|
| 1 | +# AI Agent Guide: Security Vulnerability Fixes |
| 2 | + |
| 3 | +This document provides a strategic guide for AI agents tasked with fixing security vulnerabilities in the parcellab-utilities repository. |
| 4 | + |
| 5 | +## 📋 Task Overview |
| 6 | + |
| 7 | +**Goal**: Address all security vulnerabilities reported by Dependabot/npm audit while maintaining code functionality and test coverage. |
| 8 | + |
| 9 | +**Repository**: parcelLab/parcellab-utilities |
| 10 | +**Tech Stack**: Node.js, Babel, Mocha, ESLint |
| 11 | +**Package Manager**: npm |
| 12 | + |
| 13 | +## 🎯 Strategy & Approach |
| 14 | + |
| 15 | +### Phase 1: Discovery & Analysis (5-10 minutes) |
| 16 | + |
| 17 | +1. **Understand the repository structure** |
| 18 | + ```bash |
| 19 | + cd /home/runner/work/parcellab-utilities/parcellab-utilities |
| 20 | + ls -la |
| 21 | + cat package.json |
| 22 | + ``` |
| 23 | + |
| 24 | +2. **Establish baseline** |
| 25 | + ```bash |
| 26 | + npm install # Install current dependencies |
| 27 | + npm audit # Identify all vulnerabilities |
| 28 | + npm test # Verify tests pass before changes |
| 29 | + npm run build # Verify build works |
| 30 | + npm run lint # Verify linter passes |
| 31 | + ``` |
| 32 | + |
| 33 | +3. **Analyze vulnerability report** |
| 34 | + - Count total vulnerabilities by severity (critical, high, moderate, low) |
| 35 | + - Identify vulnerable packages (direct vs transitive dependencies) |
| 36 | + - Note which vulnerabilities can be auto-fixed |
| 37 | + |
| 38 | +### Phase 2: Automated Fixes (2-5 minutes) |
| 39 | + |
| 40 | +1. **Apply automatic fixes first** |
| 41 | + ```bash |
| 42 | + npm audit fix --dry-run # Preview what will be fixed |
| 43 | + npm audit fix # Apply automatic fixes |
| 44 | + npm audit # Check remaining vulnerabilities |
| 45 | + ``` |
| 46 | + |
| 47 | +2. **Verify automatic fixes didn't break anything** |
| 48 | + ```bash |
| 49 | + npm test |
| 50 | + npm run build |
| 51 | + npm run lint |
| 52 | + ``` |
| 53 | + |
| 54 | +### Phase 3: Manual Dependency Updates (10-20 minutes) |
| 55 | + |
| 56 | +**Key Insight**: Most vulnerabilities in this repo come from transitive dependencies through semantic-release packages. |
| 57 | + |
| 58 | +1. **Identify the root cause packages** |
| 59 | + - Check `npm ls <vulnerable-package>` to understand dependency tree |
| 60 | + - Focus on updating parent packages rather than trying to update transitive deps directly |
| 61 | + |
| 62 | +2. **Strategic update order** (learned from experience): |
| 63 | + |
| 64 | + a. **@semantic-release packages** - These are the main culprits: |
| 65 | + ```bash |
| 66 | + npm install --save-dev @semantic-release/git@latest |
| 67 | + ``` |
| 68 | + This single update typically cascades to: |
| 69 | + - `semantic-release` (the core) |
| 70 | + - `@semantic-release/npm` |
| 71 | + - `@semantic-release/github` |
| 72 | + - All `@octokit/*` packages |
| 73 | + - Many other transitive dependencies |
| 74 | + |
| 75 | + b. **Babel packages** - Usually auto-fixed, but if needed: |
| 76 | + ```bash |
| 77 | + npm update @babel/core @babel/cli @babel/preset-env @babel/register |
| 78 | + ``` |
| 79 | + |
| 80 | + c. **Test framework packages**: |
| 81 | + ```bash |
| 82 | + npm update mocha nyc |
| 83 | + ``` |
| 84 | + |
| 85 | + d. **Other dev dependencies** as needed |
| 86 | + |
| 87 | +3. **Verify after each major update** |
| 88 | + ```bash |
| 89 | + npm audit |
| 90 | + npm test |
| 91 | + ``` |
| 92 | + |
| 93 | +### Phase 4: Verification (5-10 minutes) |
| 94 | + |
| 95 | +1. **Run full test suite** |
| 96 | + ```bash |
| 97 | + npm test |
| 98 | + ``` |
| 99 | + - Should see: "103 passing" |
| 100 | + - Coverage should remain stable (~90% statements) |
| 101 | + |
| 102 | +2. **Build the project** |
| 103 | + ```bash |
| 104 | + npm run build |
| 105 | + ``` |
| 106 | + - Should compile successfully |
| 107 | + - Check that `lib/` directory contains updated files |
| 108 | + - Minor changes in generated code (e.g., Babel helpers) are expected and normal |
| 109 | + |
| 110 | +3. **Run linter** |
