npm - @codyswann/lisa - Versions diffs - 1.46.4 → 1.47.0 - Mend

@codyswann/lisa 1.46.4 → 1.47.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/typescript/copy-overwrite/.github/workflows/create-sentry-issue-on-failure.yml ADDED Viewed

@@ -0,0 +1,269 @@
+# This file is managed by Lisa.
+# Do not edit directly — changes will be overwritten on the next `lisa` run.
+# -----------------------------------------------------------------------------
+# Sentry Issue Creation Workflow
+# -----------------------------------------------------------------------------
+# ⚠️ WARNING: THIS FILE IS AUTO-GENERATED. DO NOT EDIT MANUALLY! ⚠️
+# Any changes may be overwritten by the generation process.
+# This workflow creates a Sentry issue when another workflow fails.
+# It captures details about the failure and creates a standardized issue
+# to help track and resolve CI/CD problems in Sentry.
+#
+# Example usage in another workflow:
+# ```yaml
+# create_sentry_issue_on_failure:
+#   if: failure()
+#   uses: ./.github/workflows/create-sentry-issue-on-failure.yml
+#   with:
+#     workflow_name: 'My Workflow'
+#     failed_job: 'build_and_test'
+#     SENTRY_ORG: ${{ vars.SENTRY_ORG }}
+#     SENTRY_PROJECT: ${{ vars.SENTRY_PROJECT }}
+#   secrets:
+#     SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+# ```
+name: 🔴 Sentry Issue on Workflow Failure
+on:
+  workflow_call:
+    inputs:
+      workflow_name:
+        required: true
+        type: string
+        description: 'Name of the workflow that failed'
+      failed_job:
+        required: false
+        type: string
+        description: 'Name of the job that failed (optional)'
+      SENTRY_ORG:
+        required: true
+        type: string
+        description: 'Sentry organization slug (e.g., your-company)'
+      SENTRY_PROJECT:
+        required: true
+        type: string
+        description: 'Sentry project slug (e.g., serverless-knowledge-platform)'
+      environment:
+        required: false
+        type: string
+        default: 'production'
+        description: 'Environment where the failure occurred'
+      level:
+        required: false
+        type: string
+        default: 'error'
+        description: 'Sentry issue level (debug, info, warning, error, fatal)'
+      node_version:
+        description: 'Node.js version to use'
+        required: false
+        default: '22.21.1'
+        type: string
+      package_manager:
+        description: 'Package manager to use (npm, yarn, or bun)'
+        required: false
+        default: 'npm'
+        type: string
+      working_directory:
+        description: 'Directory to run commands in (if not root)'
+        required: false
+        default: ''
+        type: string
+    secrets:
+      SENTRY_AUTH_TOKEN:
+        required: true
+        description: 'Sentry Auth Token with project:write scope'
+# Concurrency is managed by the parent workflow that calls this one
+# This avoids deadlocks between parent and child workflows
+jobs:
+  create_sentry_issue:
+    name: 📝 Create Sentry Issue
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: 📥 Checkout repository
+        uses: actions/checkout@v4
+      - name: 🔧 Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ inputs.node_version }}
+          cache: ${{ inputs.package_manager != 'bun' && inputs.package_manager || '' }}
+      - name: 🔴 Create Sentry Issue
+        id: create_sentry_issue
+        run: |
+          cd "${{ inputs.working_directory || '.' }}"
+          # Set variables
+          WORKFLOW_NAME="${{ inputs.workflow_name }}"
+          FAILED_JOB="${{ inputs.failed_job || 'Unknown' }}"
+          ENVIRONMENT="${{ inputs.environment }}"
+          LEVEL="${{ inputs.level }}"
+          RUN_URL="https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+          # Get commit message, handling special characters properly
+          COMMIT_MESSAGE="${{ github.event.head_commit.message || 'N/A' }}"
+          # Create error message
+          if [ "$FAILED_JOB" != "Unknown" ]; then
+            ERROR_MESSAGE="CI/CD Workflow Failure: ${WORKFLOW_NAME} - ${FAILED_JOB}"
+          else
+            ERROR_MESSAGE="CI/CD Workflow Failure: ${WORKFLOW_NAME}"
+          fi
+          # Get current timestamp in ISO format
+          TIMESTAMP=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z")
+          # Create JSON payload for Sentry API using jq for proper escaping
+          PAYLOAD=$(jq -n \
+            --arg message "${ERROR_MESSAGE}" \
+            --arg level "${LEVEL}" \
+            --arg timestamp "${TIMESTAMP}" \
+            --arg workflow_name "${WORKFLOW_NAME}" \
+            --arg failed_job "${FAILED_JOB}" \
+            --arg run_url "${RUN_URL}" \
+            --arg repository "${{ github.repository }}" \
+            --arg commit "${{ github.sha }}" \
+            --arg commit_message "${COMMIT_MESSAGE}" \
+            --arg triggered_by "${{ github.actor }}" \
+            --arg environment "${ENVIRONMENT}" \
+            --arg ref "${{ github.ref }}" \
+            --arg run_id "${{ github.run_id }}" \
+            '{
+              "message": $message,
+              "level": $level,
+              "timestamp": $timestamp,
+              "platform": "other",
+              "sdk": {
+                "name": "github-actions",
+                "version": "1.0.0"
+              },
+              "logger": "github-actions.ci",
+              "environment": $environment,
+              "tags": {
+                "workflow": $workflow_name,
+                "job": $failed_job,
+                "repository": $repository,
+                "triggered_by": $triggered_by,
+                "ref": $ref,
+                "source": "github-actions"
+              },
+              "extra": {
+                "workflow_run_url": $run_url,
+                "commit_sha": $commit,
+                "commit_message": $commit_message,
+                "run_id": $run_id,
+                "failure_type": "ci_cd_workflow"
+              },
+              "contexts": {
+                "runtime": {
+                  "name": "github-actions",
+                  "version": "latest"
+                },
+                "os": {
+                  "name": "ubuntu-latest"
+                }
+              },
+              "fingerprint": ["github-actions", $workflow_name, $failed_job]
+            }')
+          # Debug: Print the payload to see what'\''s being sent (without sensitive data)
+          echo "Debug: Generated payload:"
+          echo "$PAYLOAD" | jq 'del(.extra.commit_message)' | head -20
+          # Debug: Print Sentry configuration
+          echo "Debug: SENTRY_ORG=${{ inputs.SENTRY_ORG }}"
+          echo "Debug: SENTRY_PROJECT=${{ inputs.SENTRY_PROJECT }}"
+          echo "Debug: API URL=https://sentry.io/api/0/projects/${{ inputs.SENTRY_ORG }}/${{ inputs.SENTRY_PROJECT }}/store/"
+          # First, let's get the DSN for this project
+          DSN_RESPONSE=$(curl -s -w "\n%{http_code}" \
+            -H "Authorization: Bearer ${{ secrets.SENTRY_AUTH_TOKEN }}" \
+            "https://sentry.io/api/0/projects/${{ inputs.SENTRY_ORG }}/${{ inputs.SENTRY_PROJECT }}/keys/")
+          DSN_STATUS=$(echo "$DSN_RESPONSE" | tail -n1)
+          DSN_BODY=$(echo "$DSN_RESPONSE" | head -n -1)
+          if [ "$DSN_STATUS" = "200" ]; then
