Skip to content
This repository was archived by the owner on Feb 9, 2026. It is now read-only.

Commit 689c88c

Browse files
andibeugeCopilot
andauthored
Resolve 52 security vulnerabilities + add AI agent maintenance guide (#37) (#38)
* Initial plan * Initial analysis of security vulnerabilities * Update dependencies to fix all security vulnerabilities * Add comprehensive AI agent guide for security vulnerability fixes --------- Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
1 parent 6479f8b commit 689c88c

4 files changed

Lines changed: 5141 additions & 5142 deletions

File tree

AI_AGENT_README.md

Lines changed: 298 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,298 @@
1+
# AI Agent Guide: Security Vulnerability Fixes
2+
3+
This document provides a strategic guide for AI agents tasked with fixing security vulnerabilities in the parcellab-utilities repository.
4+
5+
## 📋 Task Overview
6+
7+
**Goal**: Address all security vulnerabilities reported by Dependabot/npm audit while maintaining code functionality and test coverage.
8+
9+
**Repository**: parcelLab/parcellab-utilities
10+
**Tech Stack**: Node.js, Babel, Mocha, ESLint
11+
**Package Manager**: npm
12+
13+
## 🎯 Strategy & Approach
14+
15+
### Phase 1: Discovery & Analysis (5-10 minutes)
16+
17+
1. **Understand the repository structure**
18+
```bash
19+
cd /home/runner/work/parcellab-utilities/parcellab-utilities
20+
ls -la
21+
cat package.json
22+
```
23+
24+
2. **Establish baseline**
25+
```bash
26+
npm install # Install current dependencies
27+
npm audit # Identify all vulnerabilities
28+
npm test # Verify tests pass before changes
29+
npm run build # Verify build works
30+
npm run lint # Verify linter passes
31+
```
32+
33+
3. **Analyze vulnerability report**
34+
- Count total vulnerabilities by severity (critical, high, moderate, low)
35+
- Identify vulnerable packages (direct vs transitive dependencies)
36+
- Note which vulnerabilities can be auto-fixed
37+
38+
### Phase 2: Automated Fixes (2-5 minutes)
39+
40+
1. **Apply automatic fixes first**
41+
```bash
42+
npm audit fix --dry-run # Preview what will be fixed
43+
npm audit fix # Apply automatic fixes
44+
npm audit # Check remaining vulnerabilities
45+
```
46+
47+
2. **Verify automatic fixes didn't break anything**
48+
```bash
49+
npm test
50+
npm run build
51+
npm run lint
52+
```
53+
54+
### Phase 3: Manual Dependency Updates (10-20 minutes)
55+
56+
**Key Insight**: Most vulnerabilities in this repo come from transitive dependencies through semantic-release packages.
57+
58+
1. **Identify the root cause packages**
59+
- Check `npm ls <vulnerable-package>` to understand dependency tree
60+
- Focus on updating parent packages rather than trying to update transitive deps directly
61+
62+
2. **Strategic update order** (learned from experience):
63+
64+
a. **@semantic-release packages** - These are the main culprits:
65+
```bash
66+
npm install --save-dev @semantic-release/git@latest
67+
```
68+
This single update typically cascades to:
69+
- `semantic-release` (the core)
70+
- `@semantic-release/npm`
71+
- `@semantic-release/github`
72+
- All `@octokit/*` packages
73+
- Many other transitive dependencies
74+
75+
b. **Babel packages** - Usually auto-fixed, but if needed:
76+
```bash
77+
npm update @babel/core @babel/cli @babel/preset-env @babel/register
78+
```
79+
80+
c. **Test framework packages**:
81+
```bash
82+
npm update mocha nyc
83+
```
84+
85+
d. **Other dev dependencies** as needed
86+
87+
3. **Verify after each major update**
88+
```bash
89+
npm audit
90+
npm test
91+
```
92+
93+
### Phase 4: Verification (5-10 minutes)
94+
95+
1. **Run full test suite**
96+
```bash
97+
npm test
98+
```
99+
- Should see: "103 passing"
100+
- Coverage should remain stable (~90% statements)
101+
102+
2. **Build the project**
103+
```bash
104+
npm run build
105+
```
106+
- Should compile successfully
107+
- Check that `lib/` directory contains updated files
108+
- Minor changes in generated code (e.g., Babel helpers) are expected and normal
109+
110+
3. **Run linter**
111+
```bash
112+
npm run lint
113+
```
114+
- Should pass with no errors
115+
116+
4. **Final security audit**
117+
```bash
118+
npm audit
119+
```
120+
- Target: "found 0 vulnerabilities"
121+
122+
5. **Code quality checks**
123+
- Run code review tool
124+
- Run CodeQL security scanner
125+
- Both should report no issues
126+
127+
### Phase 5: Documentation & Commit (5 minutes)
128+
129+
1. **Create comprehensive commit message**
130+
- List specific packages updated
131+
- Note vulnerabilities fixed (count by severity)
132+
- Mention verification steps completed
133+
134+
2. **Report progress regularly**
135+
- Use report_progress after establishing baseline
136+
- Use report_progress after successful fixes
137+
- Use report_progress for final completion
138+
139+
## 💡 Key Learnings & Tips
140+
141+
### Critical Success Factors
142+
143+
1. **Update parent dependencies, not transitive ones**
144+
- ❌ Don't try: `npm install marked@latest` (if it's bundled in npm package)
145+
- ✅ Do try: `npm install @semantic-release/git@latest` (which updates semantic-release)
146+
147+
2. **Bundled dependencies cannot be directly fixed**
148+
- npm package bundles many dependencies
149+
- These will show warnings like "is a bundled dependency... cannot be fixed automatically"
150+
- Solution: Update the parent package or wait for upstream fix
151+
152+
3. **Single strategic update can fix many vulnerabilities**
153+
- Updating `@semantic-release/git` from v9 to v10 resolved 47 vulnerabilities
