From ac4e1e8947bdf2bed45e3826668b8187f34359a4 Mon Sep 17 00:00:00 2001
From: GENTILHOMME Thomas
Date: Tue, 24 Mar 2026 19:33:16 +0100
Subject: [PATCH 1/6] chore(.npmrc): add allow-git=none
---
 .npmrc | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.npmrc b/.npmrc
index 61cbf3fc..167116cf 100644
--- a/.npmrc
+++ b/.npmrc
@@ -1,3 +1,4 @@
 package-lock=false
 save-exact=true
 ignore-scripts=true
+allow-git=none
From 8b82c5a98e45982bdb357cde7003f680e00b5ab3 Mon Sep 17 00:00:00 2001
From: GENTILHOMME Thomas
Date: Tue, 24 Mar 2026 19:34:32 +0100
Subject: [PATCH 2/6] chore: update @nodesecure/vulnera to v3.1.0
---
 workspaces/rc/package.json | 2 +-
 workspaces/scanner/package.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/workspaces/rc/package.json b/workspaces/rc/package.json
index 879e20c2..ca3fa272 100644
--- a/workspaces/rc/package.json
+++ b/workspaces/rc/package.json
@@ -47,7 +47,7 @@
 "dependencies": {
 "@nodesecure/js-x-ray": "14.2.0",
 "@nodesecure/npm-types": "^1.2.0",
- "@nodesecure/vulnera": "3.0.0",
+ "@nodesecure/vulnera": "3.1.0",
 "@openally/config": "^1.0.1",
 "@openally/result": "2.0.0",
 "lodash.merge": "^4.6.2",
diff --git a/workspaces/scanner/package.json b/workspaces/scanner/package.json
index d5436c7d..e1d8b384 100644
--- a/workspaces/scanner/package.json
+++ b/workspaces/scanner/package.json
@@ -76,7 +76,7 @@
 "@nodesecure/tarball": "^3.7.0",
 "@nodesecure/tree-walker": "^2.7.0",
 "@nodesecure/utils": "^2.3.0",
- "@nodesecure/vulnera": "3.0.0",
+ "@nodesecure/vulnera": "3.1.0",
 "@openally/mutex": "^2.0.0",
 "fastest-levenshtein": "^1.0.16",
 "frequency-set": "^2.1.0",
From c659b86d23e8f9f80874c994ecbaaa7f594e46ff Mon Sep 17 00:00:00 2001
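Review bot: The new `allow-git=none` line carries no explanation of what it is meant to prevent, and the commit message only restates the key, so its intent will be invisible to the next person editing this file alongside `ignore-scripts=true` and `save-exact=true`. Since `.npmrc` accepts `;`-prefixed comments, I would put one above it, such as `; refuse git-hosted dependencies: they are resolved outside the registry and are not covered by save-exact pinning`. Presumably only npm releases that know this key enforce it, and an older client may silently ignore an unknown option, so it is worth recording the minimum npm version the setting relies on (in that comment or in the package's engines field) rather than assuming every contributor's toolchain honors it.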
From: GENTILHOMME Thomas
Date: Tue, 24 Mar 2026 19:35:42 +0100
Subject: [PATCH 3/6] chore: update @nodesecure/js-x-ray to v14.3.0
---
 workspaces/rc/package.json | 2 +-
 workspaces/scanner/package.json | 2 +-
 workspaces/tarball/package.json | 2 +-
 workspaces/tree-walker/package.json | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/workspaces/rc/package.json b/workspaces/rc/package.json
index ca3fa272..1b61554e 100644
--- a/workspaces/rc/package.json
+++ b/workspaces/rc/package.json
@@ -45,7 +45,7 @@
 "ajv": "8.18.0"
 },
 "dependencies": {
- "@nodesecure/js-x-ray": "14.2.0",
+ "@nodesecure/js-x-ray": "14.3.0",
 "@nodesecure/npm-types": "^1.2.0",
 "@nodesecure/vulnera": "3.1.0",
 "@openally/config": "^1.0.1",
diff --git a/workspaces/scanner/package.json b/workspaces/scanner/package.json
index e1d8b384..88b65179 100644
--- a/workspaces/scanner/package.json
+++ b/workspaces/scanner/package.json
@@ -68,7 +68,7 @@
 "@nodesecure/contact": "^3.0.0",
 "@nodesecure/flags": "^3.0.3",
 "@nodesecure/i18n": "^4.1.0",
- "@nodesecure/js-x-ray": "14.2.0",
+ "@nodesecure/js-x-ray": "14.3.0",
 "@nodesecure/mama": "^2.2.0",
 "@nodesecure/npm-registry-sdk": "^4.4.0",
 "@nodesecure/npm-types": "^1.3.0",
diff --git a/workspaces/tarball/package.json b/workspaces/tarball/package.json
index fc2efd6a..1d4f6805 100644
--- a/workspaces/tarball/package.json
+++ b/workspaces/tarball/package.json
@@ -47,7 +47,7 @@
 "dependencies": {
 "@nodesecure/conformance": "^1.2.1",
 "@nodesecure/fs-walk": "^2.0.0",
- "@nodesecure/js-x-ray": "14.2.0",
+ "@nodesecure/js-x-ray": "14.3.0",
 "@nodesecure/mama": "^2.2.0",
 "@nodesecure/npm-types": "^1.2.0",
 "@nodesecure/utils": "^2.3.0",
diff --git a/workspaces/tree-walker/package.json b/workspaces/tree-walker/package.json
index 9022d7da..efca4b91 100644
--- a/workspaces/tree-walker/package.json
+++ b/workspaces/tree-walker/package.json
@@ -37,7 +37,7 @@
 },
 "homepage": "https://github.com/NodeSecure/tree/master/workspaces/tree-walker#readme",
 "dependencies": {
- "@nodesecure/js-x-ray": "14.2.0",
+ "@nodesecure/js-x-ray": "14.3.0",
 "@nodesecure/mama": "2.2.0",
 "@nodesecure/npm-registry-sdk": "^4.0.0",
 "@nodesecure/npm-types": "^1.1.0",
From b3b0c25ea09ddf7d745013b0b3fa6b810c5822d9 Mon Sep 17 00:00:00 2001
From: GENTILHOMME Thomas
Date: Tue, 24 Mar 2026 19:36:57 +0100
Subject: [PATCH 4/6] chore: update @nodesecure/npm-registry-sdk to v4.5.2
---
 workspaces/scanner/package.json | 2 +-
 workspaces/tree-walker/package.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/workspaces/scanner/package.json b/workspaces/scanner/package.json
index 88b65179..7b5344c1 100644
--- a/workspaces/scanner/package.json
+++ b/workspaces/scanner/package.json
@@ -70,7 +70,7 @@
 "@nodesecure/i18n": "^4.1.0",
 "@nodesecure/js-x-ray": "14.3.0",
 "@nodesecure/mama": "^2.2.0",
- "@nodesecure/npm-registry-sdk": "^4.4.0",
+ "@nodesecure/npm-registry-sdk": "4.5.2",
 "@nodesecure/npm-types": "^1.3.0",
 "@nodesecure/rc": "^5.5.0",
 "@nodesecure/tarball": "^3.7.0",
diff --git a/workspaces/tree-walker/package.json b/workspaces/tree-walker/package.json
index efca4b91..b3b2c34d 100644
--- a/workspaces/tree-walker/package.json
+++ b/workspaces/tree-walker/package.json
@@ -39,7 +39,7 @@
 "dependencies": {
 "@nodesecure/js-x-ray": "14.3.0",
 "@nodesecure/mama": "2.2.0",
- "@nodesecure/npm-registry-sdk": "^4.0.0",
+ "@nodesecure/npm-registry-sdk": "4.5.2",
 "@nodesecure/npm-types": "^1.1.0",
 "@npmcli/arborist": "9.4.1",
 "combine-async-iterators": "^3.0.0",
From 260cce3149fa21b0f1283db3f1fda63a7d7283c7 Mon Sep 17 00:00:00 2001
From: GENTILHOMME Thomas
Date: Tue, 24 Mar 2026 19:38:02 +0100
Subject: [PATCH 5/6] chore: update @openally/httpie to fix undici CVEs
---
 workspaces/conformance/package.json | 2 +-
 workspaces/github/package.json | 2 +-
 workspaces/gitlab/package.json | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/workspaces/conformance/package.json b/workspaces/conformance/package.json
index 05e27aa0..3364f38a 100644
--- a/workspaces/conformance/package.json
+++ b/workspaces/conformance/package.json
@@ -41,7 +41,7 @@
 },
 "homepage": "https://github.com/NodeSecure/tree/master/workspaces/conformance#readme",
 "devDependencies": {
- "@openally/httpie": "^1.0.0",
+ "@openally/httpie": "1.1.2",
 "@types/spdx-expression-parse": "^3.0.5",
 "node-estree": "^4.0.0"
 },
diff --git a/workspaces/github/package.json b/workspaces/github/package.json
index a36afc24..85e41914 100644
--- a/workspaces/github/package.json
+++ b/workspaces/github/package.json
@@ -38,7 +38,7 @@
 },
 "homepage": "https://github.com/NodeSecure/scanner/tree/master/workspaces/github#readme",
 "dependencies": {
- "@openally/httpie": "^1.0.0",
+ "@openally/httpie": "1.1.2",
 "tar-fs": "^3.0.5"
 },
 "devDependencies": {
diff --git a/workspaces/gitlab/package.json b/workspaces/gitlab/package.json
index ed2c243d..57114a37 100644
--- a/workspaces/gitlab/package.json
+++ b/workspaces/gitlab/package.json
@@ -36,7 +36,7 @@
 },
 "homepage": "https://github.com/NodeSecure/scanner/tree/master/workspaces/gitlab#readme",
 "dependencies": {
- "@openally/httpie": "^1.0.0",
+ "@openally/httpie": "1.1.2",
 "tar-fs": "^3.0.6"
 },
 "devDependencies": {
From 633493bf68683b34030e347c018d3ae355215b4c Mon Sep 17 00:00:00 2001
From: GENTILHOMME Thomas
Date: Tue, 24 Mar 2026 19:42:19 +0100
Subject: [PATCH 6/6] chore(scanner): snyk is not available anymore with vulnera 3.1.0
---
 .changeset/hip-deserts-pick.md | 5 +++++
 workspaces/scanner/src/depWalker.ts | 3 +--
 2 files changed, 6 insertions(+), 2 deletions(-)
 create mode 100644 .changeset/hip-deserts-pick.md
diff --git a/.changeset/hip-deserts-pick.md b/.changeset/hip-deserts-pick.md
new file mode 100644
index 00000000..2311a05f
--- /dev/null
+++ b/.changeset/hip-deserts-pick.md
@@ -0,0 +1,5 @@
+---
+"@nodesecure/scanner": patch
+---
+
+Remove snyk from hydratable strategy as it's no more available
diff --git a/workspaces/scanner/src/depWalker.ts b/workspaces/scanner/src/depWalker.ts
index e4a479a2..a407eb92 100644
--- a/workspaces/scanner/src/depWalker.ts
+++ b/workspaces/scanner/src/depWalker.ts
@@ -328,8 +328,7 @@ export async function depWalker(
 vulnerabilityStrategy
 );
- const isVulnHydratable = (strategy === "github-advisory" || strategy === "snyk")
- && isRemoteScanning;
+ const isVulnHydratable = strategy === "github-advisory" && isRemoteScanning;
 if (!isVulnHydratable) {
 await hydratePayloadDependencies(dependencies, {
 useFormat: "Standard",
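Review bot: Dropping `"snyk"` from the `isVulnHydratable` condition means a configuration that still selects that strategy is now silently treated as non-hydratable rather than being rejected, and nothing in the hunk shows where such a value would be validated or reported. If vulnera 3.1.0 narrowed the strategy type, literal uses may be caught at compile time, but a strategy value that arrives from runtime configuration would not be, so the check belongs where `strategy` is derived from `vulnerabilityStrategy` in the call just above the new line, failing loudly or at least logging that the retired value was ignored. On the new line itself I would add `// only github-advisory can be hydrated remotely; snyk support was removed in vulnera 3.1.0` so the next reader does not reintroduce it. The enclosing `depWalker` function starts and ends outside the hunk.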