+            # Extract the DSN from the first key
+            DSN=$(echo "$DSN_BODY" | jq -r '.[0].dsn.public // empty')
+            echo "Debug: Found DSN: ${DSN:0:50}..." # Show first 50 chars for security
+            # Parse DSN to get the project ID and key
+            if [[ $DSN =~ https://([^@]+)@([^/]+)/([0-9]+) ]]; then
+              SENTRY_KEY="${BASH_REMATCH[1]}"
+              SENTRY_HOST="${BASH_REMATCH[2]}"
+              PROJECT_ID="${BASH_REMATCH[3]}"
+              # Call Sentry API to create issue using the store endpoint with proper auth
+              RESPONSE=$(curl -s -w "\n%{http_code}" \
+                -H "X-Sentry-Auth: Sentry sentry_version=7, sentry_key=$SENTRY_KEY" \
+                -H "Content-Type: application/json" \
+                -X POST \
+                --data "${PAYLOAD}" \
+                "https://${SENTRY_HOST}/api/${PROJECT_ID}/store/")
+            else
+              echo "Error: Could not parse DSN"
+              exit 1
+            fi
+          else
+            echo "Error: Could not retrieve project DSN. Status: $DSN_STATUS"
+            echo "Response: $DSN_BODY"
+            exit 1
+          fi
+          # Extract HTTP status code from response
+          HTTP_STATUS=$(echo "$RESPONSE" | tail -n1)
+          RESPONSE_BODY=$(echo "$RESPONSE" | head -n -1)
+          echo "HTTP Status: $HTTP_STATUS"
+          if [ "$HTTP_STATUS" = "200" ] || [ "$HTTP_STATUS" = "201" ]; then
+            # Extract issue ID from response
+            ISSUE_ID=$(echo "$RESPONSE_BODY" | jq -r '.id // empty')
+            if [ -n "$ISSUE_ID" ] && [ "$ISSUE_ID" != "null" ]; then
+              echo "Successfully created Sentry issue: $ISSUE_ID"
+              echo "issue_id=$ISSUE_ID" >> $GITHUB_OUTPUT
+              echo "issue_url=https://sentry.io/organizations/${{ inputs.SENTRY_ORG }}/issues/?project=${{ inputs.SENTRY_PROJECT }}&query=$ISSUE_ID" >> $GITHUB_OUTPUT
+            else
+              echo "Issue created but no ID returned. Response:"
+              echo "$RESPONSE_BODY" | jq . || echo "$RESPONSE_BODY"
+            fi
+          else
+            echo "Failed to create Sentry issue. API response:"
+            echo "Status: $HTTP_STATUS"
+            echo "Body: $RESPONSE_BODY"
+            # Provide helpful error messages
+            if [ "$HTTP_STATUS" = "400" ]; then
+              echo "Error: Bad request. Please check the payload format."
+            elif [ "$HTTP_STATUS" = "401" ]; then
+              echo "Error: Authentication failed. Please check SENTRY_AUTH_TOKEN."
+            elif [ "$HTTP_STATUS" = "403" ]; then
+              echo "Error: Permission denied. Please check token permissions (needs project:write)."
+            elif [ "$HTTP_STATUS" = "404" ]; then
+              echo "Error: Project not found. Please check SENTRY_ORG and SENTRY_PROJECT."
+            elif [ "$HTTP_STATUS" = "429" ]; then
+              echo "Error: Rate limit exceeded. Please try again later."
+            fi
+            exit 1
+          fi
+      - name: 📢 Report Issue Creation
+        if: steps.create_sentry_issue.outputs.issue_id
+        run: |
+          cd "${{ inputs.working_directory || '.' }}"
+          echo "Created Sentry issue: ${{ steps.create_sentry_issue.outputs.issue_id }}"
+          echo "Issue URL: ${{ steps.create_sentry_issue.outputs.issue_url }}"
+      - name: 📢 Report Creation Attempt
+        if: steps.create_sentry_issue.conclusion == 'success' && !steps.create_sentry_issue.outputs.issue_id
+        run: |
+          cd "${{ inputs.working_directory || '.' }}"
+          echo "Sentry event was sent successfully, but issue ID was not returned."
