From 953d347b47393c6da0a7bb8319fb404bf82ad8aa Mon Sep 17 00:00:00 2001
From: Mario Castro Squella
Date: Tue, 17 Mar 2026 18:31:41 -0300
Subject: [PATCH 1/2] Bump @azure/identity from ~4.7.0 to ~4.13.0

Resolves high severity vulnerability (GHSA-869p-cjfg-cm3x) where jws@4.0.0 had improper HMAC signature verification. The newer @azure/identity drops the jws dependency entirely.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 common/config/rush/pnpm-lock.yaml | 142 +++++++-----------
 .../package.json | 2 +-
 .../framework-provider-azure/package.json | 2 +-
 3 files changed, 60 insertions(+), 86 deletions(-)

diff --git a/common/config/rush/pnpm-lock.yaml b/common/config/rush/pnpm-lock.yaml
index 1ba9293cf..1928319e4 100644
--- a/common/config/rush/pnpm-lock.yaml
+++ b/common/config/rush/pnpm-lock.yaml
@@ -16,7 +16,7 @@ importers:
 specifier: 3.7.13
 version: 3.7.13(graphql@16.12.0)(react@17.0.2)(subscriptions-transport-ws@0.11.0(graphql@16.12.0))
 '@boostercloud/framework-types':
- specifier: workspace:^4.0.0
+ specifier: workspace:^4.0.1
 version: link:../framework-types
 '@effect-ts/core':
 specifier: ^0.60.4
@@ -47,7 +47,7 @@ importers:
 version: 8.18.0
 devDependencies:
 '@boostercloud/eslint-config':
- specifier: workspace:^4.0.0
+ specifier: workspace:^4.0.1
 version: link:../../tools/eslint-config
 '@types/jsonwebtoken':
 specifier: 9.0.8
@@ -104,10 +104,10 @@ importers:
 ../../packages/cli:
 dependencies:
 '@boostercloud/framework-core':
- specifier: workspace:^4.0.0
+ specifier: workspace:^4.0.1
 version: link:../framework-core
 '@boostercloud/framework-types':
- specifier: workspace:^4.0.0
+ specifier: workspace:^4.0.1
 version: link:../framework-types
 '@effect-ts/core':
 specifier: ^0.60.4
@@ -150,10 +150,10 @@ importers: version: 2.8.1 devDependencies: '@boostercloud/application-tester': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../application-tester '@boostercloud/eslint-config': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../../tools/eslint-config '@oclif/test': specifier: ^4.1.10 @@ -264,7 +264,7 @@ importers: ../../packages/framework-common-helpers: dependencies: '@boostercloud/framework-types': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../framework-types '@effect-ts/core': specifier: ^0.60.4 @@ -280,7 +280,7 @@ importers: version: 2.8.1 devDependencies: '@boostercloud/eslint-config': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../../tools/eslint-config '@types/chai': specifier: 4.2.18 @@ -370,10 +370,10 @@ importers: ../../packages/framework-core: dependencies: '@boostercloud/framework-common-helpers': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../framework-common-helpers '@boostercloud/framework-types': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../framework-types '@effect/cli': specifier: 0.56.2 @@ -437,10 +437,10 @@ importers: version: 8.18.0 devDependencies: '@boostercloud/eslint-config': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../../tools/eslint-config '@boostercloud/metadata-booster': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../metadata-booster '@types/chai': specifier: 4.2.18 
@@ -545,22 +545,22 @@ importers: ../../packages/framework-integration-tests: dependencies: '@boostercloud/framework-common-helpers': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../framework-common-helpers '@boostercloud/framework-core': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../framework-core '@boostercloud/framework-provider-aws': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../framework-provider-aws '@boostercloud/framework-provider-azure': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../framework-provider-azure '@boostercloud/framework-provider-local': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../framework-provider-local '@boostercloud/framework-types': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../framework-types '@effect-ts/core': specifier: ^0.60.4 