154+
- Always check the dependency tree before making multiple updates
155+
156+
4. **Test early and often**
157+
- Run tests after each significant update
158+
- Don't wait until the end to discover breaking changes
159+
160+
5. **Generated code changes are normal**
161+
- Babel may generate slightly different code with newer versions
162+
- As long as tests pass, these changes are safe
163+
- Example: `lib/geo.js` had minor helper function changes
164+
165+
### Common Pitfalls to Avoid
166+
167+
❌ **Don't skip the baseline**
168+
- Always run tests/build/lint BEFORE making changes
169+
- You need to know what failures are pre-existing vs. caused by your changes
170+
171+
**Don't update all packages blindly**
172+
- Start with strategic packages (semantic-release family)
173+
- Verify after each major update
174+
- Only update what's necessary
175+
176+
**Don't ignore test failures**
177+
- All 103 tests must pass
178+
- If tests fail, investigate before proceeding
179+
- May need to revert and try a different approach
180+
181+
❌ **Don't forget to rebuild**
182+
- After updating Babel, always run `npm run build`
183+
- Commit the updated `lib/` directory
184+
- This is part of the package's release process
185+
186+
❌ **Don't leave security checks for the end**
187+
- Run code review and CodeQL before finalizing
188+
- Address any findings immediately
189+
190+
## 🔍 Troubleshooting Guide
191+
192+
### Problem: Vulnerabilities remain after npm audit fix
193+
194+
**Solution**: Check if vulnerabilities are in bundled dependencies (npm package). Update the parent package instead.
195+
196+
### Problem: Tests fail after dependency update
197+
198+
**Solution**:
199+
1. Check error messages carefully
200+
2. Revert the problematic update: `git checkout package.json package-lock.json`
201+
3. Try updating packages one at a time
202+
4. Look for breaking changes in package changelogs
203+
204+
### Problem: Build fails with new Babel version
205+
206+
**Solution**:
207+
1. Check `.babelrc` configuration
208+
2. Ensure all Babel packages are compatible versions
209+
3. Update all Babel packages together: `npm update @babel/core @babel/cli @babel/preset-env @babel/register`
210+
211+
### Problem: npm audit shows 0 vulnerabilities but Dependabot still shows alerts
212+
213+
**Solution**:
214+
- Dependabot may be checking different things
215+
- Check the Dependabot URL: https://github.com/parcelLab/parcellab-utilities/security/dependabot
216+
- May need to wait for Dependabot to re-scan after your changes are merged
217+
218+
## 📊 Success Metrics
219+
220+
- ✅ npm audit reports: "found 0 vulnerabilities"
221+
- ✅ All 103 tests passing
222+
- ✅ Build completes successfully
223+
- ✅ Linter passes with no errors
224+
- ✅ Code review finds no issues
225+
- ✅ CodeQL reports 0 security alerts
226+
- ✅ Test coverage remains stable (~90%)
227+
228+
## ⏱️ Estimated Time
229+
230+
- **Simple case** (npm audit fix resolves everything): 15-20 minutes
231+
- **Complex case** (manual dependency updates needed): 30-45 minutes
232+
- **This case** (strategic @semantic-release update): 25 minutes
233+
234+
## 📝 Checklist Template
235+
236+
Use this checklist when reporting progress:
237+
238+
```markdown
239+
- [ ] Install dependencies and establish baseline
240+
- [ ] Run npm audit to identify vulnerabilities
241+
- [ ] Apply npm audit fix for automatic fixes
242+
- [ ] Identify root cause packages for remaining vulnerabilities
243+
- [ ] Update strategic parent packages (e.g., @semantic-release/git)
244+
- [ ] Verify all tests pass (103 tests)
245+
- [ ] Verify build succeeds
246+
- [ ] Verify linter passes
247+
- [ ] Confirm npm audit shows 0 vulnerabilities
248+
- [ ] Run code review
249+
- [ ] Run CodeQL security scan
250+
- [ ] Document changes and commit
251+
```
252+
253+
## 🔄 Maintenance Notes
254+
255+
**For future updates:**
256+
- This guide reflects the state as of February 2026
257+
- Dependency update strategies may evolve
258+
- Always check npm/Node.js best practices for the current year
259+
- Review this guide periodically and update based on new learnings
260+
261+
## 📚 Useful Commands Reference
262+
263+
```bash
264+
# Audit commands
265+
npm audit # Show all vulnerabilities
266+
npm audit --json # JSON format for parsing
267+
npm audit fix # Auto-fix what's possible
268+
npm audit fix --force # Force updates (use with caution)
269+
270+
# Dependency inspection
271+
npm ls <package-name> # Show dependency tree
272+
npm outdated # Show outdated packages
273+
npm view <package-name> versions # Show available versions
274+
275+
# Update commands
276+
npm update <package-name> # Update to wanted version
277+
npm install <package>@latest # Update to latest version
278+
npm install --save-dev <package> # Update dev dependency
279+
280+
# Verification commands
281+
npm test # Run tests
282+
npm run build # Build the project
283+
npm run lint # Run linter
284+
git diff package.json # See what changed
285+
git status # Check working tree status
286+
```
287+
288+
## 🎓 Learning Resources
289+
290+
- [npm audit documentation](https://docs.npmjs.com/cli/v8/commands/npm-audit)
291+
- [Semantic versioning](https://semver.org/)
292+
- [Dependabot documentation](https://docs.github.com/en/code-security/dependabot)
293+
294+
---
295+
296+
**Last Updated**: February 6, 2026
297+
**Last Successful Run**: Fixed 52 vulnerabilities (4 critical, 32 high, 14 moderate, 2 low)
298+
**Key Update**: @semantic-release/git v9.0.1 → v10.0.1

