
Merge upstream updates, bump dependencies, and refactor code and unit tests#5

Merged
marcransome merged 16 commits into master from upstream-updates on Mar 2, 2026

Conversation

@marcransome commented Feb 9, 2026

These changes incorporate upstream updates, dependency version bumps, and refactoring across the codebase and unit tests to improve maintainability and mitigate vulnerabilities. This includes the following changes:

  • Updated Dockerfile to use node:25-alpine base image.
  • Mitigated CVE-2026-24842 and CVE-2026-25547 by updating npm.
  • Removed coveralls due to its dependency on the request [1] package.
  • Replaced request [1] and request-promise [1] with got version ^11.8.6; this is the last known version to support CommonJS at this time, newer versions are ESM-only.
  • Refactored bin/out.js, replacing request-promise related logic with equivalent logic using got promises.
  • Replaced js-combinatorics with an inline function combinations() in the unit test file; js-combinatorics uses heuristics that incorrectly treat the array of strings named required as a scalar, leading to BigInt conversion failures.
  • Wrapped stdin-related statements in a cli_mode_only() function in bin/out.js to avoid creating TTY handles when running in a test environment, which would otherwise remain open and lead to TTYWRAP failures when running npm test.
  • Added ESLint config file (eslint.config.cjs) and replaced deprecated --ignore-path flag from pretest script with explicit coverage/** ignore rule.
  • Fixed logic to determine if a matching webhook exists (as per Match existing hook without payload secret homedepot/github-webhook-resource#55).
  • Set Content-Type header for webhook requests to application/x-www-form-urlencoded (i.e. parameter payload_content_type defaults to form); this is a requirement of ci-webhook-trigger.
  • Updated GitHub Actions CI workflow (see Node.js CI workflow).
  • Added Dependabot configuration for grouped version/security updates to ease future maintenance.
  • Added CODEOWNERS configuration and updated branch protection rules to require reviews from designated code owners.
  • Added a strict set of overrides to package.json to mitigate CVE-2026-26996.

Resolves: DVOP-4179.

Footnotes

  [1] request and request-promise are deprecated and exhibit known vulnerabilities; see https://github.com/request/request/issues/3142.

@marcransome marcransome changed the title Merge upstream updates Merge upstream updates, bump dependencies, and refactor code and unit tests Feb 9, 2026
@ch-code-analysis commented:

Image build success

bcullerton previously approved these changes Feb 11, 2026
@ch-code-analysis commented:

Image build success

@ch-code-analysis commented:

Image build success

@marcransome marcransome merged commit b811b6a into master Mar 2, 2026
2 checks passed
@marcransome marcransome deleted the upstream-updates branch March 2, 2026 08:02