@@ -618,25 +618,25 @@ importers: specifier: 3.7.13 version: 3.7.13(graphql@16.12.0)(react@17.0.2)(subscriptions-transport-ws@0.11.0(graphql@16.12.0)) '@boostercloud/application-tester': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../application-tester '@boostercloud/cli': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../cli '@boostercloud/eslint-config': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../../tools/eslint-config '@boostercloud/framework-provider-aws-infrastructure': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../framework-provider-aws-infrastructure '@boostercloud/framework-provider-azure-infrastructure': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../framework-provider-azure-infrastructure '@boostercloud/framework-provider-local-infrastructure': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../framework-provider-local-infrastructure '@boostercloud/metadata-booster': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../metadata-booster '@seald-io/nedb': specifier: 4.0.2 @@ -777,10 +777,10 @@ importers: ../../packages/framework-provider-aws: dependencies: '@boostercloud/framework-common-helpers': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../framework-common-helpers '@boostercloud/framework-types': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../framework-types '@effect-ts/core': specifier: ^0.60.4 @@ -790,7 +790,7 @@ importers: version: 2.8.1 devDependencies: '@boostercloud/eslint-config': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../../tools/eslint-config '@types/aws-lambda': specifier: 8.10.48 
@@ -943,13 +943,13 @@ importers: specifier: ^1.170.0 version: 1.204.0 '@boostercloud/framework-common-helpers': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../framework-common-helpers '@boostercloud/framework-provider-aws': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../framework-provider-aws '@boostercloud/framework-types': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../framework-types '@effect-ts/core': specifier: ^0.60.4 @@ -983,7 +983,7 @@ importers: version: 1.10.2 devDependencies: '@boostercloud/eslint-config': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../../tools/eslint-config '@types/archiver': specifier: 5.1.0 @@ -1091,16 +1091,16 @@ importers: specifier: ^4.0.0 version: 4.11.0 '@azure/identity': - specifier: ~4.7.0 - version: 4.7.0 + specifier: ~4.13.0 + version: 4.13.0 '@azure/web-pubsub': specifier: ~1.1.0 version: 1.1.4 '@boostercloud/framework-common-helpers': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../framework-common-helpers '@boostercloud/framework-types': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../framework-types '@effect-ts/core': specifier: ^0.60.4 @@ -1110,7 +1110,7 @@ importers: version: 2.8.1 devDependencies: '@boostercloud/eslint-config': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../../tools/eslint-config '@types/chai': specifier: 4.2.18 
@@ -1203,19 +1203,19 @@ importers: specifier: ^4.3.0 version: 4.9.1 '@azure/identity': - specifier: ~4.7.0 - version: 4.7.0 + specifier: ~4.13.0 + version: 4.13.0 '@boostercloud/framework-common-helpers': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../framework-common-helpers '@boostercloud/framework-core': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../framework-core '@boostercloud/framework-provider-azure': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../framework-provider-azure '@boostercloud/framework-types': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../framework-types '@cdktf/provider-azurerm': specifier: 14.23.1 @@ -1285,7 +1285,7 @@ importers: version: 11.0.5 devDependencies: '@boostercloud/eslint-config': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../../tools/eslint-config '@types/chai': specifier: 4.2.18 @@ -1366,10 +1366,10 @@ importers: ../../packages/framework-provider-local: dependencies: '@boostercloud/framework-common-helpers': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../framework-common-helpers '@boostercloud/framework-types': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../framework-types '@effect-ts/core': specifier: ^0.60.4 @@ -1385,7 +1385,7 @@ importers: version: 8.18.0 devDependencies: '@boostercloud/eslint-config': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../../tools/eslint-config '@types/chai': specifier: 4.2.18 