lib/geo.js

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -8,8 +8,7 @@ exports.resolveCountryToISO3 = resolveCountryToISO3;
88
var Country = _interopRequireWildcard(require("countryjs"));
99
var _lodash = require("lodash");
1010
var _logger = require("./logger");
11-
function _getRequireWildcardCache(e) { if ("function" != typeof WeakMap) return null; var r = new WeakMap(), t = new WeakMap(); return (_getRequireWildcardCache = function (e) { return e ? t : r; })(e); }
12-
function _interopRequireWildcard(e, r) { if (!r && e && e.__esModule) return e; if (null === e || "object" != typeof e && "function" != typeof e) return { default: e }; var t = _getRequireWildcardCache(r); if (t && t.has(e)) return t.get(e); var n = { __proto__: null }, a = Object.defineProperty && Object.getOwnPropertyDescriptor; for (var u in e) if ("default" !== u && {}.hasOwnProperty.call(e, u)) { var i = a ? Object.getOwnPropertyDescriptor(e, u) : null; i && (i.get || i.set) ? Object.defineProperty(n, u, i) : n[u] = e[u]; } return n.default = e, t && t.set(e, n), n; }
11+
function _interopRequireWildcard(e, t) { if ("function" == typeof WeakMap) var r = new WeakMap(), n = new WeakMap(); return (_interopRequireWildcard = function (e, t) { if (!t && e && e.__esModule) return e; var o, i, f = { __proto__: null, default: e }; if (null === e || "object" != typeof e && "function" != typeof e) return f; if (o = t ? n : r) { if (o.has(e)) return o.get(e); o.set(e, f); } for (const t in e) "default" !== t && {}.hasOwnProperty.call(e, t) && ((i = (o = Object.defineProperty) && Object.getOwnPropertyDescriptor(e, t)) && (i.get || i.set) ? o(f, t, i) : f[t] = e[t]); return f; })(e, t); }
1312
/**
1413
* takes unidentified country info and tries to get the ISO2/ISO3 Code
1514
* @param {String} countryInfo some text about the country

0 commit comments

Comments
 (0)