
chore: resolve Snyk-reported npm vulnerabilities#244

Merged
vpbs2 merged 10 commits into
mainfrom
ISS-285830-snyk-dependency-fixes
Apr 20, 2026

Conversation

@vpbs2 vpbs2 commented Apr 11, 2026


Description

Resolve Snyk-reported npm dependency issues: direct dependency bumps, minimal overrides (DuckDB/node-gyp, Vitest peers, @tootallnate/once), and meerkat-dbm/package-lock.json so Snyk resolves that package correctly.

work-item: ISS-285830

Changes

  • Root: axios, lodash, next, puppeteer; overrides for duckdb glob/tar, vitest, @tootallnate/once (removed redundant qs override).
  • meerkat-dbm: lodash bump + new package-lock.json.

Tests

  • snyk test --all-projects

work-item: ISS-285830
Made-with: Cursor
@vpbs2 vpbs2 changed the title chore(ISS-285830): resolve Snyk-reported npm vulnerabilities chore: resolve Snyk-reported npm vulnerabilities Apr 11, 2026
vpbs2 added 8 commits April 11, 2026 14:26
Replace duckdb glob/tar pin with node-gyp ^11 so the lockfile stays
internally consistent under strict npm ci, and add picomatch >=4.0.4.

Made-with: Cursor
@github-actions


⚠️ Heads-up: This repository will be blocked from any work other than patching.

File benchmarking/src/app/benchmarking-tests/dbm-benchmarking.spec.ts is not allowed to be modified in this patch.
The following vulnerability issues are past SLA:

Note that there is significant latency in updating this list. Please reach out on #antifragile if you are in a hurry or have an emergency.


@vpbs2 vpbs2 enabled auto-merge (squash) April 20, 2026 04:07
@vpbs2 vpbs2 merged commit 2d53744 into main Apr 20, 2026
3 of 4 checks passed
shriram-devrev added a commit that referenced this pull request May 8, 2026
semantic-release (dev dep) pins lodash-es@^4.17.21, which npm resolves to
4.17.23 — flagged by Snyk as SNYK-JS-LODASH-15869625 (high) and
SNYK-JS-LODASH-15869619 (medium). Latest lodash-es 4.18.1 carries the
patches.

Adds a root npm override for lodash-es >=4.18.1 so every nested
semantic-release dep de-dupes to the patched version. Follows the same
pattern as the earlier qs/picomatch/@tootallnate/once overrides from #244.

Issues: ISS-279504, ISS-279506
shriram-devrev added a commit that referenced this pull request May 8, 2026
* fix: qualify struct field access to avoid binder ambiguity post-join

When a dimension SQL references a struct field like `stage.stage_id`, the
aliaser previously skipped it because `column_names.length !== 1`. After
joining tables that have a column with the same name as the struct root
(e.g. `devusers.stage` alongside `issue.stage`), DuckDB's binder raises
an ambiguous column reference error before the query can run.

Make the aliaser schema-aware: introspect each table's physical columns via
`DESCRIBE` in the browser and node wrappers, then rewrite a multi-part
column ref as `<tableName>.<root>.<rest...>` only when the leading
identifier is a known column on the current table. Cross-table references
(`customers.id`), already-qualified refs, lambda-bound identifiers, and
unknown multi-part refs are left untouched.

Falls back to the legacy length-1 behavior when schema information is not
supplied, preserving backwards compatibility.

* perf: only alias schema members referenced by the query

ensureTableSchemasAlias was collecting every measure and dimension across
every table schema into a single batch and sending them through
ensureColumnAliasBatch — two DuckDB roundtrips (parseExpressions and
serializeExpressions) that scale linearly with the number of members in
the batch. For tenants with ~8k fields, a single call took ~16.5s even
when the active query referenced only a handful of them.

Make ensureTableSchemaAliasSql take the Query as a required arg and only
alias members the query actually touches — walking measures, dimensions,
order, and filters (recursive and/or tree). joinPaths is intentionally
excluded: its left/right values are table names, not member references,
and the actual join SQL lives in TableSchema.joins[].sql which is already
fully qualified.

Members not referenced by the query are passed through untouched on the
cloned schema, so DuckDB never parses them. For a widget referencing ~20
members out of 8k, that is roughly a 400x reduction in parse/serialize
work per call.

BREAKING CHANGE:
- @devrev/meerkat-core: EnsureTableSchemaAliasSqlParams now requires
  `query: Query`.
- @devrev/meerkat-browser: EnsureTableSchemasAliasParams now requires
  `query: Query`; the curried ensureTableSchemaAlias(connection) factory
  returns (tableSchemas, query) => ....
- @devrev/meerkat-node: mirrored changes.

Bumped meerkat-core, meerkat-browser, meerkat-node to 0.0.128.

Unit tests cover query-driven filtering, member preservation for
unreferenced members, filter-only refs, order-only refs, and joinPaths
exclusion. All pre-existing tests updated to pass a query.

Issue: ISS-299745

* chore: override lodash-es to 4.18.1 to clear Snyk advisories

semantic-release (dev dep) pins lodash-es@^4.17.21, which npm resolves to
4.17.23 — flagged by Snyk as SNYK-JS-LODASH-15869625 (high) and
SNYK-JS-LODASH-15869619 (medium). Latest lodash-es 4.18.1 carries the
patches.

Adds a root npm override for lodash-es >=4.18.1 so every nested
semantic-release dep de-dupes to the patched version. Follows the same
pattern as the earlier qs/picomatch/@tootallnate/once overrides from #244.

Issues: ISS-279504, ISS-279506

* test(meerkat-node): pass query arg to ensureTableSchemaAliasSql integration tests

The two meerkat-node integration tests for ensureTableSchemaAliasSql
invoke the core helper directly (rather than through the node wrapper),
so they need the new required 'query' arg that drives referenced-member
filtering. Reference every fixture member so the aliaser behaves the
same as before.

Issue: ISS-299745