| 111 | + ```bash |
| 112 | + npm run lint |
| 113 | + ``` |
| 114 | + - Should pass with no errors |
| 115 | + |
| 116 | +4. **Final security audit** |
| 117 | + ```bash |
| 118 | + npm audit |
| 119 | + ``` |
| 120 | + - Target: "found 0 vulnerabilities" |
| 121 | + |
| 122 | +5. **Code quality checks** |
| 123 | + - Run code review tool |
| 124 | + - Run CodeQL security scanner |
| 125 | + - Both should report no issues |
| 126 | + |
| 127 | +### Phase 5: Documentation & Commit (5 minutes) |
| 128 | + |
| 129 | +1. **Create comprehensive commit message** |
| 130 | + - List specific packages updated |
| 131 | + - Note vulnerabilities fixed (count by severity) |
| 132 | + - Mention verification steps completed |
| 133 | + |
| 134 | +2. **Report progress regularly** |
| 135 | + - Use report_progress after establishing baseline |
| 136 | + - Use report_progress after successful fixes |
| 137 | + - Use report_progress for final completion |
| 138 | + |
| 139 | +## 💡 Key Learnings & Tips |
| 140 | + |
| 141 | +### Critical Success Factors |
| 142 | + |
| 143 | +1. **Update parent dependencies, not transitive ones** |
| 144 | + - ❌ Don't try: `npm install marked@latest` (if it's bundled in npm package) |
| 145 | + - ✅ Do try: `npm install @semantic-release/git@latest` (which updates semantic-release) |
| 146 | + |
| 147 | +2. **Bundled dependencies cannot be directly fixed** |
| 148 | + - npm package bundles many dependencies |
| 149 | + - These will show warnings like "is a bundled dependency... cannot be fixed automatically" |
| 150 | + - Solution: Update the parent package or wait for upstream fix |
| 151 | + |
| 152 | +3. **Single strategic update can fix many vulnerabilities** |
| 153 | + - Updating `@semantic-release/git` from v9 to v10 resolved 47 vulnerabilities |
| 154 | + - Always check the dependency tree before making multiple updates |
| 155 | + |
| 156 | +4. **Test early and often** |
| 157 | + - Run tests after each significant update |
| 158 | + - Don't wait until the end to discover breaking changes |
| 159 | +
|
| 160 | +5. **Generated code changes are normal** |
| 161 | + - Babel may generate slightly different code with newer versions |
| 162 | + - As long as tests pass, these changes are safe |
| 163 | + - Example: `lib/geo.js` had minor helper function changes |
| 164 | +
|
| 165 | +### Common Pitfalls to Avoid |
| 166 | +
|
| 167 | +❌ **Don't skip the baseline** |
| 168 | +- Always run tests/build/lint BEFORE making changes |
| 169 | +- You need to know what failures are pre-existing vs. caused by your changes |
| 170 | + |
| 171 | +❌ **Don't update all packages blindly** |
| 172 | +- Start with strategic packages (semantic-release family) |
| 173 | +- Verify after each major update |
| 174 | +- Only update what's necessary |
| 175 | + |
| 176 | +❌ **Don't ignore test failures** |
| 177 | +- All 103 tests must pass |
| 178 | +- If tests fail, investigate before proceeding |
| 179 | +- May need to revert and try a different approach |
| 180 | +
|
| 181 | +❌ **Don't forget to rebuild** |
| 182 | +- After updating Babel, always run `npm run build` |
| 183 | +- Commit the updated `lib/` directory |
| 184 | +- This is part of the package's release process |
| 185 | +
|
| 186 | +❌ **Don't leave security checks for the end** |
| 187 | +- Run code review and CodeQL before finalizing |
| 188 | +- Address any findings immediately |
| 189 | + |
| 190 | +## 🔍 Troubleshooting Guide |
| 191 | + |
| 192 | +### Problem: Vulnerabilities remain after npm audit fix |
| 193 | + |
| 194 | +**Solution**: Check if vulnerabilities are in bundled dependencies (npm package). Update the parent package instead. |
| 195 | + |
| 196 | +### Problem: Tests fail after dependency update |
| 197 | + |
| 198 | +**Solution**: |
| 199 | +1. Check error messages carefully |
| 200 | +2. Revert the problematic update: `git checkout package.json package-lock.json` |
| 201 | +3. Try updating packages one at a time |
| 202 | +4. Look for breaking changes in package changelogs |
| 203 | + |
| 204 | +### Problem: Build fails with new Babel version |
| 205 | + |
