Release JavaScript Oracle KMS Storage v1.0.0 #873
stas-schaller wants to merge 25 commits into master from
Conversation
| runs-on: ubuntu-latest | ||
| defaults: | ||
| run: | ||
| working-directory: ./sdk/javascript/packages/oracle | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Setup Node.js 20.x | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: '20.x' | ||
| cache: 'npm' | ||
| cache-dependency-path: sdk/javascript/packages/oracle/package-lock.json | ||
|
|
||
| - name: Install dependencies | ||
| run: npm ci | ||
|
|
||
| - name: Run tests | ||
| run: npm test |
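Review bot: the `test` job declares no `permissions:` block, so the workflow token falls back to the repository default instead of the `contents: read` a checkout-and-test job needs; add `permissions: contents: read` as the CodeQL autofix suggests. While touching this job, pin `actions/checkout@v4` and `actions/setup-node@v4` to commit SHAs and set `persist-credentials: false` on the checkout step, as the later SBOM workflow commit in this PR already does for the other workflows.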
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium), job `test`
Copilot Autofix (AI, 4 months ago):
To fix this problem, add a `permissions:` block either at the root of the workflow file (which will apply to all jobs) or at the `jobs.test` level if additional jobs are added in the future with different requirements. The minimal required permission for this workflow is likely `contents: read`, as the workflow only checks out code and runs tests. Add this block immediately after the workflow `name:` and before `on:` (for workflow-wide settings), or at the same indentation level as `runs-on:` inside the `test` job block.
No new methods, imports, or definitions are required.
| @@ -1,4 +1,6 @@ | ||
| name: Test JavaScript Storage - Oracle KMS | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: |
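Review bot: `contents: read` at the workflow root is the right minimal grant for a job that only checks out and runs `npm test`, and it matches the `permissions: contents: read` at workflow and job level that the later SBOM workflow commit in this PR adds; if a job with different needs (for example a publish job) is added to this file later, give it its own job-level `permissions:` block rather than widening this root one.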
* Bump version
* fix: resolve DOM Clobbering CVE-2024-43788 (#689)
* fix: resolve DOM Clobbering CVE-2024-43788
* Upgrade JavaScript tests GHA to use Node 20
* fixed moduleResolution in tsconfig updated all dependencies
* Added Oracle KMS support to KSM JavaScript SDK.
* fixed markdown syntax
* fixed encryption issue and exception handling for get key details functionality

---------

Co-authored-by: Ivan Dimov <78815270+idimov-keeper@users.noreply.github.com>
Co-authored-by: satish_chandra <metron_satish@safebreach.com>
…CVE-2025-13465
- Updates oci-keymanagement from 2.122.0 to 2.124.0
- Updates jws from 3.2.2 to 3.2.3 (via jsonwebtoken)
- Updates lodash from 4.17.21 to 4.17.23 (via jsonwebtoken)
- Resolves HIGH severity CVE-2025-65945 (CVSS 7.5) - jws HMAC signature bypass
- Resolves MEDIUM severity CVE-2025-13465 (CVSS 6.9) - lodash prototype pollution
Fixes GHSA-7h2j-956f-4vf2 (CVE-2026-25547) DoS vulnerability
Adds existsSync and readFileSync mocks to fix Oracle SDK configuration loading
4b5b8eb to cbf95a1
…thod visibility (KSM-838) Fix contains() which incorrectly used `key in Object.keys(config)` — this checks numeric array indices and always returns false for real config key strings. Corrected to `key in config` which checks object property names directly. Also normalize 5 methods from private to public to match Azure and AWS: contains(), isEmpty(), deleteAll(), readStorage(), saveStorage(). None of these packages are published yet, so this is a clean alignment. Add regression tests for contains() to prevent recurrence.
…setup-node in publish, npm ci, --ignore-scripts, .npmrc auth
…-values KSM-841: fix delete() skipping keys with falsy values in Oracle storage
…BOM GHA false positives
- Upgrade actions/checkout, setup-node to v6 (SHA-pinned); upload-artifact to v7
- Bump node-version from 20 to 24 in all three jobs
- Syft v1.18.1 → v1.32.0 (Manifest CLI v0.31.0 max), Manifest CLI v0.18.3 → v0.31.0
- Disable github-action-workflow-usage-cataloger and github-actions-usage-cataloger in Syft config — eliminates GHA false positives from SBOM
- Fix retention-days: 90 → 10 (repo maximum)
- Add permissions: contents: read at workflow and job level
- Set persist-credentials: false on all checkout steps
- Use manifest (PATH) instead of /tmp/bin/manifest (hardcoded)
…er/decryptBuffer and saveConfig
…gth Uint8Array
When an empty Uint8Array was stored, it was encoded as an empty base64
string (""). On retrieval, the falsy check (if bytesString) treated ""
as absent, returning undefined instead of Uint8Array(0). Fix replaces
truthy check with strict !== undefined guard.
KSM-852
Release of @keeper-security/secrets-manager-oracle-kv v1.0.0
Oracle Cloud Key Management Service integration for secure storage of Keeper Secrets Manager configuration.
Dependencies:
Bug Fixes
- `contains()` — `key in Object.keys(config)` checked numeric array indices and always returned `false` for real config keys. Corrected to `key in config`. Add regression tests.
- `delete()` — truthy check `if (config[key])` silently skipped deletion of keys with falsy values (`""`, `0`). Corrected to `if (key in config)`. Add regression tests.
- `encryptBuffer()` and `decryptBuffer()` in `utils.ts` returned empty values (`Buffer.alloc(0)` / `""`) on Oracle OCI KMS failure instead of rethrowing, silently discarding authentication failures, invalid key IDs, and permission errors; `saveConfig()` also caught and discarded errors without rethrowing; both layers now rethrow, making `saveString()`, `saveBytes()`, `saveObject()`, and `changeKey()` propagate Oracle KMS failures as expected; `changeKey()`'s rollback path (key and crypto client restoration) is now reachable; removed vestigial `blob.length > 0` guards in `saveConfig()` and `createConfigFileIfMissing()`.
- `getBytes()` — falsy check `if (bytesString)` treated an empty base64 string (`""`, produced by saving a zero-length `Uint8Array`) as absent, returning `undefined` instead of `Uint8Array(0)`. Corrected to `if (bytesString !== undefined)`. Add regression tests.
- `private` to `public` to match Azure and AWS: `contains()`, `isEmpty()`, `deleteAll()`, `readStorage()`, `saveStorage()`.

Closes https://keeper.atlassian.net/browse/KSM-705
Closes https://keeper.atlassian.net/browse/KSM-838
Closes https://keeper.atlassian.net/browse/KSM-841
Closes https://keeper.atlassian.net/browse/KSM-848
Closes https://keeper.atlassian.net/browse/KSM-852
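The four bug classes listed under Bug Fixes, as an added example that is not the SDK's code: a plain object stands in for the Oracle KV config storage, and each buggy check from the PR sits beside its fix so the falsy-value, array-index and swallowed-error failures can be reproduced on constructed input. The function names (`containsBuggy`, `encryptRethrowing`, `runChecks`, the `kmsDown` stand-in client) are hypothetical.

```javascript
// Buggy: Object.keys() returns an array, so `in` tests its indices ("0", "1", ...), never the names.
function containsBuggy(config, key) { return key in Object.keys(config); }
// Fixed: test the property name on the config object itself (`in` also sees inherited
// names such as "constructor"; prefer Object.hasOwn() when keys come from untrusted input).
function containsFixed(config, key) { return key in config; }
// Buggy: a truthy test skips keys whose value is "" or 0, so delete() silently does nothing.
function deleteBuggy(config, key) { if (config[key]) delete config[key]; }
// Fixed: test presence, not truthiness.
function deleteFixed(config, key) { if (key in config) delete config[key]; }
// Byte values are stored base64-encoded; a zero-length Uint8Array becomes "".
function saveBytes(config, key, bytes) { config[key] = Buffer.from(bytes).toString('base64'); }
// Buggy: "" is falsy and is reported as absent (undefined) instead of Uint8Array(0).
function getBytesBuggy(config, key) {
  const s = config[key];
  return s ? new Uint8Array(Buffer.from(s, 'base64')) : undefined;
}
// Fixed: only a missing key is absent.
function getBytesFixed(config, key) {
  const s = config[key];
  return s !== undefined ? new Uint8Array(Buffer.from(s, 'base64')) : undefined;
}
// Buggy: swallowing a KMS failure hands callers an empty buffer that they go on to persist.
function encryptSwallowing(kmsEncrypt, plaintext) {
  try { return kmsEncrypt(plaintext); } catch { return Buffer.alloc(0); }
}
// Fixed: rethrow so saveConfig()/changeKey() callers see the auth or permission error.
function encryptRethrowing(kmsEncrypt, plaintext) {
  try { return kmsEncrypt(plaintext); }
  catch (err) { throw new Error(`Oracle KMS encrypt failed: ${err.message}`, { cause: err }); }
}
// Constructed sample config exercising every edge case above; kmsDown stands in for a failing client.
function runChecks() {
  const cfg = { clientId: 'abc', hostname: '', retries: 0 };
  const kmsDown = () => { throw new Error('NotAuthenticated'); };
  saveBytes(cfg, 'appKey', new Uint8Array(0));
  const out = {
    buggyContains: containsBuggy(cfg, 'clientId'),               // false: real key "not found"
    buggyContainsIndex: containsBuggy(cfg, '0'),                  // true: array index matched
    fixedContains: containsFixed(cfg, 'clientId'),                // true
    buggyGetBytesEmpty: getBytesBuggy(cfg, 'appKey'),             // undefined
    fixedGetBytesLength: getBytesFixed(cfg, 'appKey').length,     // 0
    swallowedLength: encryptSwallowing(kmsDown, Buffer.from('x')).length, // 0: error lost
  };
  deleteBuggy(cfg, 'hostname'); out.buggyDeleteLeft = 'hostname' in cfg; // true: "" was skipped
  deleteFixed(cfg, 'hostname'); out.fixedDeleteLeft = 'hostname' in cfg; // false
  try { encryptRethrowing(kmsDown, Buffer.from('x')); out.rethrown = false; }
  catch { out.rethrown = true; }
  return out;
}
```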