Release JavaScript GCP KMS Storage v1.0.0 #874
| runs-on: ubuntu-latest | ||
| defaults: | ||
| run: | ||
| working-directory: ./sdk/javascript/packages/gcp | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Setup Node.js 20.x | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: '20.x' | ||
| cache: 'npm' | ||
| cache-dependency-path: sdk/javascript/packages/gcp/package-lock.json | ||
|
|
||
| - name: Install dependencies | ||
| run: npm ci | ||
|
|
||
| - name: Run tests | ||
| run: npm test |
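Review bot: the `test` job (from `runs-on: ubuntu-latest` through `run: npm test`) declares no `permissions` block, so the GITHUB_TOKEN it receives inherits the repository default instead of the minimum this job needs; since the job only checks out the code and runs `npm test`, add `permissions: contents: read` at the workflow root or on the job, and pair it with `persist-credentials: false` on the `actions/checkout@v4` step so the token is not left in `.git/config` for the `npm ci` and `npm test` steps. The `actions/checkout@v4` and `actions/setup-node@v4` references are mutable tags; pinning them to a full commit SHA, as a later commit in this PR does when moving to v6, protects the job from a retagged action.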
Check warning
Code scanning / CodeQL
Workflow does not contain permissions (Medium) in job `test`
Copilot Autofix (AI), 4 months ago
To address the issue, the workflow YAML should be updated to specify a permissions block at the job or workflow root, stating the minimal necessary privileges. Since this workflow simply checks out code and runs tests — and does not perform write operations to the repository or PRs — the safest default is to set contents: read. This should be added as a new block immediately after the name: directive and before the on: directive (workflow root), or alternatively inside the test job. For clarity and to avoid unexpected privilege inheritance, the recommended location is at the workflow root; this will apply minimal permissions to all jobs.
No new methods or imports are needed to implement this; simply add the following YAML block in the right place:
```yaml
permissions:
  contents: read
```

| @@ -1,4 +1,6 @@ | ||
| name: Test JavaScript Storage - GCP KMS | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: |
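Review bot: placing `permissions: contents: read` between `name:` and `on:` at the workflow root is the right scope for this file, since every job inherits it and the only job shown checks out code and runs tests; before merging, confirm no other job in this workflow needs a write scope, because a job that does must declare its own `permissions` block, which replaces the workflow-level one for that job only.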
* Bump version
* fix: resolve DOM Clobbering CVE-2024-43788 (#689)
* fix: resolve DOM Clobbering CVE-2024-43788
* Upgrade JavaScript tests GHA to use Node 20
* fixed moduleResolution in tsconfig updated all dependencies
* Added GCP KMS support to KSM Javascript SDK
* Added RAW_Encrypt functionality
* Revert "Added RAW_Encrypt functionality" This reverts commit f6616be.
* Fixed issues related to writing to file even when encryption failed
* Added support for GCP Raw Encrypt Decrypt type of key
---------
Co-authored-by: Ivan Dimov <78815270+idimov-keeper@users.noreply.github.com>
Co-authored-by: satish_chandra <metron_satish@safebreach.com>
Co-authored-by: Ayush Asati <ayush.asati@metronlabs.com>
- Updates @google-cloud/kms from 4.5.0 to 5.2.1
- Updates jws from 4.0.0 to 4.0.1 (via google-auth-library)
- Resolves HIGH severity vulnerability (CVSS 7.5)
- Fixes improper HMAC signature verification in auth0/node-jws
Fixes GHSA-7h2j-956f-4vf2 (CVE-2026-25547) DoS vulnerability
628a3fc to 9b588ed
…d visibility (KSM-837) Fix contains() which incorrectly used `key in Object.keys(config)` — this checks numeric array indices and always returns false for real config key strings. Corrected to `key in config` which checks object property names directly. Also normalize 5 methods from private to public to match Azure and AWS: contains(), isEmpty(), deleteAll(), readStorage(), saveStorage(). None of these packages are published yet, so this is a clean alignment. Add regression tests for contains() to prevent recurrence.
…up-node in publish, npm ci, --ignore-scripts, .npmrc auth
axios@1.13.2 had a high severity SSRF vulnerability (CVE-2025-27152). Updated to 1.7.9 via npm install and ran npm audit fix. One low severity transitive finding remains (@tootallnate/once via @google-cloud/kms) — unfixable without upstream GCP SDK update, accepted as low risk.
…-values KSM-840: fix delete() skipping keys with falsy values in GCP storage
…BOM GHA false positives - Upgrade actions/checkout, setup-node to v6 (SHA-pinned); upload-artifact to v7 - Bump node-version from 20 to 24 in all three jobs - Syft v1.18.1 → v1.32.0 (Manifest CLI v0.31.0 max), Manifest CLI v0.18.3 → v0.31.0 - Disable github-action-workflow-usage-cataloger and github-actions-usage-cataloger in Syft config — eliminates GHA false positives from SBOM - Fix retention-days: 90 → 10 (repo maximum) - Add permissions: contents: read at workflow and job level - Set persist-credentials: false on all checkout steps - Use manifest (PATH) instead of /tmp/bin/manifest (hardcoded)
…decryptBuffer and saveConfig
… Uint8Array
When an empty Uint8Array was stored, it was encoded as an empty base64
string (""). On retrieval, the falsy check (if bytesString) treated ""
as absent, returning undefined instead of Uint8Array(0). Fix replaces
truthy check with strict !== undefined guard.
KSM-849
Release of @keeper-security/secrets-manager-gcp v1.0.0
Google Cloud Key Management Service integration for secure storage of Keeper Secrets Manager configuration.
Dependencies:
Bug Fixes
- `contains()` — `key in Object.keys(config)` checked numeric array indices and always returned `false` for real config keys. Corrected to `key in config`. Add regression tests.
- `delete()` — truthy check `if (config[key])` silently skipped deletion of keys with falsy values (`""`, `0`). Corrected to `if (key in config)`. Add regression tests.
- `encryptBuffer()` and `decryptBuffer()` in `utils.ts` returned empty values (`Buffer.alloc(0)` / `""`) on GCP KMS failure instead of rethrowing, silently discarding authentication failures, invalid key IDs, and permission errors; `saveConfig()` also caught and discarded errors without rethrowing; both layers now rethrow, making `saveString()`, `saveBytes()`, `saveObject()`, and `changeKey()` propagate GCP KMS failures as expected; `changeKey()`'s rollback path (key and crypto client restoration) is now reachable; removed vestigial `blob.length > 0` guards in `saveConfig()` and `createConfigFileIfMissing()`, and dead `plaintext.length > 0` guard in `decryptConfig()`.
- `getBytes()` — falsy check `if (bytesString)` treated an empty base64 string (`""`, produced by saving a zero-length `Uint8Array`) as absent, returning `undefined` instead of `Uint8Array(0)`. Corrected to `if (bytesString !== undefined)`. Add regression tests.
- Changed from `private` to `public` to match Azure and AWS: `contains()`, `isEmpty()`, `deleteAll()`, `readStorage()`, `saveStorage()`.

Maintenance
- Updated `axios` from 1.13.2 to 1.7.9 to resolve high severity SSRF vulnerability (CVE-2025-27152). One low severity transitive finding remains (`@tootallnate/once@2.0.0` via `@google-cloud/kms`) — unfixable without upstream GCP SDK update, accepted as low risk. Grype rescan: 1 low finding.

Closes https://keeper.atlassian.net/browse/KSM-704
Closes https://keeper.atlassian.net/browse/KSM-837
Closes https://keeper.atlassian.net/browse/KSM-840
Closes https://keeper.atlassian.net/browse/KSM-847
Closes https://keeper.atlassian.net/browse/KSM-849
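The `contains()`, `delete()`, `getBytes()` and `encryptBuffer()` defects listed in the release notes, as an added example that is not code from the `@keeper-security/secrets-manager-gcp` package: each buggy check is placed beside its corrected form and run over a constructed config object. The `Buggy`/`Fixed` function names and the `kmsEncrypt` stand-in for the GCP KMS client call are assumptions.

```javascript
// Added example, not code from the @keeper-security/secrets-manager-gcp package.
// Each pair shows the check named in the release notes beside its fix, run over a
// constructed config object that stands in for the decrypted KSM configuration.

// contains(): `key in Object.keys(config)` tests the *array* returned by
// Object.keys, whose own property names are "0", "1", ... and "length", so a real
// config key is never found while the string "0" is. `key in config` tests the
// object's property names directly.
function containsBuggy(config, key) {
  return key in Object.keys(config);
}
function containsFixed(config, key) {
  return key in config;
}

// delete(): a truthy check on the value skips keys holding "" or 0, so those
// entries are never removed. Checking presence of the key fixes it.
function deleteBuggy(config, key) {
  if (config[key]) { delete config[key]; return true; }
  return false;
}
function deleteFixed(config, key) {
  if (key in config) { delete config[key]; return true; }
  return false;
}

// getBytes(): a zero-length Uint8Array is stored as the base64 string "", which a
// truthy check reads as "absent". Only an undefined string means "absent".
function getBytesBuggy(bytesString) {
  return bytesString ? new Uint8Array(Buffer.from(bytesString, "base64")) : undefined;
}
function getBytesFixed(bytesString) {
  return bytesString !== undefined
    ? new Uint8Array(Buffer.from(bytesString, "base64")) : undefined;
}

// encryptBuffer(): catching the KMS error and returning Buffer.alloc(0) hands the
// caller an empty blob to write to disk; rethrowing makes saveConfig() fail instead.
// `kmsEncrypt` is a constructed stand-in for the GCP KMS client call (assumption).
function encryptBuggy(kmsEncrypt, plaintext) {
  try { return kmsEncrypt(plaintext); } catch (err) { return Buffer.alloc(0); }
}
function encryptFixed(kmsEncrypt, plaintext) {
  try { return kmsEncrypt(plaintext); }
  catch (err) { console.error("GCP KMS encrypt failed:", err.message); throw err; }
}
```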