| 206 | +**Solution**: |
| 207 | +1. Check `.babelrc` configuration |
| 208 | +2. Ensure all Babel packages are compatible versions |
| 209 | +3. Update all Babel packages together: `npm update @babel/core @babel/cli @babel/preset-env @babel/register` |
| 210 | + |
| 211 | +### Problem: npm audit shows 0 vulnerabilities but Dependabot still shows alerts |
| 212 | + |
| 213 | +**Solution**: |
| 214 | +- Dependabot may be checking different things |
| 215 | +- Check the Dependabot URL: https://github.com/parcelLab/parcellab-utilities/security/dependabot |
| 216 | +- May need to wait for Dependabot to re-scan after your changes are merged |
| 217 | + |
| 218 | +## 📊 Success Metrics |
| 219 | + |
| 220 | +- ✅ npm audit reports: "found 0 vulnerabilities" |
| 221 | +- ✅ All 103 tests passing |
| 222 | +- ✅ Build completes successfully |
| 223 | +- ✅ Linter passes with no errors |
| 224 | +- ✅ Code review finds no issues |
| 225 | +- ✅ CodeQL reports 0 security alerts |
| 226 | +- ✅ Test coverage remains stable (~90%) |
| 227 | + |
| 228 | +## ⏱️ Estimated Time |
| 229 | + |
| 230 | +- **Simple case** (npm audit fix resolves everything): 15-20 minutes |
| 231 | +- **Complex case** (manual dependency updates needed): 30-45 minutes |
| 232 | +- **This case** (strategic @semantic-release update): 25 minutes |
| 233 | + |
| 234 | +## 📝 Checklist Template |
| 235 | + |
| 236 | +Use this checklist when reporting progress: |
| 237 | + |
| 238 | +```markdown |
| 239 | +- [ ] Install dependencies and establish baseline |
| 240 | +- [ ] Run npm audit to identify vulnerabilities |
| 241 | +- [ ] Apply npm audit fix for automatic fixes |
| 242 | +- [ ] Identify root cause packages for remaining vulnerabilities |
| 243 | +- [ ] Update strategic parent packages (e.g., @semantic-release/git) |
| 244 | +- [ ] Verify all tests pass (103 tests) |
| 245 | +- [ ] Verify build succeeds |
| 246 | +- [ ] Verify linter passes |
| 247 | +- [ ] Confirm npm audit shows 0 vulnerabilities |
| 248 | +- [ ] Run code review |
| 249 | +- [ ] Run CodeQL security scan |
| 250 | +- [ ] Document changes and commit |
| 251 | +``` |
| 252 | + |
| 253 | +## 🔄 Maintenance Notes |
| 254 | + |
| 255 | +**For future updates:** |
| 256 | +- This guide reflects the state as of February 2026 |
| 257 | +- Dependency update strategies may evolve |
| 258 | +- Always check npm/Node.js best practices for the current year |
| 259 | +- Review this guide periodically and update based on new learnings |
| 260 | + |
| 261 | +## 📚 Useful Commands Reference |
| 262 | + |
| 263 | +```bash |
| 264 | +# Audit commands |
| 265 | +npm audit # Show all vulnerabilities |
| 266 | +npm audit --json # JSON format for parsing |
| 267 | +npm audit fix # Auto-fix what's possible |
| 268 | +npm audit fix --force # Force updates (use with caution) |
| 269 | +
|
| 270 | +# Dependency inspection |
| 271 | +npm ls <package-name> # Show dependency tree |
| 272 | +npm outdated # Show outdated packages |
| 273 | +npm view <package-name> versions # Show available versions |
| 274 | +
|
| 275 | +# Update commands |
| 276 | +npm update <package-name> # Update to wanted version |
| 277 | +npm install <package>@latest # Update to latest version |
| 278 | +npm install --save-dev <package> # Update dev dependency |
| 279 | +
|
| 280 | +# Verification commands |
| 281 | +npm test # Run tests |
| 282 | +npm run build # Build the project |
| 283 | +npm run lint # Run linter |
| 284 | +git diff package.json # See what changed |
| 285 | +git status # Check working tree status |
| 286 | +``` |
| 287 | + |
| 288 | +## 🎓 Learning Resources |
| 289 | + |
| 290 | +- [npm audit documentation](https://docs.npmjs.com/cli/v8/commands/npm-audit) |
| 291 | +- [Semantic versioning](https://semver.org/) |
| 292 | +- [Dependabot documentation](https://docs.github.com/en/code-security/dependabot) |
| 293 | + |
| 294 | +--- |
| 295 | + |
| 296 | +**Last Updated**: February 6, 2026 |
| 297 | +**Last Successful Run**: Fixed 52 vulnerabilities (4 critical, 32 high, 14 moderate, 2 low) |
| 298 | +**Key Update**: @semantic-release/git v9.0.1 → v10.0.1 |
0 commit comments