Skip to content

fix: resolve BlackDuck operational risk findings for SAP_DOC_MGMT_CAP_NODEJS 1.0#291

Open
Myna855-sap wants to merge 2 commits into
cap-js:developfrom
Myna855-sap:fix/blackduck-operational-risks
Open

fix: resolve BlackDuck operational risk findings for SAP_DOC_MGMT_CAP_NODEJS 1.0#291
Myna855-sap wants to merge 2 commits into
cap-js:developfrom
Myna855-sap:fix/blackduck-operational-risks

Conversation

@Myna855-sap

@Myna855-sap Myna855-sap commented Jun 26, 2026

Copy link
Copy Markdown
Collaborator

Summary

Resolves operational risk findings from BlackDuck for SAP_DOC_MGMT_CAP_NODEJS 1.0 version 1.0.

All flagged components are transitive dependencies. Fixed by adding npm overrides to the root package.json to force safe versions.

Note: agent-base 9.x and https-proxy-agent 9.x are ESM-only and incompatible with the Jest CJS test runner. 7.x versions are used instead — they are still newer than the flagged versions and resolve the operational risk.

Changes

  • agent-base 6.0.2 → 7.1.4 (transitive override — was nested under axios and teeny-request)
  • https-proxy-agent 5.0.1 → 7.0.6 (transitive override — was nested under axios and teeny-request)
  • iconv-lite 0.4.24 → 0.7.2 (transitive override)
  • xml2js 0.4.23 / 0.5.0 → 0.6.2 (transitive override)

Not fixed (manual review required)

  • follow-redirects 1.16.0 — already at latest published version; no upgrade available
  • path-to-regexp 0.1.13 — upgrade to 8.x is a breaking change; express 4.x depends on 0.1.x API — defer until express v5 upgrade
  • node-fetch 2.7.0 — 3.x is ESM-only; requires migration effort

Test Plan

  • npm install passes locally
  • BlackDuck re-scan confirms operational risks resolved for the 4 overridden packages
  • No regressions in unit tests (npm test — 484/484 passed)

@Myna855-sap Myna855-sap force-pushed the fix/blackduck-operational-risks branch from 1e61aab to b4b0e97 Compare June 29, 2026 03:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant