From ff24f44811fb230cff43eac12c51c8feea68a4c9 Mon Sep 17 00:00:00 2001 From: Rundeck CI Date: Thu, 16 Apr 2026 16:45:23 -0700 Subject: [PATCH] fix(security): address npm CVEs in rundeck-cli; schedule weekly Snyk - Pin xml2js via overrides (CVE-2023-0842) - Bump js-yaml to 3.14.2; override follow-redirects to 1.16.0 - Run Snyk workflow weekly on Mondays (UTC) --- .github/workflows/snyk-scan.yml | 3 +++ docker/client/rundeck-cli/package-lock.json | 23 ++++++++++++--------- docker/client/rundeck-cli/package.json | 4 +++- 3 files changed, 19 insertions(+), 11 deletions(-) diff --git a/.github/workflows/snyk-scan.yml b/.github/workflows/snyk-scan.yml index e0f80e7..aa5cedc 100644 --- a/.github/workflows/snyk-scan.yml +++ b/.github/workflows/snyk-scan.yml @@ -5,6 +5,9 @@ on: branches: [ main, master ] pull_request: branches: [ main, master ] + schedule: + # Weekly on Monday 06:00 UTC (GitHub Actions cron is UTC-only) + - cron: '0 6 * * 1' workflow_dispatch: jobs: diff --git a/docker/client/rundeck-cli/package-lock.json b/docker/client/rundeck-cli/package-lock.json index 5264a3b..6c8cfa9 100644 --- a/docker/client/rundeck-cli/package-lock.json +++ b/docker/client/rundeck-cli/package-lock.json @@ -13,7 +13,7 @@ "@types/node": "^13.13.5", "dotenv": "^10.0.0", "form-data": "^3.0.0", - "js-yaml": "^3.13.2", + "js-yaml": "^3.14.2", "node-fetch": "^2.6.1", "ts-node": "^8.10.1", "ts-rundeck": "^0.1.8", @@ -334,15 +334,16 @@ } }, "node_modules/follow-redirects": { - "version": "1.15.11", - "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.11.tgz", - "integrity": "sha512-deG2P0JfjrTxl50XGCDyfI97ZGVCxIpfKYmfyrQ54n5FO/0gfIES8C/Psl6kWVDolizcaaxZJnTS0QSMxvnsBQ==", + "version": "1.16.0", + "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.16.0.tgz", + "integrity": "sha512-y5rN/uOsadFT/JfYwhxRS5R7Qce+g3zG97+JrtFZlC9klX/W5hD7iiLzScI4nZqUS7DNUdhPgw4xI8W2LuXlUw==", "funding": [ { "type": "individual", "url": "https://github.com/sponsors/RubenVerborgh" } ], + "license": "MIT", "engines": { "node": ">=4.0" }, @@ -474,9 +475,10 @@ } }, "node_modules/js-yaml": { - "version": "3.14.1", - "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.1.tgz", - "integrity": "sha512-okMH7OXXJ7YrN9Ok3/SXrnu4iX9yOk+25nqX4imS2npuvTYDmo/QEZoqwZkYaIDk3jVvBOTOIEgEhaLOynBS9g==", + "version": "3.14.2", + "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.2.tgz", + "integrity": "sha512-PMSmkqxr106Xa156c2M265Z+FTrPl+oxd/rgOQy2tijQeK5TxQ43psO1ZCwhVOSdnn+RzkzlRz/eY4BgJBYVpg==", + "license": "MIT", "dependencies": { "argparse": "^1.0.7", "esprima": "^4.0.0" @@ -942,9 +944,10 @@ } }, "node_modules/xml2js": { - "version": "0.4.23", - "resolved": "https://registry.npmjs.org/xml2js/-/xml2js-0.4.23.tgz", - "integrity": "sha512-ySPiMjM0+pLDftHgXY4By0uswI3SPKLDw/i3UXbnO8M/p28zqexCUoPmQFrYD+/1BzhGJSs2i1ERWKJAtiLrug==", + "version": "0.6.2", + "resolved": "https://registry.npmjs.org/xml2js/-/xml2js-0.6.2.tgz", + "integrity": "sha512-T4rieHaC1EXcES0Kxxj4JWgaUQHDk+qwHcYOCFHfiwKz7tOVPLq7Hjq9dM1WCMhylqMEfP7hMcOIChvotiZegA==", + "license": "MIT", "dependencies": { "sax": ">=0.6.0", "xmlbuilder": "~11.0.0" diff --git a/docker/client/rundeck-cli/package.json b/docker/client/rundeck-cli/package.json index 4f8dba1..a398165 100644 --- a/docker/client/rundeck-cli/package.json +++ b/docker/client/rundeck-cli/package.json @@ -13,7 +13,7 @@ "@types/node": "^13.13.5", "dotenv": "^10.0.0", "form-data": "^3.0.0", - "js-yaml": "^3.13.2", + "js-yaml": "^3.14.2", "node-fetch": "^2.6.1", "ts-node": "^8.10.1", "ts-rundeck": "^0.1.8", @@ -28,8 +28,10 @@ }, "overrides": { "axios": "1.15.0", + "follow-redirects": "1.16.0", "tough-cookie": "4.1.3", "xml-js": "0.5.1", + "xml2js": "0.6.2", "diff": "4.0.4" } }