@wdconinc wdconinc commented Dec 2, 2025

Briefly, what does this PR introduce?

What kind of change does this PR introduce?

- Added npm overrides to enforce secure versions
  - glob: >=13.0.0 (was 7.2.3 in nested dependencies)
  - jspdf: >=3.0.2 (upgraded from 3.0.1 to 3.0.4)
- All security requirements now met
Copilot AI review requested due to automatic review settings December 2, 2025 01:26
Copilot finished reviewing on behalf of wdconinc December 2, 2025 01:32
Copilot AI left a comment

Pull request overview

This PR addresses security vulnerabilities by adding npm overrides to enforce secure versions of glob and jspdf packages. The changes upgrade glob from v7.2.3 (deprecated and vulnerable) to v13.0.0, and jspdf from v3.0.1 to v3.0.4, addressing Dependabot security alert #79.

Key Changes

  • Added npm overrides section to package.json with version constraints for glob (>=13.0.0) and jspdf (>=3.0.2)
  • Upgraded glob from v7.2.3 to v13.0.0, a major version jump that removes deprecated dependencies and introduces Node 20+ requirement
  • Upgraded jspdf from v3.0.1 to v3.0.4, replacing deprecated atob/btoa dependencies with fast-png

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 3 comments.

Files and descriptions
  • firebird-ng/package.json: Added overrides section to force secure versions of glob and jspdf packages
  • firebird-ng/package-lock.json: Updated dependency tree with glob v13.0.0 and jspdf v3.0.4, removed deprecated transitive dependencies (inflight, @isaacs/cliui, jackspeak, etc.)
Files not reviewed (1)
  • firebird-ng/package-lock.json: Language not supported

"webpack-bundle-analyzer": "^4.10.2"
},
"overrides": {
"glob": ">=13.0.0",
Copilot AI Dec 2, 2025

The glob override constraint >=13.0.0 may be too permissive for a major version change. Since glob v13 represents a major version jump from the previous v7 (skipping v8-12), there could be breaking API changes. Consider using a more restrictive constraint like ^13.0.0 to prevent automatic upgrades to potentially incompatible v14+ in the future, while still allowing patch and minor updates within v13.x.

Suggested change
"glob": ">=13.0.0",
"glob": "^13.0.0",

},
"overrides": {
"glob": ">=13.0.0",
"jspdf": ">=3.0.2"
Copilot AI Dec 2, 2025

The jspdf override constraint >=3.0.2 may be too permissive. Consider using ^3.0.2 instead to prevent automatic upgrades to potentially incompatible v4+ in the future. This provides the security fix while maintaining semver-compatible upgrades within v3.x only.

Suggested change
"jspdf": ">=3.0.2"
"jspdf": "^3.0.2"

Comment on lines +63 to +66
"overrides": {
"glob": ">=13.0.0",
"jspdf": ">=3.0.2"
},
Copilot AI Dec 2, 2025

The glob v13 upgrade introduces a Node.js version requirement (Node 20 or >=22). Consider adding an "engines" field to package.json to explicitly document this requirement:

"engines": {
  "node": "20 || >=22"
}

This will help prevent installation issues for developers using older Node versions.

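An added example, not code from this PR or the firebird-ng project: it checks every installed copy of an overridden package in a package-lock.json (top-level and nested) against the "overrides" block this PR adds, and makes the review point concrete by showing that ">=13.0.0" admits a future v14 while "^13.0.0" does not. The lock-file excerpt is constructed here, and the nested "some-tool" path is invented to stand in for the nested glob 7.2.3 the PR description mentions; only the ">=" and "^" range forms used on this page are implemented, so no semver dependency is needed.

```javascript
// Added example (not part of this PR or the firebird-ng project): audit a
// package-lock.json against package.json "overrides" and compare ">=" with "^".

// Constructed lockfileVersion-3 excerpt; "some-tool" is a placeholder for
// whichever dependency still pulled in the nested glob 7.2.3.
const lockfile = {
  packages: {
    "node_modules/glob": { version: "13.0.0" },
    "node_modules/jspdf": { version: "3.0.4" },
    "node_modules/some-tool/node_modules/glob": { version: "7.2.3" },
  },
};

// The overrides block exactly as this PR adds it.
const overrides = { glob: ">=13.0.0", jspdf: ">=3.0.2" };

const parse = (v) => v.split(".").map(Number);

// Numeric major.minor.patch comparison; negative when a < b.
function cmp(a, b) {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// ">=X.Y.Z" admits anything at or above X.Y.Z, including later majors;
// "^X.Y.Z" additionally pins the major (or the minor, for 0.x versions).
function satisfies(version, range) {
  const m = /^(>=|\^)(\d+\.\d+\.\d+)$/.exec(range);
  if (!m) throw new Error(`unsupported range: ${range}`);
  const [, op, base] = m;
  if (cmp(version, base) < 0) return false;
  if (op === ">=") return true;
  const v = parse(version), b = parse(base);
  return b[0] === 0 ? v[0] === 0 && v[1] === b[1] : v[0] === b[0];
}

// Every installed copy, nested or not, whose version escapes its override.
function findViolations(lock, ovr) {
  const bad = [];
  for (const [path, info] of Object.entries(lock.packages)) {
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const range = ovr[name];
    if (range && !satisfies(info.version, range)) bad.push({ path, version: info.version, range });
  }
  return bad;
}

console.log(findViolations(lockfile, overrides)); // flags the nested glob 7.2.3
```

Running the same check against the real firebird-ng lock file after `npm install` confirms that the overrides actually replaced every nested copy rather than only the top-level one.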
DraTeots commented Dec 2, 2025

Let's put them under this

#85

It needs to be updated in coordination and testing.

@DraTeots DraTeots closed this Dec 2, 2025