+          echo "Check your Sentry dashboard: https://sentry.io/organizations/${{ inputs.SENTRY_ORG }}/issues/?project=${{ inputs.SENTRY_PROJECT }}"

package/typescript/copy-overwrite/.github/workflows/quality.yml CHANGED Viewed

@@ -964,30 +964,53 @@ jobs:
           fi
         working-directory: ${{ inputs.working_directory || '.' }}
-      - name: 🔒 Run security audit
+      - name: 📋 Load audit exclusions
+        id: audit_exclusions
         run: |
-          if [ "${{ inputs.package_manager }}" = "npm" ]; then
-            # Run npm audit in JSON mode and filter out known false positives before failing.
-            # npm audit lacks a native --ignore flag, so we parse JSON and exclude by GHSA ID.
-            # Excluding GHSA-3ppc-4f35-3m26: minimatch ReDoS via repeated wildcards
-            # Nested dep in aws-cdk-lib; fix requires minimatch v10 (incompatible with ^3.1.2)
-            # Risk: None - dev-time CDK tooling, no production runtime exposure
-            # Excluding GHSA-7r86-cg39-jmmj: minimatch ReDoS via multiple non-adjacent GLOBSTAR segments
-            # Same transitive dependency chain as GHSA-3ppc-4f35-3m26
-            # Risk: None - only devDependency tooling, never processes untrusted user input
+          GHSA_IDS=""
+          CVE_IDS=""
+          for config_file in audit.ignore.config.json audit.ignore.local.json; do
+            if [ -f "$config_file" ]; then
+              FILE_IDS=$(jq -r '.exclusions[].id' "$config_file" 2>/dev/null)
+              if [ -n "$FILE_IDS" ]; then
+                GHSA_IDS="$GHSA_IDS $FILE_IDS"
+              fi
+              FILE_CVES=$(jq -r '.exclusions[] | select(.cve != null) | .cve' "$config_file" 2>/dev/null)
+              if [ -n "$FILE_CVES" ]; then
+                CVE_IDS="$CVE_IDS $FILE_CVES"
+              fi
+            fi
+          done
+          GHSA_IDS=$(echo "$GHSA_IDS" | tr ' ' '\n' | sort -u | grep -v '^$' | tr '\n' ' ')
+          CVE_IDS=$(echo "$CVE_IDS" | tr ' ' '\n' | sort -u | grep -v '^$' | tr '\n' ' ')
+          echo "ghsa_ids=$GHSA_IDS" >> $GITHUB_OUTPUT
+          echo "cve_ids=$CVE_IDS" >> $GITHUB_OUTPUT
+          echo "Loaded GHSA exclusions: $GHSA_IDS"
+          echo "Loaded CVE exclusions: $CVE_IDS"
+        working-directory: ${{ inputs.working_directory || '.' }}
-            # Excluding GHSA-23c5-xmqv-rm74: minimatch ReDoS via nested *() extglobs
-            # Same transitive dependency chain as GHSA-3ppc-4f35-3m26
-            # Risk: None - only devDependency tooling, never processes untrusted user input
+      - name: 🔒 Run security audit
+        run: |
+          GHSA_IDS="${{ steps.audit_exclusions.outputs.ghsa_ids }}"
+          CVE_IDS="${{ steps.audit_exclusions.outputs.cve_ids }}"
-            # Excluding GHSA-2g4f-4pwh-qvx6: ajv ReDoS with $data option
-            # Nested dep in aws-cdk-lib and eslint; no fix available via npm
-            # Risk: Low - $data option not used in this application
+          if [ "${{ inputs.package_manager }}" = "npm" ]; then
+            # Build jq exclusion filter for npm audit GHSA IDs
+            NPM_EXCLUDE_FILTER=""
+            for _id in $GHSA_IDS; do
+              if [ -n "$NPM_EXCLUDE_FILTER" ]; then
+                NPM_EXCLUDE_FILTER="$NPM_EXCLUDE_FILTER or . == \"$_id\""
+              else
+                NPM_EXCLUDE_FILTER=". == \"$_id\""
+              fi
+            done
