shibd opened a new pull request, #465:
URL: https://github.com/apache/pulsar-client-node/pull/465

   ### Motivation
   
   The project has several security vulnerabilities in dev dependencies (2 critical, 3 high, 3 moderate) reported by `npm audit`. Additionally, `dtslint` (archived by Microsoft since Nov 2023) is no longer functional in fresh CI environments — it installs `typescript@next` (6.0.0-dev) into version-specific directories, causing type-checking failures with `DateTimeRangeFormatPart` errors. The CI also uses Node.js 18 which has reached EOL.
   
   ### Modifications
   
   - **Fix CVE vulnerabilities**: Added npm `overrides` in `package.json` to force secure versions of transitive dev dependencies:
     - `form-data@^4.0.1` (fixes [GHSA-fjxv-7rqg-78g4](https://github.com/advisories/GHSA-fjxv-7rqg-78g4) - critical)
     - `qs@^6.14.1` (fixes [GHSA-6rw7-vpxm-498p](https://github.com/advisories/GHSA-6rw7-vpxm-498p) - moderate)
     - `tough-cookie@^4.1.3` (fixes [GHSA-72xf-g2v4-qvf3](https://github.com/advisories/GHSA-72xf-g2v4-qvf3) - moderate)
     - `tar@^7.5.8` (fixes multiple high severity CVEs)
   
   - **Replace deprecated `dtslint` with `tsc --noEmit`**: As [recommended by Microsoft](https://aka.ms/type-testing-tools), replaced the archived `dtslint` package with standard TypeScript compilation check. Removed `dtslint` and `@definitelytyped/utils` from devDependencies, deleted `tslint.json`.
   
   - **Upgrade Node.js 18 → 22** in CI workflows (`ci-pr-validation.yml`, `ci-build-release-napi.yml`) since Node.js 18 has reached EOL.
   
   ### Verifying this change
   
   - [ ] Make sure that the change passes the CI checks.
   
   This change is a trivial rework / code cleanup without any test coverage.
   
   - `npm audit` now reports **0 vulnerabilities** (was 8)
   - `npm run dtslint` (`tsc --noEmit`) passes locally
   - No changes to runtime code, published package content, or public API
   
   ### Documentation
   
   - [x] `doc-not-needed`
   (Infrastructure/toolchain changes only, no user-facing API changes)
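An npm `overrides` entry only pins the versions npm resolves at install time; the check a reviewer wants is that no copy of the affected package, including nested ones under `node_modules/<dep>/node_modules/`, still resolves below the override. The script below is an added example, not code from the PR or the pulsar-client-node project: it takes the four caret ranges the PR lists, walks a constructed `package-lock.json` (lockfile v2/v3 `packages` map) and reports every resolved copy that violates an override. On a real checkout, replace the constructed objects with `JSON.parse(fs.readFileSync(...))` of `package.json` and `package-lock.json`.

```javascript
// Added example (not from the PR): verify that every resolved copy of a
// package in package-lock.json satisfies the npm "overrides" ranges.
// Both objects below are constructed inline so the script runs offline.

// Caret ranges as listed in the PR (assumed to live under "overrides"
// in package.json).
const overrides = {
  'form-data': '^4.0.1',
  'qs': '^6.14.1',
  'tough-cookie': '^4.1.3',
  'tar': '^7.5.8',
};

// Constructed lockfile (lockfileVersion 2/3 shape). One nested copy of
// tough-cookie under "request" still resolves to a pre-override version.
const lockfile = {
  packages: {
    'node_modules/form-data': { version: '4.0.1' },
    'node_modules/qs': { version: '6.14.1' },
    'node_modules/tar': { version: '7.5.8' },
    'node_modules/request/node_modules/tough-cookie': { version: '2.5.0' },
  },
};

function parseVersion(v) {
  return v.split('.').map(Number);
}

// Caret semantics for major >= 1: same major and at least the minimum.
// (0.x caret ranges pin the minor instead; none of the overrides here are 0.x.)
function satisfiesCaret(range, version) {
  const min = parseVersion(range.replace(/^\^/, ''));
  const got = parseVersion(version);
  if (got[0] !== min[0]) return false;
  for (let i = 0; i < 3; i++) {
    if (got[i] > min[i]) return true;
    if (got[i] < min[i]) return false;
  }
  return true;
}

// Returns one {path, version, range} entry per resolved copy that violates
// an override; an empty array means the overrides took effect everywhere.
function findOverrideViolations(lock, ovr) {
  const violations = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    const name = path.split('node_modules/').pop(); // handles @scope/name too
    if (!(name in ovr)) continue;
    if (!satisfiesCaret(ovr[name], entry.version)) {
      violations.push({ path, version: entry.version, range: ovr[name] });
    }
  }
  return violations;
}

console.log(findOverrideViolations(lockfile, overrides));
```

A non-empty result means `npm audit` may still flag the package even though the override is present, typically because the lockfile predates the override and needs a fresh `npm install`.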


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
