
Conversation

liranmauda (Contributor) commented Nov 23, 2025

Explain the Changes

Bumping deps to avoid CVE (13/11/2025)

Summary by CodeRabbit

  • Chores
    • Updated project dependencies to newer patch versions to maintain compatibility and security: MIME handling, native bindings, Kafka client, TypeScript, and lodash type definitions.


coderabbitai bot commented Nov 23, 2025

Walkthrough

Bumped dependency versions in package.json: mime-types 3.0.1→3.0.2, nan 2.23.0→2.23.1, node-rdkafka 3.5.0→3.6.0, typescript 5.9.2→5.9.3, and devDependency @types/lodash 4.17.20→4.17.21. No functional or API changes.

Changes

Cohort / File(s): Dependency Version Bumps (package.json)
Summary: Updated dependency versions: mime-types (3.0.1 → 3.0.2), nan (2.23.0 → 2.23.1), node-rdkafka (3.5.0 → 3.6.0), typescript (5.9.2 → 5.9.3); updated devDependency @types/lodash (4.17.20 → 4.17.21).

Sequence Diagram(s)

(No sequence diagram: changes are dependency version updates only; no control-flow or feature changes to visualize.)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

  • Verify package.json semver and no accidental key edits.
  • Validate native-binding dependencies (node-rdkafka, nan) build/install on CI.
  • Run install/build/typecheck to ensure typescript bump causes no regressions.
  • Check lockfile update (if applicable) and CI pipeline results.

Suggested reviewers

  • nimrod-becker
  • dannyzaken

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Title check: Passed. The title 'Bumping deps to avoid CVE (13/11/2025)' directly aligns with the changeset, which contains only dependency version updates made to address CVE concerns.
Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6fad477 and a140e49.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • package.json (2 hunks)
🧰 Additional context used
🧠 Learnings (1)
📓 Common learnings
Learnt from: Neon-White
Repo: noobaa/noobaa-core PR: 9229
File: .github/workflows/ibm-nightly-provision-dispatcher.yaml:13-13
Timestamp: 2025-09-30T08:56:55.478Z
Learning: In the noobaa-core repository, PR #9229 (nightly IBM VM provision dispatcher) has a dependency on `.github/ibm-warp-runner-config.yaml` which is provided in PR #9230, requiring PR #9230 to be merged first.
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: run-package-lock-validation
  • GitHub Check: Build Noobaa Image
  • GitHub Check: run-jest-unit-tests
🔇 Additional comments (1)
package.json (1)

104-104: Clarify CVE reference and update package-lock.json before merging.

The PR description mentions avoiding a CVE dated 13/11/2025, but no public CVE could be identified affecting these specific npm packages (mime-types, nan, node-rdkafka). Web search and commit metadata confirm only a generic reference without a CVE ID or affected package details.

More critically, package-lock.json is not included in this PR. Updating package.json without synchronizing the lock file breaks reproducible builds and prevents accurate dependency resolution for end users. This must be fixed.

Required actions:

  1. Provide the specific CVE ID or security advisory link justifying these version bumps, or confirm this is general maintenance
  2. Run npm install (or equivalent) and commit the updated package-lock.json

Also applies to: 111-111, 113-113, 121-121, 132-132



Bumping deps to avoid CVE (13/11/2025)

Signed-off-by: liranmauda <[email protected]>
@liranmauda liranmauda merged commit d3c091e into noobaa:master Nov 23, 2025
18 checks passed

2 participants