             AUDIT_JSON=$(npm audit --production --json 2>/dev/null || true)
-            UNFIXED_HIGH=$(echo "$AUDIT_JSON" | jq '[.vulnerabilities | to_entries[] | select(.value.severity == "high" or .value.severity == "critical") | .value.via[] | select(type == "object") | .url | ltrimstr("https://github.com/advisories/")] | unique | map(select(. == "GHSA-3ppc-4f35-3m26" or . == "GHSA-7r86-cg39-jmmj" or . == "GHSA-23c5-xmqv-rm74" or . == "GHSA-2g4f-4pwh-qvx6" | not)) | length')
+            if [ -n "$NPM_EXCLUDE_FILTER" ]; then
+              UNFIXED_HIGH=$(echo "$AUDIT_JSON" | jq "[.vulnerabilities | to_entries[] | select(.value.severity == \"high\" or .value.severity == \"critical\") | .value.via[] | select(type == \"object\") | .url | ltrimstr(\"https://github.com/advisories/\")] | unique | map(select($NPM_EXCLUDE_FILTER | not)) | length")
+            else
+              UNFIXED_HIGH=$(echo "$AUDIT_JSON" | jq '[.vulnerabilities | to_entries[] | select(.value.severity == "high" or .value.severity == "critical") | .value.via[] | select(type == "object") | .url | ltrimstr("https://github.com/advisories/")] | unique | length')
+            fi
             if [ "$UNFIXED_HIGH" -gt 0 ]; then
               echo "::warning::Found high or critical vulnerabilities (after excluding known false positives)"
               npm audit --production --audit-level=high || true
@@ -995,26 +1018,42 @@ jobs:
             fi
             echo "::notice::No high or critical vulnerabilities found (excluding known false positives)"
           elif [ "${{ inputs.package_manager }}" = "yarn" ]; then
-            # Yarn audit outputs newline-delimited JSON, so we need to parse each line
-            # Excluding GHSA-5j98-mcp5-4vw2 (CVE-2025-64756): glob CLI command injection
-            # This vulnerability only affects the glob CLI (--cmd flag), not library usage
-            # We only use glob as a library through Babel and other tools - never invoke CLI
-            # Risk: None - vulnerable code path is not executed in our application
-            # Excluding GHSA-w532-jxjh-hjhj (CVE-2025-29907): jsPDF ReDoS in addImage
-            # Excluding GHSA-8mvj-3j78-4qmw (CVE-2025-57810): jsPDF DoS in addImage
-            # These require user control of addImage input with malicious data
-            # Our usage is controlled and doesn't expose this attack vector
-            # Tracked for upgrade in separate security remediation ticket
-            # Excluding GHSA-36jr-mh4h-2g58: d3-color ReDoS
-            # Transitive dependency through react-native-svg-charts (unmaintained)
-            # Replacement charting library evaluation in progress
-            # Risk: Low - color parsing is not user-controlled in our implementation
-            # Filter by both GHSA ID and CVE ID for robustness
-            yarn audit --groups dependencies --json | jq -r 'select(.type == "auditAdvisory") | select(.data.advisory.severity == "high" or .data.advisory.severity == "critical") | select((.data.advisory.github_advisory_id == "GHSA-5j98-mcp5-4vw2" or .data.advisory.github_advisory_id == "GHSA-w532-jxjh-hjhj" or .data.advisory.github_advisory_id == "GHSA-8mvj-3j78-4qmw" or .data.advisory.github_advisory_id == "GHSA-36jr-mh4h-2g58" or (.data.advisory.cves | any(. == "CVE-2025-64756" or . == "CVE-2025-29907" or . == "CVE-2025-57810"))) | not) | .data.advisory' > high_vulns.json
