chore: update dependencies and improve security measures#16
Open
saran2006psg wants to merge 1 commit into
Open
chore: update dependencies and improve security measures#16saran2006psg wants to merge 1 commit into
saran2006psg wants to merge 1 commit into
Conversation
saran2006psg
commented
Apr 13, 2026
saran2006psg
commented
- Updated axios from ^1.13.2 to ^1.15.0
- Updated express-rate-limit from ^8.2.1 to ^8.3.2
- Updated yaml from ^2.8.2 to ^2.8.3
- Refactored config generator to use execFileSync for safer command execution
- Added package spec validation in config generator and plugin loader
- Enhanced CORS policy to restrict origins based on environment variables
- Secured admin-channel routes with authentication middleware
- Fixed hardcoded Grafana admin password in infrastructure template
- Increased timeout for integration tests to mitigate brittleness
- Added external MongoDB URI support for integration tests
- Created FLAWS_REPORT.md documenting security findings and remediation status
- Updated axios from ^1.13.2 to ^1.15.0 - Updated express-rate-limit from ^8.2.1 to ^8.3.2 - Updated yaml from ^2.8.2 to ^2.8.3 - Refactored config generator to use execFileSync for safer command execution - Added package spec validation in config generator and plugin loader - Enhanced CORS policy to restrict origins based on environment variables - Secured admin-channel routes with authentication middleware - Fixed hardcoded Grafana admin password in infrastructure template - Increased timeout for integration tests to mitigate brittleness - Added external MongoDB URI support for integration tests - Created FLAWS_REPORT.md documenting security findings and remediation status
There was a problem hiding this comment.
Pull request overview
This PR updates core dependencies and hardens several security/operational areas across the API, plugin system, onboarding infra templates, and integration tests.
Changes:
- Upgraded dependencies (axios, express-rate-limit, yaml) and regenerated lockfile.
- Mitigated command-injection risks by switching to
execFileSync+ validating npm package specs in the plugin loader and config generator. - Tightened API security (restricted CORS origins, added auth middleware to admin-channel routes) and stabilized integration testing (longer setup timeouts + optional external Mongo URI).
Reviewed changes
Copilot reviewed 10 out of 11 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
tests/utils/db.ts |
Adds optional external MongoDB URI support and pins MongoMemoryServer binary version. |
tests/integration/database/outbox.model.test.ts |
Increases beforeAll timeout to reduce flaky DB startup failures. |
tests/integration/database/notification.model.test.ts |
Increases beforeAll timeout to reduce flaky DB startup failures. |
tests/integration/api/utils.test.ts |
Increases beforeAll timeout to reduce flaky DB startup failures. |
src/plugins/loader/loader.ts |
Uses execFileSync and validates package specs; fixes config path discovery for Windows paths. |
src/api/server.ts |
Restricts CORS by allowlist and secures admin-channel routes with auth middleware. |
packages/onboard/src/infra.ts |
Removes hardcoded Grafana password in the generated infra template (but current change introduces a TS/YAML issue). |
packages/config-gen/src/generator.ts |
Uses execFileSync + validates package specs to reduce command injection risk. |
package.json |
Dependency version bumps for axios, express-rate-limit, yaml. |
package-lock.json |
Lockfile updates reflecting dependency bumps and transitive updates. |
FLAWS_REPORT.md |
Documents identified flaws and remediation status for this security hardening pass. |
Comments suppressed due to low confidence (1)
packages/config-gen/src/generator.ts:66
- The
try/catcharoundnpm installalso catches validation failures fromassertValidPackageSpecs(packages), but the logged message says the install failed and suggests package names may not be published. It would be clearer to validate outside the installtry/catch(or special-case validation errors) so users see the actual "Invalid package spec" reason.
spinner.text = `Installing ${packages.length} plugin(s)...`;
try {
assertValidPackageSpecs(packages);
execFileSync('npm', ['install', ...packages], { cwd: tempDir, stdio: 'pipe' });
} catch (err) {
spinner.fail('Failed to install plugins');
console.error(chalk.red('\nError: Could not install one or more plugins.'));
console.error(chalk.yellow('Make sure the package names are correct and published to npm.'));
process.exit(1);
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+78
to
82
| assertValidNpmPackageSpec(pkg); | ||
| execFileSync('npm', ['install', pkg], { | ||
| cwd: PLUGINS_DIR, | ||
| stdio: 'pipe' // Suppress output for cleaner logs | ||
| }); |
There was a problem hiding this comment.
execFileSync('npm', ...) is likely to fail on Windows because npm is typically a npm.cmd shim and execFileSync does not invoke a shell. Since the repo explicitly supports Windows, consider selecting the executable based on platform (e.g. npm.cmd on win32) or using a cross-platform runner (while still passing args separately to avoid injection).
Comment on lines
+55
to
62
| execFileSync('npm', ['init', '-y'], { cwd: tempDir, stdio: 'pipe' }); | ||
|
|
||
| // Step 3: Install all plugins | ||
| spinner.text = `Installing ${packages.length} plugin(s)...`; | ||
| try { | ||
| execSync(`npm install ${packages.join(' ')}`, { cwd: tempDir, stdio: 'pipe' }); | ||
| assertValidPackageSpecs(packages); | ||
| execFileSync('npm', ['install', ...packages], { cwd: tempDir, stdio: 'pipe' }); | ||
| } catch (err) { |
There was a problem hiding this comment.
execFileSync('npm', ...) is likely to fail on Windows because npm is commonly a npm.cmd shim and execFileSync doesn't run through a shell. Since this CLI is expected to work cross-platform, pick the executable based on process.platform (e.g. npm.cmd on win32) or use a cross-platform runner that still passes arguments separately.
Member
|
@saran2006psg thanks for your contribution. Always PRs must be given to development branch. So kindly fork the development branch and then give PR to the development branch |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.