fix(build): pin basic-ftp to 5.3.0 to resolve GHSA-rp42-5vxx-qpwr#1374
- add basic-ftp 5.3.0 override to patch transitive DoS vulnerability
- resolve chain via markdown-link-check -> proxy-agent -> get-uri -> basic-ftp
- npm audit now reports 0 vulnerabilities 🔒

Generated by Copilot
Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.
Codecov Report: ✅ All modified and coverable lines are covered by tests.

Additional details and impacted files:

```
@@            Coverage Diff             @@
##             main    #1374      +/-   ##
==========================================
- Coverage   87.66%   87.65%   -0.02%
==========================================
  Files          61       61
  Lines        9328     9328
==========================================
- Hits         8177     8176       -1
- Misses       1151     1152       +1
```

Flags with carried forward coverage won't be shown.
Dependency Review — fix(build): pin basic-ftp to 5.3.0
Note: This PR was not authored by dependabot[bot], so the automated Dependabot approval workflow does not apply. The general dependency review below covers the change.
Changes Identified
| Package | Change | Type | License |
|---|---|---|---|
| basic-ftp (transitive) | 5.2.2 → 5.3.0 via overrides | Minor bump (security fix) | MIT ✅ |
Review Dimensions
1. New Dependencies
No new dependencies are introduced. basic-ftp was already present in the dependency tree transitively via markdown-link-check → proxy-agent → pac-proxy-agent → get-uri → basic-ftp. The overrides entry pins the transitive version to a patched release without adding a new direct dependency.
2. Version Update — basic-ftp 5.2.2 → 5.3.0
- Minor version bump. No breaking changes are expected.
- Resolves GHSA-rp42-5vxx-qpwr: unbounded memory consumption in `Client.list()` (denial of service vector).
- License remains MIT — compatible with the project's MIT license.
- The `overrides` approach matches the existing repo pattern (`markdown-it`, `picomatch`, `undici`, `yaml`, `yauzl`, etc. are all pinned the same way).
3. SHA Pinning Compliance
No GitHub Actions workflow files were modified. Not applicable.
4. Devcontainer and Setup Alignment
No .devcontainer/ or copilot-setup-steps.yml changes. Not applicable.
Summary
All dependency review checks pass. The change is a targeted, minimal security fix using the established repo convention for transitive overrides. Human review is recommended before merging, given this is not a Dependabot-automated bump.
Generated by Dependabot PR Review for issue #1374
Advisory review: this PR is from a maintainer. Findings are informational only.
Review Summary
This is a minimal, focused security patch that pins basic-ftp to 5.3.0 to resolve GHSA-rp42-5vxx-qpwr. The implementation is clean, follows the existing overrides convention in the repository, and the dependency review bot has already confirmed zero vulnerabilities in the introduced version. The change is low-risk and well-justified.
Issue Alignment
PR Template Compliance
`npm install --package-lock-only`, `npm audit`, and `npm run lint:dependency-pinning` all passed, which is excellent. However, the required automated checks checklist items in the template body remain unchecked:

- `npm run lint:md`
- `npm run spell-check`
- `npm run frontmatter` validation
- etc.

For a dependency-only change, most of these are N/A, but checking them off (or annotating with N/A) provides clearer signal to reviewers and keeps the template consistent. Advisory — not a blocker.
Coding Standards
✅ No applicable instruction files govern package.json or package-lock.json changes. The override entry follows the existing pattern in the file (no version specifier needed for a single-instance transitive dep, consistent with markdown-it, smol-toml, undici, and yauzl).
Code Quality
✅ The diff is minimal and correct:
- `package.json`: one line added to the `overrides` block, alphabetically out of order (placed before `markdown-it`) but consistent in style.
- `package-lock.json`: version, resolved URL, and integrity hash updated for the single `node_modules/basic-ftp` entry.
No logic errors, no security regressions, no resource leaks, no breaking changes.
Action Items (Advisory)
- Consider opening a tracking issue referencing GHSA-rp42-5vxx-qpwr so the fix is searchable in the issue history.
- Check off (or mark N/A) the Required Automated Checks checkboxes in the PR description for template completeness.
## Pre-Release 3.3.101

### ✨ Features

- add removed maturity tier and retire owasp-docker (#1444)
- add evaluation dataset creator (#1279)
- align RAI planner with guide, remove scoring, improve UX (#1287)
- add PSGallery staleness check and BOM cleanup (#1379)
- ISA-95 network planner agent (#1177)
- auto-generate collection.md with maturity filtering (#1316)
- add folder-consistency check and standardize WARN outp… (#1350)
- add synth-data-generate prompt to data-science collection (#1419)
- add canonical deck workflow and customer-card rendering for design thinking (#1413)
- add Figma MCP integration for DT artifact export (#1222)
- introduce `owasp-docker` (#1245)
- replace hve-core-specific references with portable discovery-based language (#1335)
- introduce `owasp-cicd` (#1246)
- add secure-by-design knowledge skill (#1223)
- introduce `owasp-infrastructure` (#1244)
- introduce `owasp-mcp` (#1207)
- add OutputPath parameter to Invoke-LinkLanguageCheck.ps1 (#1229)
- add -OutputPath parameter to Validate-SkillStructure.ps1 (#1225)
- add maintainer-only skip-review label guard (#1293)
- add extension collections overview and integrate into getting started flow (#950)
- add agentic workflows for automated issue triage, implementation, PR review, dependency review, and doc-staleness detection (#1219)
- consolidate package-lock.json version sync into Update-VersionFiles.ps1 (#1240)
- add standards code review agent and full review orchestrator (#1174)
- standardize pytest-mock as Python mocking framework (#1170)
- add Jira backlog workflows and Jira/GitLab skills (#978)
- add centralized version bump script and supply-chain attestation (#1183)

### 🐛 Bug Fixes

- pin PowerShell-Yaml to 0.4.7 across all install sites (#1378)
- close fork-PR/workflow-file-PR secret-strip gap and normalize upload-artifact version (#1421)
- replace stream-based lookahead with array indexing in list-changed-files.sh (#1376)
- centralize ISO 8601 timestamp regex in CIHelpers (#1343)
- update stale documentation date in release-process.md (#1363)
- pin basic-ftp to 5.3.0 to resolve GHSA-rp42-5vxx-qpwr (#1374)
- add bot filter to dependency PR review workflow (#1362)
- resolve pip-audit findings in powerpoint, gitlab, and jira skill lock files (#1360)
- standardize Timestamp JSON key casing across all lint result files (#1314)
- add synchronize trigger to PR Review workflow (#1323)
- standardize timestamp in Validate-SkillStructure.ps1 to use Get-StandardTimestamp (#1280)
- add parallel subagent dispatch and structured JSON contracts to code-review-full (#1304)
- standardize timestamp in SecurityHelpers.psm1 to use Get-StandardTimestamp (#1284)
- standardize timestamps in Test-DependencyPinning.ps1 and SecurityClasses.psm1 (#1282)
- derive collection artifact counts from YAML at build time (#1275)
- standardize timestamp in FrontmatterValidation.psm1 to use Get-StandardTimestamp (#1285)
- standardize timestamp in Markdown-Link-Check.ps1 to use Get-StandardTimestamp (#1283)
- escape hyphens in Mermaid diagram on Collections page (#1262)
- add summary timestamp to PSScriptAnalyzer output (#1211)
- fix plugin compatibility and robustness for coding-standards code review agents (#1289)
- standardize timestamp in Test-CopyrightHeaders.ps1 to use Get-StandardTimestamp (#1278)
- standardize timestamp in Invoke-YamlLint.ps1 to use Get-StandardTimestamp (#1270)
- standardize timestamp in Invoke-LinkLanguageCheck.ps1 to use Get-StandardTimestamp (#1264)
- fix dependency-review path filters and sparse-checkout cone mode (#1259)
- replace invalid bare tool names with official tool identifiers (#1198)
- fix broken links and remove orphaned reference in code review docs (#1257)
- exclude Python env dirs from skill validation warnings (#1255)
- pin happy-dom and serialize-javascript to resolve Dependabot vulnerabilities (#1253)
- remove Mermaid diagram and add missing collection cards (#1247)
- disable MCP servers by default to prevent token limit errors (#1144)
- sync package-lock.json after pre-release version bump (#1236)
- separate mermaid node declarations and add dynamic diagram generation with tests (#1215)
- replace anchor links in meeting-analyst with bold text references (#1201)
- remove recursive symlinks in jira and gitlab skill directories (#1233)
- validate-installation scripts now check .github/skills directory (#1010) (#1206)
- resolve npm audit vulnerabilities via dependency overrides (#1200)
- add post-release triggers to scorecard workflow (#1186)
- add missing .md extensions to relative links in agent documentation (#1180)

### 📚 Documentation

- broaden Security Review description beyond OWASP (#1385)
- document maintainer advisory mode and skip-review label guard (#1386)
- document ExcludePaths/OutputPath for Invoke-LinkLanguageCheck (#1383)
- CLI getting-started: clarify plugin install commands as alternatives (-all vs base) (#1251)

### ♻️ Refactoring

- align agent and prompt folder names to collection identifier (#1210)

### 🔧 Maintenance

- pin PSScriptAnalyzer to 1.25.0 and sync stale workflow version comments (#1389)
- bump lxml from 6.0.2 to 6.1.0 in /.github/skills/experimental/powerpoint (#1424)
- bump @vscode/vsce from 3.7.1 to 3.9.1 in the npm-dependencies group (#1390)
- bump the github-actions group across 1 directory with 7 updates (#1391)
- bump follow-redirects from 1.15.11 to 1.16.0 in /docs/docusaurus (#1356)
- upgrade Node.js from 20 to 24 and bump cspell to v10 (#1353)
- bump basic-ftp from 5.2.0 to 5.2.1 (#1324)
- update github/gh-aw-actions requirement to 536ea1bad8c6715d098a9dc1afea8d403733acfe in the github-actions group across 1 directory (#1298)
- update security instruction attributions and compliance (#1294)
- bump the npm-dependencies group with 2 updates (#1297)
- pre-release 3.3.41 (#1252)
- streamline RAI Planner phase structure and documentation (#1273)
- bump happy-dom from 20.8.8 to 20.8.9 in /docs/docusaurus (#1237)
- pre-release 3.3.27 (#1191)
- bump pygments from 2.19.2 to 2.20.0 in /.github/skills/gitlab/gitlab (#1234)
- bump path-to-regexp from 0.1.12 to 0.1.13 in /docs/docusaurus (#1226)
- bump the github-actions group with 4 updates (#1231)
- add missing folders and alphabetize location lists (#1193)
- bump brace-expansion (#1224)
- bump handlebars from 4.7.8 to 4.7.9 in /docs/docusaurus (#1217)
- bump brace-expansion from 5.0.3 to 5.0.5 in /docs/docusaurus (#1213)
- pre-release 3.3.10 (#1187)
- bump markdownlint-cli2 from 0.21.0 to 0.22.0 in the npm-dependencies group (#1175)
- bump the github-actions group with 3 updates (#1176)
- pre-release 3.3.1 (#1165)

---

*Managed automatically by pre-release workflow.*

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Description
Added an npm `overrides` entry pinning `basic-ftp` to `5.3.0` to resolve advisory GHSA-rp42-5vxx-qpwr (unbounded memory consumption in `Client.list()` — denial of service). The vulnerable package entered the tree transitively via `markdown-link-check → proxy-agent → pac-proxy-agent → get-uri → basic-ftp`. Using an override matches the existing convention in this repository (the `overrides` block already pins `markdown-it`, `picomatch`, `smol-toml`, `undici`, `yaml`, and `yauzl` for similar transitive security reasons). After the change, `npm audit` reports 0 vulnerabilities.

Related Issue(s)
None
Type of Change
Code & Documentation:
Infrastructure & Configuration:
Testing
Agent-run validation:
- `npm install --package-lock-only` — passed; lockfile regenerated cleanly
- `npm audit` — passed; 0 vulnerabilities (previously reported GHSA-rp42-5vxx-qpwr)
- `npm run lint:dependency-pinning` — passed; 100% compliance across 177 dependencies, 0 violations

Manual testing was not performed.
Checklist
Required Checks
Required Automated Checks
The following validation commands must pass before merging:
- `npm run lint:md`
- `npm run spell-check`
- `npm run lint:frontmatter`
- `npm run validate:skills`
- `npm run lint:md-links`
- `npm run lint:ps`
- `npm run plugin:generate`
- `npm run docs:test`

Security Considerations
Additional Notes
`package.json` (one override entry added) and `package-lock.json` (regenerated) are modified. `npm audit fix` was considered but rejected because it would have pulled in an unrelated optional dependency (`@vscode/vsce-sign-alpine-arm64`); the explicit override keeps the diff focused and matches the existing repo pattern for transitive security pins.
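The override mechanism described in the Description above (and in the dependency review's "New Dependencies" section) is easy to get subtly wrong: a pin in `package.json` only helps if every installed copy of the package in `package-lock.json`, nested copies included, actually resolves to the pinned version. The Node script below is an added example and is not code from this PR or the project. It reads a `package.json` and a lockfileVersion 3 `package-lock.json`, checks that the `overrides` pin took effect for every copy of the package, and reconstructs the chain that pulls the transitive package in, the way `npm ls` would. The two objects embedded in it are constructed, trimmed-down stand-ins that mirror the chain named in the PR; the intermediate package versions are placeholders, not real release numbers.

```javascript
// Added example, not code from this PR or the project: verify that an npm
// "overrides" pin took effect in package-lock.json and show the dependency
// chain that pulls a transitive package in (what `npm ls <pkg>` reports).
// For a real project replace the two constructed objects with
// JSON.parse(fs.readFileSync("package.json")) and the same for the lockfile.

// Constructed package.json fragment: one dev dependency plus the override.
const packageJson = {
  name: "example-project",
  devDependencies: { "markdown-link-check": "^3.0.0" },
  overrides: { "basic-ftp": "5.3.0" },
};

// Constructed lockfileVersion 3 "packages" map. Keys are install paths and ""
// is the project root. Intermediate versions are placeholders; only the chain
// shape and the basic-ftp version matter for the checks below.
const packageLock = {
  lockfileVersion: 3,
  packages: {
    "": { devDependencies: { "markdown-link-check": "^3.0.0" } },
    "node_modules/markdown-link-check": { version: "3.0.0", dependencies: { "proxy-agent": "^6.0.0" } },
    "node_modules/proxy-agent": { version: "6.0.0", dependencies: { "pac-proxy-agent": "^7.0.0" } },
    "node_modules/pac-proxy-agent": { version: "7.0.0", dependencies: { "get-uri": "^6.0.0" } },
    "node_modules/get-uri": { version: "6.0.0", dependencies: { "basic-ftp": "^5.0.0" } },
    "node_modules/basic-ftp": { version: "5.3.0" },
  },
};

// Numeric comparison of dotted versions (prerelease suffix ignored): <0, 0, >0.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Package name from a lockfile key ("node_modules/a/node_modules/@s/b" -> "@s/b").
function nameFromKey(key) {
  const i = key.lastIndexOf("node_modules/");
  return i === -1 ? null : key.slice(i + "node_modules/".length);
}

// Every installed copy of `name`, top-level or nested, must match the pinned
// version exactly; anything else is a violation worth failing CI on.
function findOverrideViolations(pkg, lock, name) {
  const pinned = (pkg.overrides || {})[name];
  if (!pinned) return [{ key: "package.json", version: null, expected: null }];
  const violations = [];
  for (const [key, entry] of Object.entries(lock.packages)) {
    if (key !== "" && nameFromKey(key) === name && compareVersions(entry.version, pinned) !== 0) {
      violations.push({ key, version: entry.version, expected: pinned });
    }
  }
  return violations;
}

// npm-style resolution: prefer a copy nested under the requester, then walk up
// through the parents, ending at the top-level node_modules.
function resolveKey(lock, fromKey, dep) {
  let base = fromKey;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${dep}` : `node_modules/${dep}`;
    if (lock.packages[candidate]) return candidate;
    if (!base) return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Breadth-first walk from the root: the shortest chain of package names that
// reaches `target`, or null when it is not installed at all.
function dependencyChain(lock, target) {
  const depsOf = (e) => ({ ...(e.dependencies || {}), ...(e.devDependencies || {}), ...(e.optionalDependencies || {}) });
  const queue = [];
  const seen = new Set();
  for (const dep of Object.keys(depsOf(lock.packages[""]))) {
    const key = resolveKey(lock, "", dep);
    if (key && !seen.has(key)) { seen.add(key); queue.push({ key, chain: [dep] }); }
  }
  while (queue.length) {
    const { key, chain } = queue.shift();
    if (nameFromKey(key) === target) return chain;
    for (const dep of Object.keys(depsOf(lock.packages[key]))) {
      const next = resolveKey(lock, key, dep);
      if (next && !seen.has(next)) { seen.add(next); queue.push({ key: next, chain: [...chain, dep] }); }
    }
  }
  return null;
}

// Report, and exit non-zero when the pin did not take so this can gate a pipeline.
const chain = dependencyChain(packageLock, "basic-ftp");
console.log("chain:", chain ? chain.join(" -> ") : "(not installed)");
const bad = findOverrideViolations(packageJson, packageLock, "basic-ftp");
for (const v of bad) console.log(`override not applied at ${v.key}: ${v.version} (expected ${v.expected})`);
process.exitCode = bad.length === 0 ? 0 : 1;
```

The exact-match check is deliberate: an override such as `"basic-ftp": "5.3.0"` is a hard pin, so a lockfile copy at any other version means `npm install` was not re-run after editing `package.json`, or a nested copy slipped past the override. The chain walk is what tells a reviewer which direct dependency is responsible, which is the information needed to decide whether an override is the right long-term fix or whether the direct dependency should itself be upgraded.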