+            # Build jq filter for GHSA IDs
+            GHSA_FILTER=""
+            for _id in $GHSA_IDS; do
+              if [ -n "$GHSA_FILTER" ]; then
+                GHSA_FILTER="$GHSA_FILTER or .data.advisory.github_advisory_id == \"$_id\""
+              else
+                GHSA_FILTER=".data.advisory.github_advisory_id == \"$_id\""
+              fi
+            done
+            # Build jq filter for CVE IDs
+            CVE_FILTER=""
+            for _cve in $CVE_IDS; do
+              if [ -n "$CVE_FILTER" ]; then
+                CVE_FILTER="$CVE_FILTER or . == \"$_cve\""
+              else
+                CVE_FILTER=". == \"$_cve\""
+              fi
+            done
+            # Combine GHSA and CVE filters
+            COMBINED_FILTER=""
+            if [ -n "$GHSA_FILTER" ] && [ -n "$CVE_FILTER" ]; then
+              COMBINED_FILTER="($GHSA_FILTER or (.data.advisory.cves | any($CVE_FILTER)))"
+            elif [ -n "$GHSA_FILTER" ]; then
+              COMBINED_FILTER="($GHSA_FILTER)"
+            elif [ -n "$CVE_FILTER" ]; then
+              COMBINED_FILTER="((.data.advisory.cves | any($CVE_FILTER)))"
+            fi
+            if [ -n "$COMBINED_FILTER" ]; then
+              yarn audit --groups dependencies --json | jq -r "select(.type == \"auditAdvisory\") | select(.data.advisory.severity == \"high\" or .data.advisory.severity == \"critical\") | select(($COMBINED_FILTER) | not) | .data.advisory" > high_vulns.json
+            else
+              yarn audit --groups dependencies --json | jq -r 'select(.type == "auditAdvisory") | select(.data.advisory.severity == "high" or .data.advisory.severity == "critical") | .data.advisory' > high_vulns.json
+            fi
             if [ -s high_vulns.json ]; then
               echo "::error::Found high or critical vulnerabilities:"
               cat high_vulns.json
@@ -1023,64 +1062,13 @@ jobs:
               echo "::notice::No high or critical vulnerabilities found (excluding known false positives)"
             fi
           elif [ "${{ inputs.package_manager }}" = "bun" ]; then
-            # Excluding GHSA-5j98-mcp5-4vw2 (CVE-2025-64756): glob CLI command injection
-            # This vulnerability only affects the glob CLI (--cmd flag), not library usage
-            # We only use glob as a library through Babel and other tools - never invoke CLI
-            # Excluding GHSA-8qq5-rm4j-mr97: node-tar path sanitization vulnerability
-            # Nested dependency in @expo/cli - bun resolves to patched version but audit still flags it
-            # Risk: Low - only affects tar extraction with malicious filenames, not our use case
-            # Excluding GHSA-37qj-frw5-hhjh: fast-xml-parser RangeError DoS with numeric entities
-            # Transitive dependency via @react-native-community/cli (Android/iOS build tooling)
-            # Parent packages pin ^4.4.1; fix requires major version 5.x (incompatible)
-            # Risk: None - CLI build tool, not a production runtime dependency
-            # Excluding GHSA-3ppc-4f35-3m26: minimatch ReDoS via repeated wildcards
-            # Transitive dependency in devDependencies (eslint, jest, nodemon, ts-morph, etc.)
-            # Fix requires minimatch v10 which changes export shape (object vs function),
-            # breaking test-exclude (used by Jest coverage). No production code path is affected.
