harden: clear dependency CVEs and top quality-check findings #44
Merged
A quality-check sweep plus remediation of the five open GitHub security advisories. Every gate is green: pnpm lint/typecheck/test, prettier, gofmt, golangci-lint ./... (0 issues), go build, and the operator envtest suite including conformance.

─── Supply chain: five advisories cleared ───

Patched transitive versions are forced via pnpm-workspace.yaml overrides (pnpm 11 reads workspace-level config, not package.json#pnpm, once a workspace file exists):

- ws 8.20.1 → 8.21.0 CVE-2026-48779 (memory-exhaustion DoS)
- form-data 4.0.5 → 4.0.6 CVE-2026-12143 (CRLF header injection)
- vite 8.0.13 → 8.0.16 GHSA-v6wh-96g9-6wx3, GHSA-fx2h-pf6j-xcff
- esbuild 0.28.0 → 0.28.1 GHSA-g7r4-m6w7-qqqr
- js-yaml 3.14.2/4.1.1 → 4.2.0 CVE-2026-53550 (merge-key quadratic DoS)

ws and form-data ship at runtime via @kubernetes/client-node inside the published @eks-agent/client, so these were live runtime exposure, not dev-only. read-yaml-file is bumped to v2 (which uses js-yaml 4) so the vulnerable js-yaml 3.x line drops out entirely; vite is pinned as an explicit root devDependency to defeat peer-dependency resolution stickiness. The package.json#pnpm block (peerDependencyRules) moves to pnpm-workspace.yaml so pnpm config stays single-source.

The security workflow's two @master third-party actions (aquasecurity/trivy-action, securego/gosec) are pinned to commit SHAs (v0.36.0 / v2.27.1) — an unpinned mutable ref in the gate itself was a supply-chain hole.

─── Bounded external calls (two no-timeout sites) ───

packages/sdk bedrock-base.ts: every InvokeModel call now carries a default request deadline (configurable requestTimeoutMs, default 60s) even when the caller passes no AbortSignal; a caller signal is combined with the deadline, earliest fire wins. A deadline fire surfaces as a TimeoutError and classifies as a retryable Network error, distinct from a caller-driven Cancelled.

operators/internal/awsclients/clients.go: AWS SDK clients are built with a 30s HTTP timeout. controller-runtime does not decorate the reconcile context with a per-call deadline and the default transport sets none, so a stalled response could otherwise pin a bounded reconcile worker indefinitely and starve the pool.

─── Correctness & observability ───

platform_kms_s3.go: a bucketPolicyMu serializes the shared artifacts-bucket-policy read-modify-write in both ensureBucketPolicy and removeBucketPolicyStatements, so concurrent reconciles (MaxConcurrentReconciles > 1) can't interleave Get→mutate→Put and drop a peer tenant's statement.

@eks-agent/pricing gains priceModel() returning {costUsd, priced} so an unknown model id is observable instead of silently metering as $0; estimateCost() is unchanged and delegates to it. @eks-agent/core CallEvent gains an optional `unpriced` flag the SDK sets when a model id has no pricing entry, so cost dashboards can surface unmetered traffic.

platform_reconcile.go: isNoKindMatch uses apimachinery's typed meta.IsNoMatchError (with a string fallback) instead of a hand-rolled substring scan.

─── Docs ───

ADR 0002 and the pricing header no longer claim a weekly Renovate refresh — the table is hand-curated and the refresh script is a fail-loud Phase-2 scaffold; the docs now say so.

─── Tests ───

New fakeKMS/fakeS3 cover the cross-tenant-isolation and AWS partial-failure branches the conformance suite skips (it runs those clients nil): KMS EncryptionContext + grant idempotency + pagination, S3 Sid-merge preserving a peer tenant's statement while replacing its own, and NoSuchBucketPolicy → empty doc. A new fakeEventBridge asserts FailedEntryCount>0 → retryable error so a dropped budget-breach kill-switch can't regress silently. A new SDK messages() test injects a fake BedrockRuntimeClient (no module-level SDK mocking) and asserts the default deadline, emit-once-on-success, the unpriced flag, and throttling → RateLimit. priceModel gets unit tests.

Also fixes a pre-existing revive lint failure in labels.go (the exported const block needed a doc comment) that would otherwise block CI.

Co-authored-by: stxkxsbot <275011021+stxkxsbot@users.noreply.github.com>
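The lost update that the commit message says bucketPolicyMu prevents, as an added example that is not the project's code: bucket, merge, lostUpdate, ensureStatement, reconcileAll and policyMu are hypothetical names over an in-memory stand-in for the policy document. lostUpdate replays the unserialized interleaving deterministically; reconcileAll pushes concurrent writers through the serialized path.

```go
package main

import (
	"fmt"
	"sync"
)

type bucket struct{ policy map[string]string } // constructed stand-in: Sid -> principal
var policyMu sync.Mutex                        // hypothetical counterpart of the page's bucketPolicyMu

// merge returns a copy of p with sid set and every other Sid kept.
func merge(p map[string]string, sid, principal string) map[string]string {
	out := map[string]string{}
	for k, v := range p {
		out[k] = v
	}
	out[sid] = principal
	return out
}

// lostUpdate replays the unserialized interleaving: both writers read before either writes.
func lostUpdate() int {
	b := &bucket{}
	a, c := b.policy, b.policy
	b.policy = merge(a, "tenant-a", "role-a")
	b.policy = merge(c, "tenant-b", "role-b") // tenant-a is dropped
	return len(b.policy)
}

// ensureStatement holds policyMu across the whole read -> merge -> write.
func ensureStatement(b *bucket, sid, principal string) {
	policyMu.Lock()
	defer policyMu.Unlock()
	b.policy = merge(b.policy, sid, principal)
}

// reconcileAll runs n concurrent writers and returns how many statements survive.
func reconcileAll(b *bucket, n int) int {
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func(sid string) {
			defer wg.Done()
			ensureStatement(b, sid, "role-v1")
		}(fmt.Sprintf("tenant-%d", i))
	}
	wg.Wait()
	return len(b.policy)
}
func main() { fmt.Println(lostUpdate(), reconcileAll(&bucket{}, 64)) }
```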
See the commit message for full details.
Summary
- ws → 8.21.0 & form-data → 4.0.6 (runtime, via @kubernetes/client-node), vite → 8.0.16, esbuild → 0.28.1, js-yaml → 4.2.0. Overrides live in pnpm-workspace.yaml; read-yaml-file → v2 removes the js-yaml 3.x line. Pins the two @master security-gate actions to commit SHAs.
- messages() path and a 30s HTTP timeout on the operator's AWS clients.
- (priceModel/CallEvent.unpriced), removes an aspirational-comment REJECT trigger (ADR 0002), and tidies a hand-rolled string match.
- messages() orchestration.

Verification
All gates green locally:
pnpm test (43 SDK + 19 pricing), prettier, gofmt, golangci-lint ./... (0 issues), go build, operator envtest incl. conformance, changeset valid.
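A check for the unpinned-ref problem the summary mentions, added here and not taken from the repository: unpinnedActions (a hypothetical helper) flags every remote uses: reference in a workflow that is not a full 40-hex commit SHA. The sample workflow is constructed and the SHA in it is a placeholder.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var (
	usesRe = regexp.MustCompile(`^\s*-?\s*uses:\s*["']?([^\s"'#]+)`)
	shaRe  = regexp.MustCompile(`^[0-9a-f]{40}$`)
)

// unpinnedActions returns "line N: ref" for every remote action whose ref is
// not a full 40-hex commit SHA. Branches and tags both count as mutable.
func unpinnedActions(workflow string) []string {
	var findings []string
	for i, line := range strings.Split(workflow, "\n") {
		m := usesRe.FindStringSubmatch(line)
		// Skip non-matches, local actions (./path) and docker:// images (out of scope here).
		if m == nil || strings.HasPrefix(m[1], "./") || strings.HasPrefix(m[1], "docker://") {
			continue
		}
		at := strings.LastIndex(m[1], "@")
		if at < 0 || !shaRe.MatchString(m[1][at+1:]) {
			findings = append(findings, fmt.Sprintf("line %d: %s", i+1, m[1]))
		}
	}
	return findings
}

// sampleWorkflow is constructed for this example; the SHA is a placeholder.
const sampleWorkflow = `jobs:
  scan:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - uses: aquasecurity/trivy-action@master
      - name: gosec
        uses: securego/gosec@master
      - uses: ./.github/actions/local-lint
      # - uses: example/commented-out@main
`

func main() { fmt.Println(strings.Join(unpinnedActions(sampleWorkflow), "\n")) }
```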