Bump jws to 4.0.1 (security: GHSA-869p-cjfg-cm3x) #1953

Open
rugpanov wants to merge 1 commit into main from deps/jws-4.0.1


Conversation

@rugpanov rugpanov (Contributor) commented Jul 2, 2026

Why

Replaces Dependabot's #1816, which couldn't merge (lockfile-only bump, conflicted with main after recent merges). jws 4.0.1 fixes advisory GHSA-869p-cjfg-cm3x: createSign/createVerify now require signature headers, mitigating a JWT signature-verification flaw.

jws is a transitive dependency (via google-auth-library and gtoken, both requesting ^4.0.0), so it can't be bumped with yarn up — it needs a resolution override.

What

  • Add "jws": "^4.0.1" to the root resolutions block (following the existing json5 / path-scurry pattern).
  • Regenerated yarn.lock resolves jws@4.0.1 (and jwa@2.0.1).

Verification

  • yarn install --immutable passes (the CI gate that #1816 "Bump jws from 4.0.0 to 4.0.1" failed on).
  • Resolved versions verified on public npm (jws@4.0.1, jwa@2.0.1).
  • Both dependents request ^4.0.0, which permits 4.0.1 — no peer conflicts.

Backward compatibility: transitive security patch only; no direct dependency, API, persisted-state, or config change.

Closes #1816.

This pull request and its description were written by Isaac.

*Why*
Dependabot's #1816 (jws 4.0.0 -> 4.0.1) could not merge: it was a lockfile-only
bump that conflicted with main after recent merges. jws 4.0.1 fixes advisory
GHSA-869p-cjfg-cm3x (createSign/createVerify signature-header handling). jws is
a transitive dependency (via google-auth-library and gtoken, both requesting
^4.0.0), so it can't be bumped with `yarn up`; it needs a resolution override.

*What*
- Add `"jws": "^4.0.1"` to the root `resolutions` block (following the existing
  json5 / path-scurry pattern) to force the transitive dependency to the patched
  version. Regenerated yarn.lock now resolves jws@4.0.1 (and jwa@2.0.1).

*Verification*
- `yarn install --immutable` passes (the CI gate that #1816 failed).
- Resolved versions verified to exist on public npm (jws@4.0.1, jwa@2.0.1).
- Both dependents request `^4.0.0`, which permits 4.0.1 — no peer conflicts.

Backward compatibility: transitive security patch only; no direct dependency,
API, persisted state, or config change.

Closes #1816.

Co-authored-by: Isaac
@rugpanov rugpanov temporarily deployed to test-trigger-is July 2, 2026 16:49 — with GitHub Actions Inactive
@github-actions github-actions Bot commented Jul 2, 2026

If integration tests don't run automatically, an authorized user can run them manually by following the instructions below:

Trigger:
go/deco-tests-run/vscode

Inputs:

  • PR number: 1953
  • Commit SHA: 789716885224e4060089e9292c083b476b038ba5

Checks will be approved automatically on success.

@rugpanov rugpanov enabled auto-merge (squash) July 2, 2026 18:14
@rugpanov rugpanov (Contributor, Author) commented Jul 2, 2026

Integration tests: https://github.com/databricks-eng/eng-dev-ecosystem/actions/runs/28607412003

TLDR: no regressions — 25 passing / 7 failing, matching the current e2e baseline. Zero Can't find view control "CONFIGURATION" (activation) failures and no jws-related failures. The 7 reds are the known pre-existing environmental flakes (terraform-registry network, UC Item "access" not found, element click intercepted, ENOENT) that fail identically on main regardless of this change.