-            # Risk: None - only devDependency tooling, never processes untrusted user input
-            # Excluding GHSA-jmr7-xgp7-cmfj: fast-xml-parser DoS through entity expansion in DOCTYPE
-            # Transitive dependency via AWS SDK (@aws-sdk/xml-builder) and snowflake-sdk
-            # Resolution to >=5.3.6 set in package.json but bun audit still flags intermediate ranges
-            # Risk: Low - XML parsing of untrusted DOCTYPE content not in our code paths
-            # Excluding GHSA-m7jm-9gc2-mpf2: fast-xml-parser entity encoding bypass via regex injection
-            # Same transitive path as GHSA-jmr7-xgp7-cmfj (AWS SDK, snowflake-sdk)
-            # Resolution to >=5.3.6 set in package.json but bun audit still flags intermediate ranges
-            # Risk: Low - no untrusted XML with DOCTYPE entity names processed
-            # Excluding GHSA-r6q2-hw4h-h46w: node-tar race condition via Unicode Ligature Collisions on macOS APFS
-            # Transitive via @nestjs/apollo > @apollo/gateway > make-fetch-happen > cacache > tar
-            # Resolution to ^7.5.8 set in package.json but bun audit still flags intermediate ranges
-            # Risk: None - tar extraction not used in production runtime
-            # Excluding GHSA-34x7-hfp2-rc4v: node-tar arbitrary file creation via hardlink path traversal
-            # Same transitive path as GHSA-r6q2-hw4h-h46w
-            # Risk: None - tar extraction not used in production runtime
-            # Excluding GHSA-83g3-92jg-28cx: node-tar arbitrary file read/write via hardlink target escape
-            # Same transitive path as GHSA-r6q2-hw4h-h46w
-            # Risk: None - tar extraction not used in production runtime
-            # Excluding GHSA-3h5v-q93c-6h6q: ws DoS when handling request with many HTTP headers
-            # Transitive via @nestjs/graphql, graphql-ws, openai, serverless-offline, serverless-esbuild
-            # Resolution to ^8.17.1 set in package.json but bun audit still flags intermediate ranges
-            # Risk: Low - WebSocket servers behind API Gateway which limits headers
-            # Excluding GHSA-7r86-cg39-jmmj: minimatch ReDoS via multiple non-adjacent GLOBSTAR segments
-            # Same transitive dependency chain as GHSA-3ppc-4f35-3m26 (eslint, jest, ts-morph, etc.)
-            # Fix requires minimatch >=3.1.3 but bun cannot override transitive dependency version ranges
-            # Risk: None - only devDependency tooling, never processes untrusted user input
-            # Excluding GHSA-23c5-xmqv-rm74: minimatch ReDoS via nested *() extglobs
-            # Same transitive dependency chain as GHSA-3ppc-4f35-3m26 (eslint, jest, ts-morph, etc.)
-            # Fix requires minimatch >=3.1.3 but bun cannot override transitive dependency version ranges
-            # Risk: None - only devDependency tooling, never processes untrusted user input
-            if ! bun audit --audit-level=high --ignore GHSA-5j98-mcp5-4vw2 --ignore GHSA-8qq5-rm4j-mr97 --ignore GHSA-37qj-frw5-hhjh --ignore GHSA-3ppc-4f35-3m26 --ignore GHSA-jmr7-xgp7-cmfj --ignore GHSA-m7jm-9gc2-mpf2 --ignore GHSA-r6q2-hw4h-h46w --ignore GHSA-34x7-hfp2-rc4v --ignore GHSA-83g3-92jg-28cx --ignore GHSA-3h5v-q93c-6h6q --ignore GHSA-7r86-cg39-jmmj --ignore GHSA-23c5-xmqv-rm74; then
+            # Build --ignore flags dynamically from exclusion list
+            BUN_IGNORE_FLAGS=""
+            for _id in $GHSA_IDS; do
+              BUN_IGNORE_FLAGS="$BUN_IGNORE_FLAGS --ignore $_id"
+            done
+            if ! bun audit --audit-level=high $BUN_IGNORE_FLAGS; then
