/conventional-changelog, breaking npm ci on GitHub Actions. Co-authored-by: Cursor --- package-lock.json | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/package-lock.json b/package-lock.json index c534f26..01fe223 100644 --- a/package-lock.json +++ b/package-lock.json 
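Review bot: The added assertion exercises only the one-key path, so the `", "` separator in the new joined message is never checked; add a variant with two parsed keys, e.g. `expect(log).toHaveBeenCalledWith("Loaded env keys: KEY1, KEY2", LogLevel.Debug);`. The neighbouring empty-parsed test below could likewise pin, if it runs with debug enabled, that the summary degrades to `"Loaded env keys: "` (or that no summary is emitted, if that is the intended behaviour). The enclosing test body starts outside the hunk.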
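Review bot: Clear-text values still reach the log when debug is on: the spec hunk in this same patch asserts `'"KEY1" was set to "value1"'` at LogLevel.Debug, so the per-variable debug message emitted earlier in populate (outside this hunk) still prints each value and only the final dump is fixed here. That earlier message should be reduced to the key name, or the value replaced with a fixed redaction marker, with the spec assertion updated to match. The new summary lists `Object.keys(parsed)` rather than the keys actually written to envObject; if populate skips existing variables on some path (not visible in this hunk), the summary would name keys that were not applied, so consider collecting the applied keys instead. The removed comment should be replaced rather than dropped, e.g. `// Debug summary: key names only — values are intentionally never logged.`, so the next maintainer does not reintroduce the object dump. populate's body begins outside the hunk.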
@@ -2153,6 +2153,23 @@ "node": ">=18" } }, + "node_modules/@release-it/conventional-changelog/node_modules/conventional-commits-parser": { + "version": "6.4.0", + "resolved": "https://registry.npmjs.org/conventional-commits-parser/-/conventional-commits-parser-6.4.0.tgz", + "integrity": "sha512-tvRg7FIBNlyPzjdG8wWRlPHQJJHI7DylhtRGeU9Lq+JuoPh5BKpPRX83ZdLrvXuOSu5Eo/e7SzOQhU4Hd2Miuw==", + "extraneous": true, + "license": "MIT", + "dependencies": { + "@simple-libs/stream-utils": "^1.2.0", + "meow": "^13.0.0" + }, + "bin": { + "conventional-commits-parser": "dist/cli/index.js" + }, + "engines": { + "node": ">=18" + } + }, "node_modules/@simple-libs/child-process-utils": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/@simple-libs/child-process-utils/-/child-process-utils-1.0.2.tgz",