Skip to content

chore(security): fix ws and body-parser mend vulnerabilities#725

Merged
SteinGabriel merged 1 commit into
mainfrom
fix-mend-security-issues
Jul 17, 2026
Merged

chore(security): fix ws and body-parser mend vulnerabilities#725
SteinGabriel merged 1 commit into
mainfrom
fix-mend-security-issues

Conversation

@SteinGabriel

@SteinGabriel SteinGabriel commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Summary

Fixes 2 vulnerabilities flagged by the Mend Security Check:

  • CVE-2026-62389 (High, CVSS 7.5) — ws@8.21.0, pulled in transitively via vitest
    jsdom. Pinned to ^8.21.1 via a pnpm override in the root package.json.
  • CVE-2026-12590 (Low, CVSS 3.7) — body-parser@2.2.2 in e2e/am-mock-api. Bumped the
    direct dependency to ^2.3.0.

pnpm-lock.yaml regenerated via pnpm install to reflect both changes.

Test plan

  • pnpm install resolves ws to 8.21.1 and body-parser (am-mock-api) to 2.3.0
  • nx affected typecheck/lint/build/api-report pass (pre-commit hook)
  • syncpack lint clean, no version drift introduced

Summary by CodeRabbit

  • Chores
    • Updated the mock API’s request parsing dependency.
    • Added an override to ensure a consistent WebSocket dependency version across the project.

@changeset-bot

changeset-bot Bot commented Jul 17, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: 858c05d

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c26df60e-573e-4361-b6bd-e95655cde4dc

📥 Commits

Reviewing files that changed from the base of the PR and between cc1a536 and 858c05d.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • e2e/am-mock-api/package.json
  • package.json

📝 Walkthrough

Walkthrough

Updated body-parser in the mock API package and added a root pnpm.overrides entry for ws.

Changes

Dependency updates

Layer / File(s) Summary
Dependency version declarations
e2e/am-mock-api/package.json, package.json
Updated body-parser from ^2.2.2 to ^2.3.0 and added a ws override at ^8.21.1.

Estimated code review effort: 1 (Trivial) | ~2 minutes

Possibly related PRs

Suggested reviewers: ryanbas21, ancheetah

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly matches the dependency security fixes for ws and body-parser.
Description check ✅ Passed The description covers the main changes and test plan, though it does not explicitly address the optional Jira ticket or changeset note.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix-mend-security-issues

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@nx-cloud

nx-cloud Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

View your CI Pipeline Execution ↗ for commit 858c05d

Command Status Duration Result
nx run-many -t build --no-agents ✅ Succeeded <1s View ↗
nx affected -t build lint test typecheck e2e-ci ✅ Succeeded 2m 26s View ↗

💡 Verify your cache is correct by running tasks in a sandbox. Read docs ↗


☁️ Nx Cloud last updated this comment at 2026-07-17 19:11:39 UTC

@pkg-pr-new

pkg-pr-new Bot commented Jul 17, 2026

Copy link
Copy Markdown

Open in StackBlitz

@forgerock/davinci-client

pnpm add https://pkg.pr.new/@forgerock/davinci-client@725

@forgerock/device-client

pnpm add https://pkg.pr.new/@forgerock/device-client@725

@forgerock/journey-client

pnpm add https://pkg.pr.new/@forgerock/journey-client@725

@forgerock/oidc-client

pnpm add https://pkg.pr.new/@forgerock/oidc-client@725

@forgerock/protect

pnpm add https://pkg.pr.new/@forgerock/protect@725

@forgerock/sdk-types

pnpm add https://pkg.pr.new/@forgerock/sdk-types@725

@forgerock/sdk-utilities

pnpm add https://pkg.pr.new/@forgerock/sdk-utilities@725

@forgerock/iframe-manager

pnpm add https://pkg.pr.new/@forgerock/iframe-manager@725

@forgerock/sdk-logger

pnpm add https://pkg.pr.new/@forgerock/sdk-logger@725

@forgerock/sdk-oidc

pnpm add https://pkg.pr.new/@forgerock/sdk-oidc@725

@forgerock/sdk-request-middleware

pnpm add https://pkg.pr.new/@forgerock/sdk-request-middleware@725

@forgerock/storage

pnpm add https://pkg.pr.new/@forgerock/storage@725

commit: 858c05d

@github-actions

Copy link
Copy Markdown
Contributor

Deployed 4415b4a to https://ForgeRock.github.io/ping-javascript-sdk/pr-725/4415b4a96a41d19c5968070a382f57cebf72b6cb branch gh-pages in ForgeRock/ping-javascript-sdk

@codecov-commenter

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 23.13%. Comparing base (eafe277) to head (858c05d).
⚠️ Report is 47 commits behind head on main.

❌ Your project status has failed because the head coverage (23.13%) is below the target coverage (40.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #725      +/-   ##
==========================================
+ Coverage   18.07%   23.13%   +5.06%     
==========================================
  Files         155      161       +6     
  Lines       24398    25602    +1204     
  Branches     1203     1613     +410     
==========================================
+ Hits         4410     5924    +1514     
+ Misses      19988    19678     -310     

see 16 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@github-actions

Copy link
Copy Markdown
Contributor

📦 Bundle Size Analysis

📦 Bundle Size Analysis

🚨 Significant Changes

🔻 @forgerock/device-client - 0.0 KB (-10.0 KB, -100.0%)
🔻 @forgerock/journey-client - 0.0 KB (-92.6 KB, -100.0%)

➖ No Changes

@forgerock/device-client - 10.0 KB
@forgerock/sdk-types - 9.1 KB
@forgerock/protect - 144.6 KB
@forgerock/sdk-request-middleware - 4.6 KB
@forgerock/iframe-manager - 3.2 KB
@forgerock/sdk-logger - 1.6 KB
@forgerock/sdk-oidc - 5.7 KB
@forgerock/storage - 1.5 KB
@forgerock/journey-client - 92.6 KB
@forgerock/oidc-client - 35.3 KB
@forgerock/sdk-utilities - 18.6 KB
@forgerock/davinci-client - 54.4 KB


14 packages analyzed • Baseline from latest main build

Legend

🆕 New package
🔺 Size increased
🔻 Size decreased
➖ No change

ℹ️ How bundle sizes are calculated
  • Current Size: Total gzipped size of all files in the package's dist directory
  • Baseline: Comparison against the latest build from the main branch
  • Files included: All build outputs except source maps and TypeScript build cache
  • Exclusions: .map, .tsbuildinfo, and .d.ts.map files

🔄 Updated automatically on each push to this PR

@SteinGabriel
SteinGabriel merged commit 9549894 into main Jul 17, 2026
9 checks passed
@SteinGabriel
SteinGabriel deleted the fix-mend-security-issues branch July 17, 2026 19:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

3 participants