Release JavaScript AWS KMS Storage v1.0.0#875
Open
stas-schaller wants to merge 27 commits intomasterfrom
Open
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
Comment on lines
+19
to
+38
| runs-on: ubuntu-latest | ||
| defaults: | ||
| run: | ||
| working-directory: ./sdk/javascript/packages/aws | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Setup Node.js 20.x | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: '20.x' | ||
| cache: 'npm' | ||
| cache-dependency-path: sdk/javascript/packages/aws/package-lock.json | ||
|
|
||
| - name: Install dependencies | ||
| run: npm ci | ||
|
|
||
| - name: Run tests | ||
| run: npm test |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium test
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 4 months ago
To resolve the issue, an explicit permissions block should be added to limit the permissions granted to the workflow's jobs. The least-privilege starting point is typically contents: read, which allows jobs to clone and read the repository content but does not permit write operations. This block can be added either at the root level of the workflow, applying to all jobs, or just to the specific job. Since the workflow contains only one job (test), either location is acceptable, but best practice is to place it at the root for future extensibility. The modification involves editing .github/workflows/test.javascript.storage.aws.kms.yml by inserting the following block after the name: and before the on: section:
permissions:
contents: readNo new imports, methods, or definitions are required beyond adding this block.
Suggested changeset
1
.github/workflows/test.javascript.storage.aws.kms.yml
| @@ -1,4 +1,6 @@ | ||
| name: Test JavaScript Storage - AWS KMS | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: |
Copilot is powered by AI and may make mistakes. Always verify output.
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
* Bump version * fix: resolve DOM Clobbering CVE-2024-43788 (#689) * fix: resolve DOM Clobbering CVE-2024-43788 * Upgrade JavaScript tests GHA to use Node 20 * fixed moduleResolution in tsconfig updated all dependencies * Added Support for KSM JS SDK to be able to use a key from AWS to encrypt local config * Added rimraf to devDependencies. * Fixed issue with KMS overwriting configuration file even wne encryption failed --------- Co-authored-by: Ivan Dimov <78815270+idimov-keeper@users.noreply.github.com> Co-authored-by: satish_chandra <metron_satish@safebreach.com>
…m8vf - Updates @smithy/config-resolver from 4.1.0 to 4.4.6 - Resolves LOW severity vulnerability (CVSS 3.7) - Defense-in-depth enhancement for region parameter validation
- Adds npm install step to generate-sbom job - Ensures Syft scans actual installed dependencies - Resolves phantom @smithy/config-resolver@4.1.0 detection
Fixes GHSA-7h2j-956f-4vf2 (CVE-2026-25547) DoS vulnerability
stas-schaller
force-pushed
the
release/storage/javascript/aws-kms/v1.0.0
branch
from
2b0abbc to
3f9e401
Compare
…d visibility (KSM-836) Fix contains() which incorrectly used `key in Object.keys(config)` — this checks numeric array indices and always returns false for real config key strings. Corrected to `key in config` which checks object property names directly. Also normalize getKeyDetails() from implicit public to private, aligning it with all other JS KMS storage packages (Azure, GCP, Oracle). Add regression tests for contains() to prevent recurrence.
|
All alerts resolved. Learn more about Socket for GitHub. This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored. |
…up-node in publish, npm ci, --ignore-scripts, .npmrc auth
…it fix Ran npm audit fix to resolve 5 vulnerabilities (1 critical, 3 high, 1 medium) in transitive dependencies: fast-xml-parser, minimatch, ajv via @aws-sdk/client-kms and dev toolchain. Updated package-lock.json and yarn.lock. Grype rescan: 0 findings.
…-values KSM-839: fix AwsKeyValueStore.delete() skipping keys with falsy values
…BOM GHA false positives - Upgrade actions/checkout, setup-node to v6 (SHA-pinned); upload-artifact to v7 - Bump node-version from 20 to 24 in all three jobs - Syft v1.18.1 → v1.32.0 (Manifest CLI v0.31.0 max), Manifest CLI v0.18.3 → v0.31.0 - Disable github-action-workflow-usage-cataloger and github-actions-usage-cataloger in Syft config — eliminates GHA false positives from SBOM - Fix retention-days: 90 → 10 (repo maximum) - Add permissions: contents: read at workflow and job level - Set persist-credentials: false on all checkout steps - Use manifest (PATH) instead of /tmp/bin/manifest (hardcoded)
…decryptBuffer and saveConfig
… Uint8Array
When an empty Uint8Array was stored, it was encoded as an empty base64
string (""). On retrieval, the falsy check (if bytesString) treated ""
as absent, returning undefined instead of Uint8Array(0). Fix replaces
truthy check with strict !== undefined guard.
KSM-851
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Release of @keeper-security/secrets-manager-aws v1.0.0
AWS Key Management Service integration for secure storage of Keeper Secrets Manager configuration.
Dependencies:
Bug Fixes
contains()—key in Object.keys(config)checked numeric array indices and always returnedfalsefor real config keys. Corrected tokey in config. Add regression tests.delete()— truthy checkif (config[key])silently skipped keys holding falsy values ("",0,false,null). Corrected tokey in config. Add regression tests.encryptBuffer()anddecryptBuffer()inutils.tsreturned empty values (Buffer.alloc(0)/"") on AWS KMS failure instead of rethrowing, silently discarding authentication failures, invalid key IDs, and permission errors;saveConfig()also caught and discarded errors without rethrowing; both layers now rethrow, makingsaveString(),saveBytes(),saveObject(), andchangeKey()propagate AWS KMS failures as expected;changeKey()'s rollback path (key and crypto client restoration) is now reachable; removed vestigialblob.length > 0guards insaveConfig()andcreateConfigFileIfMissing().getBytes()— falsy checkif (bytesString)treated an empty base64 string ("", produced by saving a zero-lengthUint8Array) as absent, returningundefinedinstead ofUint8Array(0). Corrected toif (bytesString !== undefined). Add regression tests.getKeyDetails()from implicit public toprivate, aligning with all other JS KMS storage packages (Azure, GCP, Oracle).Maintenance
npm audit fix— fixed 1 critical (fast-xml-parser), 3 high (minimatch), 1 medium (ajv). Grype rescan: 0 findings.Closes https://keeper.atlassian.net/browse/KSM-703
Closes https://keeper.atlassian.net/browse/KSM-836
Closes https://keeper.atlassian.net/browse/KSM-839
Closes https://keeper.atlassian.net/browse/KSM-846
Closes https://keeper.atlassian.net/browse/KSM-851