Copilot commented on code in PR #465:
URL: https://github.com/apache/pulsar-client-node/pull/465#discussion_r2887322458


##########
package.json:
##########
@@ -7,6 +7,12 @@
   "resolutions": {
     "minimatch": "^9.0.0"
   },
+  "overrides": {
+    "form-data": "^4.0.1",
+    "qs": "^6.14.1",
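
Review bot: the added `"form-data": "^4.0.1"` entry applies to every dependent regardless of the range that dependent declares (the review comment notes the Yarn lockfile still resolves it to 3.x), and nothing in the hunk records which advisory or dependency path it is for. package.json cannot carry comments, so name the advisory and the consuming package in the commit message or PR description, and confirm CI exercises the code path that pulls in `form-data`. Both added ranges are carets, so they set a floor rather than a pin; the exact versions are fixed only by the committed lockfiles, which should be regenerated and reviewed in the same change.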

Review Comment:
   `overrides` is an npm-only feature; the repo’s PR workflow also runs `yarn 
install` (see `.github/workflows/ci-pr-validation.yml`), and Yarn classic will 
ignore this block. As a result, the security pinning here won’t apply to the 
Yarn install path (and `yarn.lock` currently still resolves `form-data` to 
3.x). Consider adding equivalent `resolutions` (or migrating to a Yarn version 
that supports `overrides`) so both package managers get the patched transitive 
versions.
   
   Also, `qs` doesn’t appear in either lockfile after this update; if it’s no 
longer in the dependency tree, removing that override would reduce confusion.
   ```suggestion
       "minimatch": "^9.0.0",
       "form-data": "^4.0.1",
       "tough-cookie": "^4.1.3",
       "tar": "^7.5.8"
     },
     "overrides": {
       "form-data": "^4.0.1",
   ```
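
The npm `overrides` versus Yarn `resolutions` mismatch raised in the comment above can be checked mechanically in CI. This is an added example, not part of the PR or of the review: `findPinDrift`, `resolutionTarget` and `samplePkg` are hypothetical names, and the sample object is constructed from the lines visible in the hunk only.

```javascript
// Package name targeted by a Yarn classic resolutions key,
// e.g. "**/qs" -> "qs", "a/b/qs" -> "qs", "**/@scope/pkg" -> "@scope/pkg".
function resolutionTarget(key) {
  const parts = key.split('/').filter((p) => p !== '**');
  const last = parts[parts.length - 1];
  const prev = parts[parts.length - 2];
  return prev && prev.startsWith('@') ? `${prev}/${last}` : last;
}

// Report pins that only one package manager will honour.
// `pkg` is a parsed package.json object.
function findPinDrift(pkg) {
  const overrides = new Map(Object.entries(pkg.overrides || {}));
  const resolutions = new Map();
  for (const [key, range] of Object.entries(pkg.resolutions || {})) {
    resolutions.set(resolutionTarget(key), range);
  }
  const drift = [];
  for (const [name, range] of overrides) {
    if (typeof range !== 'string') {
      // Nested npm overrides have no direct one-to-one mapping here.
      drift.push({ name, issue: 'nested override, review by hand' });
    } else if (!resolutions.has(name)) {
      drift.push({ name, issue: 'npm only: Yarn classic ignores overrides' });
    } else if (resolutions.get(name) !== range) {
      drift.push({ name, issue: `ranges differ: ${range} vs ${resolutions.get(name)}` });
    }
  }
  for (const name of resolutions.keys()) {
    if (!overrides.has(name)) {
      drift.push({ name, issue: 'Yarn only: npm ignores resolutions' });
    }
  }
  return drift;
}

// Constructed sample mirroring the visible hunk lines.
const samplePkg = {
  resolutions: { minimatch: '^9.0.0' },
  overrides: { 'form-data': '^4.0.1', qs: '^6.14.1' },
};

for (const { name, issue } of findPinDrift(samplePkg)) {
  console.log(`${name}: ${issue}`);
}
```

A CI step can read the real package.json, pass the parsed object to `findPinDrift`, and fail the job when the returned list is non-empty.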



##########
package.json:
##########
@@ -68,5 +72,12 @@
     "host": "https://archive.apache.org/dist/pulsar/pulsar-client-node/";,
     "remote_path": "pulsar-client-node-{version}",
     "package_name": "napi-{platform}-{libc}-{arch}.tar.gz"
+  },
+  "jest": {
+    "moduleNameMapper": {
+      "^consola/basic$": "consola/dist/basic.cjs",
+      "^consola/core$": "consola/dist/core.cjs",
+      "^consola/utils$": "consola/dist/utils.cjs"
+    }
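
Review bot: the three `moduleNameMapper` targets under the added `jest` key point at `consola/dist/*.cjs`, files inside the package's build output, and the hunk gives no reason for them. Since package.json cannot hold comments, move the Jest configuration to a `jest.config.js` where a comment can state which import fails without the mapping, or drop the block if nothing in the test run needs it.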

Review Comment:
   The PR description focuses on dependency security fixes and replacing 
`dtslint`, but this adds a Jest `moduleNameMapper` for `consola/*` subpaths. 
Since there are no in-repo imports of `consola` (tests don’t reference it) and 
this mapping relies on internal file paths (`consola/dist/*.cjs`), it’s 
potentially brittle across `consola` upgrades. Please either document why this 
mapping is needed (e.g., a specific failing test stack trace) or drop it to 
keep the change set aligned with the stated motivation.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
