Skip to content

Remove unused decompress dependency#2393

Merged
ravikiranvm merged 1 commit into
mainfrom
remove-decompress-dependency
Jul 7, 2026
Merged

Remove unused decompress dependency#2393
ravikiranvm merged 1 commit into
mainfrom
remove-decompress-dependency

Conversation

@ravikiranvm

@ravikiranvm ravikiranvm commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Fixes OPS-4620.

Additional Notes

Removing this unused dependancy due to security warning.
See GHSA-mp2f-45pm-3cg9

@sonarqubecloud

sonarqubecloud Bot commented Jul 7, 2026

Copy link
Copy Markdown

@linear

linear Bot commented Jul 7, 2026

Copy link
Copy Markdown

OPS-4620

@ravikiranvm ravikiranvm marked this pull request as ready for review July 7, 2026 07:20
Copilot AI review requested due to automatic review settings July 7, 2026 07:20

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Removes the unused decompress npm dependency (and related transitive packages/license entries) to address the referenced security advisory (OPS-4620) and reduce the dependency surface area in the OpenOps monorepo.

Changes:

  • Removed decompress and @types/decompress from root package.json.
  • Updated package-lock.json to drop decompress@4.2.1 and its transitive dependency tree (reclassifying some remaining packages as dev-only where applicable).
  • Pruned corresponding entries from THIRD_PARTY_LICENSES.txt for packages no longer included.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated no comments.

File Description
THIRD_PARTY_LICENSES.txt Removes license blocks for decompress and related transitive packages that are no longer included.
package.json Drops decompress and @types/decompress from dependencies/devDependencies.
package-lock.json Removes decompress@4.2.1 subtree and updates dependency metadata accordingly.

@openops-hq-agent

Copy link
Copy Markdown

Claude PR Review — #2393: Remove unused decompress dependency

Author: ravikiranvm | Base: main | Labels: none

Verdict

SHIP — removes a genuinely unused dependency flagged by a security advisory; no reliability concerns.

Summary

This PR drops the decompress@4.2.1 npm package (and its @types/decompress types) from the root package.json, regenerates package-lock.json, and updates THIRD_PARTY_LICENSES.txt accordingly. Motivation is the GHSA-mp2f-45pm-3cg9 advisory (arbitrary file write via path traversal in decompress). Risk is minimal — this is a build-dependency cleanup with no source-code changes.

Verification performed

  • Package is truly unused: no import/require/jest.mock of the npm decompress package anywhere in the tree (grep over *.ts/*.tsx/*.js, excluding node_modules, returned nothing).
  • Not confused with the custom helper: every .decompress(...) reference in source resolves to the local fileCompressor.decompress in packages/server/shared/src/lib/file-compressor.ts, which is built on node:zlib (brotliDecompress/unzip) and msgpackr — not the removed package. The decompress mock in encrypt-compress.test.ts mocks the local file-compressor module, not the npm package.
  • Lockfile is consistent: no remaining node_modules/decompress entry, no decompress@4.2.1 reference, and no orphaned dependents. Transitive deps that were only pulled in by decompress (fd-slicer, unbzip2-stream, seek-bzip, file-type@3/5/6) are correspondingly removed from THIRD_PARTY_LICENSES.txt.
  • Both package.json and package-lock.json parse as valid JSON.

Findings

None. LGTM.

Testing gaps

None applicable — pure dependency removal with no source changes. CI's build, test, audit, and check-licenses jobs are the appropriate gate here and will catch any unexpected resolution breakage.

@ravikiranvm ravikiranvm merged commit 2c4971d into main Jul 7, 2026
23 checks passed
@ravikiranvm ravikiranvm deleted the remove-decompress-dependency branch July 7, 2026 07:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants