fix(security): resolve CVE alerts and fix integration tests | SUMO-285325#171
Merged
shauryasethi-sumo merged 7 commits intoJun 24, 2026
Merged
Conversation
The producer's queryFiles() now gracefully handles the case where FileOffsetMap table doesn't exist yet (returns empty array instead of throwing). Also updates expected resource count in integration test to account for auto-created actiongroups resource.
Kudu source control deployment was timing out during npm install for consumer/DLQ builds with larger dependency trees. Default 60s timeout is insufficient after CVE dependency upgrades. Also fixes expected resource count in BlockBlobReader integration test.
The ARM template reports deployment failure for sourcecontrols/web on Consumption plan apps because the ARM poller times out before Kudu finishes npm install, even though it eventually succeeds. The test now catches this specific error since test_03 validates actual functionality.
Replaces dynamic timestamp-based resource group names with fixed names (configurable via TEST_STORAGE_RESOURCE_GROUP env var). The tearDownClass now deletes only the storage account, not the RG. This allows scoped User Access Administrator permission instead of requiring subscription-level Owner.
Azure inconsistently auto-creates microsoft.insights/actiongroups alongside Application Insights. Accept either count as valid.
- Renamed resource groups to sumo-*-integration-test-do-not-delete - Updated READMEs with SP permissions, one-time setup, and 1Password reference - Added TEST_STORAGE_RESOURCE_GROUP to run_integration_test.sh - Blanked out credentials in shell scripts (public repo)
There was a problem hiding this comment.
Pull request overview
This PR addresses dependency CVE alerts across the Azure Function build targets and improves integration-test stability/permissions by switching to fixed (persistent) storage resource groups, while also hardening AppendBlob task polling when the offset table is missing.
Changes:
- Updated multiple
package-lock.jsonfiles to remediatenpm auditvulnerabilities across AppendBlobReader/BlockBlobReader target builds. - Improved integration tests to reuse fixed storage resource groups and tolerate small Azure resource-count variations.
- Updated ARM templates to set
SCM_COMMAND_IDLE_TIMEOUT=600, and adjusted AppendBlobTaskProducer polling to handle missingFileOffsetMaptable.
Reviewed changes
Copilot reviewed 13 out of 19 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| BlockBlobReader/tests/test_blobreader.py | Uses fixed storage RG via env var; adds deploy exception tolerance and resource-count range assertion. |
| BlockBlobReader/tests/run_integration_test.sh | Exports fixed storage RG env var; switches to python3. |
| BlockBlobReader/tests/baseblockblobtest.py | Changes teardown to delete only the storage account instead of the whole storage RG. |
| BlockBlobReader/target/producer_build/package-lock.json | Dependency lock updates to resolve CVEs. |
| BlockBlobReader/target/dlqprocessor_build/package-lock.json | Dependency lock updates (incl. msal-node update) to resolve CVEs. |
| BlockBlobReader/target/consumer_build/package-lock.json | Dependency lock updates (incl. msal-node update) to resolve CVEs. |
| BlockBlobReader/src/blobreaderdeploywithPremiumPlan.json | Adds SCM_COMMAND_IDLE_TIMEOUT app setting to function apps. |
| BlockBlobReader/src/blobreaderdeploy.json | Adds SCM_COMMAND_IDLE_TIMEOUT app setting to function apps. |
| BlockBlobReader/README.md | Updates integration test prerequisites, roles, and run instructions. |
| AppendBlobReader/tests/test_appendblobreader.py | Uses fixed storage RG via env var; resource-count range assertion. |
| AppendBlobReader/tests/run_integration_test.sh | Exports fixed storage RG env var; switches to python3. |
| AppendBlobReader/tests/baseappendblobtest.py | Changes teardown to delete only the storage account instead of the whole storage RG. |
| AppendBlobReader/target/producer_build/package-lock.json | Dependency lock updates to resolve CVEs. |
| AppendBlobReader/target/consumer_build/package-lock.json | Dependency lock updates (incl. msal-node update) to resolve CVEs. |
| AppendBlobReader/target/appendblob_producer_build/package-lock.json | Dependency lock updates to resolve CVEs. |
| AppendBlobReader/target/appendblob_producer_build/AppendBlobTaskProducer/index.js | Skips polling when FileOffsetMap table is missing (TableNotFound handling). |
| AppendBlobReader/src/appendblobreaderdeploy.json | Adds SCM_COMMAND_IDLE_TIMEOUT app setting to function apps. |
| AppendBlobReader/src/appendblobproducer.js | Skips polling when FileOffsetMap table is missing (TableNotFound handling). |
| AppendBlobReader/README.md | Updates integration test prerequisites, roles, and run instructions. |
Files not reviewed (6)
- AppendBlobReader/target/appendblob_producer_build/package-lock.json: Generated file
- AppendBlobReader/target/consumer_build/package-lock.json: Generated file
- AppendBlobReader/target/producer_build/package-lock.json: Generated file
- BlockBlobReader/target/consumer_build/package-lock.json: Generated file
- BlockBlobReader/target/dlqprocessor_build/package-lock.json: Generated file
- BlockBlobReader/target/producer_build/package-lock.json: Generated file
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
sumoanema
approved these changes
Jun 24, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Resolved CVE alerts in package dependencies across all AppendBlobReader and BlockBlobReader target builds. All builds now report 0 vulnerabilities via npm audit.
Changes
Integration Test Results
No internal references (no JIRA link, no team names, no subscription IDs, no vault names). The resource group names in the code diff are fine since they're non-sensitive by design.