               echo "::warning::Found high or critical vulnerabilities"
               exit 1
             fi

package/typescript/copy-overwrite/audit.ignore.config.json ADDED Viewed

@@ -0,0 +1,87 @@
+{
+  "exclusions": [
+    {
+      "id": "GHSA-5j98-mcp5-4vw2",
+      "cve": "CVE-2025-64756",
+      "package": "glob",
+      "reason": "CLI command injection — only affects glob CLI --cmd flag, not library usage"
+    },
+    {
+      "id": "GHSA-8qq5-rm4j-mr97",
+      "package": "node-tar",
+      "reason": "Path sanitization vulnerability — nested in @expo/cli, tar extraction not in our code path"
+    },
+    {
+      "id": "GHSA-37qj-frw5-hhjh",
+      "package": "fast-xml-parser",
+      "reason": "RangeError DoS with numeric entities — transitive via React Native CLI, build tool only"
+    },
+    {
+      "id": "GHSA-3ppc-4f35-3m26",
+      "package": "minimatch",
+      "reason": "ReDoS via repeated wildcards — devDeps only, fix requires breaking minimatch v10"
+    },
+    {
+      "id": "GHSA-7r86-cg39-jmmj",
+      "package": "minimatch",
+      "reason": "ReDoS via multiple non-adjacent GLOBSTAR segments — devDeps only, fix requires minimatch >=3.1.3"
+    },
+    {
+      "id": "GHSA-23c5-xmqv-rm74",
+      "package": "minimatch",
+      "reason": "ReDoS via nested *() extglobs — devDeps only, fix requires minimatch >=3.1.3"
+    },
+    {
+      "id": "GHSA-2g4f-4pwh-qvx6",
+      "package": "ajv",
+      "reason": "ReDoS with $data option — $data option not used, nested in aws-cdk-lib/eslint"
+    },
+    {
+      "id": "GHSA-jmr7-xgp7-cmfj",
+      "package": "fast-xml-parser",
+      "reason": "DoS through entity expansion in DOCTYPE — transitive via AWS SDK, no untrusted XML parsing"
+    },
+    {
+      "id": "GHSA-m7jm-9gc2-mpf2",
+      "package": "fast-xml-parser",
+      "reason": "Entity encoding bypass via regex injection — same path as GHSA-jmr7-xgp7-cmfj"
+    },
+    {
+      "id": "GHSA-r6q2-hw4h-h46w",
+      "package": "node-tar",
+      "reason": "Race condition via Unicode Ligature Collisions on macOS APFS — transitive via NestJS/Apollo, tar not used in production"
+    },
+    {
+      "id": "GHSA-34x7-hfp2-rc4v",
+      "package": "node-tar",
+      "reason": "Arbitrary file creation via hardlink path traversal — same path as GHSA-r6q2-hw4h-h46w"
+    },
+    {
+      "id": "GHSA-83g3-92jg-28cx",
+      "package": "node-tar",
+      "reason": "Arbitrary file read/write via hardlink target escape — same path as GHSA-r6q2-hw4h-h46w"
+    },
+    {
+      "id": "GHSA-3h5v-q93c-6h6q",
+      "package": "ws",
+      "reason": "DoS via many HTTP headers — WebSocket servers behind API Gateway which limits headers"
+    },
+    {
+      "id": "GHSA-w532-jxjh-hjhj",
+      "cve": "CVE-2025-29907",
+      "package": "jsPDF",
+      "reason": "ReDoS in addImage — controlled usage only, no user-controlled input to addImage"
+    },
+    {
+      "id": "GHSA-8mvj-3j78-4qmw",
+      "cve": "CVE-2025-57810",
+      "package": "jsPDF",
+      "reason": "DoS in addImage — controlled usage only, no user-controlled input to addImage"
+    },
+    {
+      "id": "GHSA-36jr-mh4h-2g58",
+      "package": "d3-color",
+      "reason": "ReDoS — transitive via react-native-svg-charts, color parsing not user-controlled"
+    }
+  ]
+}

package/typescript/copy-overwrite/eslint.ignore.config.json CHANGED Viewed

@@ -70,6 +70,9 @@
     "scripts/**",
     "lib/**/*.js",
-    "cdk.out/**"
+    "cdk.out/**",
+    "audit.ignore.config.json",
+    "audit.ignore.local.json"
   ]
 }

package/typescript/create-only/audit.ignore.local.json ADDED Viewed

@@ -0,0 +1,3 @@
+{
+  "exclusions": []
+}