Fix 12 dependabot alerts: update transitive deps, replace vulnerable `ip` package, bump fast-xml-parser override by Copilot · Pull Request #58 · advanced-security/GSSAR

Copilot · 2026-04-07T15:40:45Z

Resolves dependabot alerts 473–482, 484–485 spanning all 15 package manifests in the repo.

Transitive dependency updates (`npm audit fix`)

Root and all 7 function packages: patched ajv, brace-expansion, diff, flatted, js-yaml, minimatch, picomatch, semver, @smithy/config-resolver

`fast-xml-parser` override bump (getSecretDetails)

4.5.4 → 5.5.10 in both resolutions and overrides to fix GHSA-8gc5-j5rx-235r and GHSA-jp2q-39xq-3w4g (entity expansion DoS)

Replace `ip` with `ipaddr.js` (githubWebhookIPValidator)

ip has an unpatched SSRF vulnerability (GHSA-2p57-rm9w-gvfp) with no fix available
Switched to ipaddr.js@^2.2.0 which has built-in TypeScript types

// Before
import { cidrSubnet } from "ip";
const findIP = (keys: string[], ipToCheck: string) => {
  return keys.some((cidr) => cidrSubnet(cidr).contains(ipToCheck));
};

// After
import * as ipaddr from "ipaddr.js";
const findIP = (keys: string[], ipToCheck: string) => {
  const parsedIP = ipaddr.parse(ipToCheck);
  return keys.some((cidr) => {
    const [addr, prefixLength] = ipaddr.parseCIDR(cidr);
    return parsedIP.match(addr, prefixLength);
  });
};

Remove unused `ip` dep (githubWebhookSecretValidator)

ip and @types/ip were listed but never imported — removed both

All 15 package-lock.json manifests now report 0 audit vulnerabilities. TypeScript compilation verified on affected packages.

Agent-Logs-Url: https://github.com/advanced-security/GSSAR/sessions/aaf20009-ecfb-4c32-8a8e-fc7307710cd0 Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

…paddr.js, update fast-xml-parser override to 5.5.10, remove unused ip dep from secretValidator Agent-Logs-Url: https://github.com/advanced-security/GSSAR/sessions/aaf20009-ecfb-4c32-8a8e-fc7307710cd0 Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

felickz

👍

Copilot AI and others added 2 commits April 7, 2026 15:25

Initial exploration of dependabot alerts

eb7ec5b

Agent-Logs-Url: https://github.com/advanced-security/GSSAR/sessions/aaf20009-ecfb-4c32-8a8e-fc7307710cd0 Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

Copilot AI assigned Copilot and felickz Apr 7, 2026

Copilot created this pull request from a session on behalf of felickz April 7, 2026 15:40 View session

felickz marked this pull request as ready for review April 7, 2026 15:41

felickz approved these changes Apr 7, 2026

View reviewed changes

felickz merged commit 552239f into main Apr 7, 2026
4 checks passed

Copilot AI mentioned this pull request Apr 10, 2026

Remove stale @types/ip devDependency across 5 function packages #59

Draft

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix 12 dependabot alerts: update transitive deps, replace vulnerable `ip` package, bump fast-xml-parser override#58

Fix 12 dependabot alerts: update transitive deps, replace vulnerable `ip` package, bump fast-xml-parser override#58
felickz merged 2 commits intomainfrom
copilot/fix-dependabot-alerts-again

Copilot AI commented Apr 7, 2026

Uh oh!

felickz left a comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

Copilot AI commented Apr 7, 2026

Transitive dependency updates (npm audit fix)

fast-xml-parser override bump (getSecretDetails)

Replace ip with ipaddr.js (githubWebhookIPValidator)

Remove unused ip dep (githubWebhookSecretValidator)

Uh oh!

felickz left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Transitive dependency updates (`npm audit fix`)

`fast-xml-parser` override bump (getSecretDetails)

Replace `ip` with `ipaddr.js` (githubWebhookIPValidator)

Remove unused `ip` dep (githubWebhookSecretValidator)