
fix(deps): replace archiver with yazl#95

Merged
jsteinich merged 3 commits into open-constructs:main from dnwlf:fix/940fix-lodash-cve
Apr 16, 2026

Conversation

@dnwlf
Contributor

@dnwlf dnwlf commented Apr 9, 2026

Related issue

Fixes #94

Description

This PR replaces CDKTN's dependency on archiver, which includes a dependency on a version of lodash vulnerable to CVE-2026-4800, with a dependency on yazl, which looks to be a small, stable package with minimal dependencies. Not sure if this will be considered a pro or a con, but VS Code has a dependency on it.

Checklist

  • I have updated the PR title to match CDKTN's style guide
  • I have run the linter on my code locally
  • I have performed a self-review of my code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation if applicable
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works if applicable
  • New and existing unit tests pass locally with my changes

@dnwlf dnwlf requested a review from a team as a code owner April 9, 2026 17:24
@dnwlf dnwlf marked this pull request as draft April 9, 2026 19:27
@dnwlf dnwlf marked this pull request as ready for review April 9, 2026 21:40
Comment thread jest.preset.js Outdated
Comment thread package.json Outdated
@jsteinich jsteinich enabled auto-merge (squash) April 11, 2026 16:07
@jsteinich
Collaborator

@dnwlf I'm seeing at least 2 current test failures:

  1. Integration test setup. Probably just need to update test/yarn.lock, but could definitely be further failures.
  2. Provider integration test babel. This could be a problem with the central config, or perhaps we'll need to update test setups. As that could translate into breaking changes for end users, we'll want to investigate further.

auto-merge was automatically disabled April 16, 2026 01:24

Head branch was pushed to by a user without write access

@dnwlf dnwlf force-pushed the fix/940fix-lodash-cve branch from 339484d to 3eef2f6 Compare April 16, 2026 01:24
@dnwlf dnwlf changed the title from "fix(deps): replace archiver with archiver-node to resolve CVE-2026-4800" to "fix(deps): replace archiver with yazl" Apr 16, 2026
Comment thread packages/cdktn/package.json Outdated
Comment thread test-output.txt Outdated
Comment thread packages/cdktn/package.json Outdated
Comment thread packages/cdktn/test/archive.test.ts
Comment thread packages/cdktn/test/archive.test.ts
@dnwlf dnwlf requested a review from jsteinich April 16, 2026 14:11
@jsteinich jsteinich merged commit d227765 into open-constructs:main Apr 16, 2026
429 checks passed

Development

Successfully merging this pull request may close these issues.

security: lodash CVE-2026-4800

4 participants