chore: update dependencies and devDependencies in package.json#166
AbhishekA1509 wants to merge 1 commit into develop from
Conversation
- Updated devDependencies:
  - Added @types/express, @types/mustache, @types/node, @types/request
  - Upgraded mocha from ^11.1.0 to ^11.7.5
- Updated dependencies:
  - Upgraded axios from ^1.7.7 to ^1.13.6
  - Upgraded body-parser from ^1.20.3 to ^1.20.4
  - Upgraded express from ^4.21.2 to ^4.22.1
  - Upgraded js-yaml from ^3.13.1 to ^3.14.2
  - Upgraded typeorm from 0.3.17 to 0.3.28
- Added overrides for additional packages:
  - diff, fast-xml-parser, form-data, lodash, nodemailer, node-forge, qs, serialize-javascript
Pull request overview
Updates the Node.js service’s dependency set (runtime + dev), adds npm override pins for transitive vulnerability remediation, and introduces Claude Code guidance files plus a Node version pin for local development.
Changes:
- Bump key runtime dependencies (axios, express, body-parser, js-yaml, typeorm) and dev tooling (mocha), and move `@types/*` packages into `devDependencies`.
- Add multiple `package.json` `overrides` for transitive packages commonly flagged by audits.
- Add repo guidance docs (`CLAUDE.md`, `.claude/agents/security-remediation.md`) and a `.nvmrc` Node version pin.
Reviewed changes
Copilot reviewed 4 out of 5 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| package.json | Dependency/version bumps; adds npm overrides for transitive packages |
| package-lock.json | Lockfile updates reflecting new dependency graph and overrides |
| CLAUDE.md | Adds architecture/commands/context documentation for Claude Code |
| .nvmrc | Pins local Node version to v24.11.0 |
| .claude/agents/security-remediation.md | Adds a Claude agent playbook for dependency security remediation |
| - **Stack**: Node.js (v24), TypeScript, Express, TypeORM (PostgreSQL), NATS JetStream | ||
| - **Key constraint**: `notifme-sdk` (1.x) is the notification channel library. It is effectively unmaintained for security updates. Its `node-pushnotifications → firebase-admin → @google-cloud/*` chain is **not used** in this app — only Slack, SMTP/SES, and Webhook handlers are active. Vulnerabilities confined to that chain are acceptable risk. | ||
| - **Package manager**: npm (uses `overrides` field in package.json) |
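Review bot: The "Key constraint" line accepts the `node-pushnotifications → firebase-admin → @google-cloud/*` chain as acceptable risk because it is "not used", but the guidance does not say how that is verified or when the acceptance should be revisited. Suggest adding to this section the check that shows the chain is never loaded by the active Slack, SMTP/SES and Webhook handlers, plus an owner and review date, so a future audit finding in that chain is triaged against a recorded decision instead of being re-argued each time.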
This guide says the repo uses npm and relies on package.json overrides, but the Dockerfile installs dependencies with yarn install. Yarn does not apply npm’s overrides, so security remediations (and the dependency tree) may differ between local npm installs and container builds. Align on one package manager for builds (e.g., switch the container install step to npm ci/npm install) or update the guidance to use Yarn’s equivalent mechanism (e.g., resolutions) so the documented workflow matches what production builds actually do.
| @@ -46,12 +46,20 @@ | |||
| "pg": "^8.2.1", | |||
| "prom-client": "^15.1.3", | |||
| "reflect-metadata": "^0.1.13", | |||
typeorm@0.3.28 depends on reflect-metadata@^0.2.2 (see package-lock.json), but the app still pins reflect-metadata to ^0.1.13 while src/server.ts imports it from the root. This results in multiple reflect-metadata versions in the tree and initializes an older global polyfill, which can cause subtle metadata/decorator issues. Align the root reflect-metadata version with TypeORM (e.g., bump to ^0.2.2) so only one copy is used.
| "reflect-metadata": "^0.1.13", | |
| "reflect-metadata": "^0.2.2", |
| "diff": "^8.0.3", | ||
| "fast-xml-parser": "^5.5.7", | ||
| "form-data": "^4.0.5", | ||
| "lodash": "^4.17.23", | ||
| "nodemailer": "^7.0.13", | ||
| "node-forge": "^1.3.2", | ||
| "qs": "^6.15.0", | ||
| "serialize-javascript": "^7.0.5" |
The new overrides force transitive dependencies to versions outside the ranges declared by their direct consumers (e.g. Mocha declares diff: ^7.0.0 / serialize-javascript: ^6.0.2, notifme-sdk pins nodemailer: 6.9.10, and Express/Body-Parser declare qs: ~6.14.0, but overrides push diff@^8, serialize-javascript@^7, nodemailer@^7, qs@^6.15). That bypasses semver compatibility checks and can break tests and runtime notification delivery. Prefer upgrading the direct parent dependency to a version that natively allows the fixed transitive version; if an override is unavoidable for security, scope it narrowly and keep it within the consumer’s declared range (or vendor-patch), and add a quick runtime test covering email (notifme-sdk), HTTP routing (express/body-parser), and test runner (mocha).
| "diff": "^8.0.3", | |
| "fast-xml-parser": "^5.5.7", | |
| "form-data": "^4.0.5", | |
| "lodash": "^4.17.23", | |
| "nodemailer": "^7.0.13", | |
| "node-forge": "^1.3.2", | |
| "qs": "^6.15.0", | |
| "serialize-javascript": "^7.0.5" | |
| "diff": "^7.0.0", | |
| "fast-xml-parser": "^5.5.7", | |
| "form-data": "^4.0.5", | |
| "lodash": "^4.17.23", | |
| "nodemailer": "6.9.10", | |
| "node-forge": "^1.3.2", | |
| "qs": "~6.14.0", | |
| "serialize-javascript": "^6.0.2" |