@@ -1481,13 +1481,13 @@ importers: ../../packages/framework-provider-local-infrastructure: dependencies: '@boostercloud/framework-common-helpers': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../framework-common-helpers '@boostercloud/framework-provider-local': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../framework-provider-local '@boostercloud/framework-types': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../framework-types '@effect-ts/core': specifier: ^0.60.4 @@ -1506,7 +1506,7 @@ importers: version: 2.8.1 devDependencies: '@boostercloud/eslint-config': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../../tools/eslint-config '@types/chai': specifier: 4.2.18 @@ -1642,10 +1642,10 @@ importers: version: 8.18.0 devDependencies: '@boostercloud/eslint-config': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../../tools/eslint-config '@boostercloud/metadata-booster': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../metadata-booster '@types/chai': specifier: 4.2.18 @@ -1739,7 +1739,7 @@ importers: version: 2.8.1 devDependencies: '@boostercloud/eslint-config': - specifier: workspace:^4.0.0 + specifier: workspace:^4.0.1 version: link:../../tools/eslint-config '@types/node': specifier: ^20.17.17 
@@ -2775,9 +2775,9 @@ packages: resolution: {integrity: sha512-J0We2gav3YZFLO9pJlXDKUSOT0r/DzkUaJTaruhm8pwoSMbi4zjsS5N6fARrTel+IBCm77hlD0IgZSKSWvVpUw==} engines: {node: '>=20.0'} - '@azure/identity@4.7.0': - resolution: {integrity: sha512-6z/S2KorkbKaZ0DgZFVRdu7RCuATmMSTjKpuhj7YpjxkJ0vnJ7kTM3cpNgzFgk9OPYfZ31wrBEtC/iwAS4jQDA==} - engines: {node: '>=18.0.0'} + '@azure/identity@4.13.0': + resolution: {integrity: sha512-uWC0fssc+hs1TGGVkkghiaFkkS7NkTxfnCH+Hdg+yTehTpMcehpok4PgUKKdyCH+9ldu6FhiHRv84Ntqj1vVcw==} + engines: {node: '>=20.0.0'} '@azure/keyvault-common@2.0.0': resolution: {integrity: sha512-wRLVaroQtOqfg60cxkzUkGKrKMsCP6uYXAOomOIysSMyt1/YM0eUn9LqieAWM8DLcU4+07Fio2YGpPeqUbpP9w==} @@ -5815,9 +5815,6 @@ packages: jwa@1.4.2: resolution: {integrity: sha512-eeH5JO+21J78qMvTIDdBXidBd6nG2kZjg5Ohz/1fpa28Z4CcsWUzJ1ZZyFq/3z3N17aZy+ZuBoHljASbL1WfOw==} - jwa@2.0.1: - resolution: {integrity: sha512-hRF04fqJIP8Abbkq5NKGN0Bbr3JxlQ+qhZufXVr0DvujKy93ZCbXZMHDL4EOtodSbCWxOqR8MS1tXA5hwqCXDg==} - jwks-rsa@3.1.0: resolution: {integrity: sha512-v7nqlfezb9YfHHzYII3ef2a2j1XnGeSE/bK3WfumaYCqONAIstJbrEGapz4kadScZzEt7zYCN7bucj8C0Mv/Rg==} engines: {node: '>=14'} @@ -5825,9 +5822,6 @@ packages: jws@3.2.3: resolution: {integrity: sha512-byiJ0FLRdLdSVSReO/U4E7RoEyOCKnEnEPMjq3HxWtvzLsV08/i5RQKsFVNkCldrCaPr2vDNAOMsfs8T/Hze7g==} - jws@4.0.1: - resolution: {integrity: sha512-EKI/M/yqPncGUUh44xz0PxSidXFr/+r0pA70+gIYhjv+et7yxM+s29Y+VGDkovRofQem0fs7Uvf4+YmAdyRduA==} - jwt-decode@2.2.0: resolution: {integrity: sha512-86GgN2vzfUu7m9Wcj63iUkuDzFNYFVmjeDm2GzWpUk+opB0pEpMsw6ePCMrhYkumz2C1ihqtZzOMAg7FiXcNoQ==} 
@@ -7175,10 +7169,6 @@ packages: resolution: {integrity: sha512-eLoXW/DHyl62zxY4SCaIgnRhuMr6ri4juEYARS8E6sCEqzKpOiE521Ucofdx+KnDZl5xmvGYaaKCk5FEOxJCoQ==} engines: {node: '>= 0.4'} - stoppable@1.1.0: - resolution: {integrity: sha512-KXDYZ9dszj6bzvnEMRYvxgeTHU74QBFL54XKtP3nyMuJ81CFYtABZ3bAzL2EdFUaEwJOBOgENyFj3R7oTzDyyw==} - engines: {node: '>=4', npm: '>=6'} - stream-buffers@3.0.3: resolution: {integrity: sha512-pqMqwQCso0PBJt2PQmDO0cFj0lyqmiwOMiMSkVtRokl7e+ZTRYgDHKnuZNbqjiJXgsg4nuqtD/zxuo9KqTp0Yw==} engines: {node: '>= 0.10.0'} @@ -8814,7 +8804,7 @@ snapshots: cookie: 0.7.2 long: 4.0.0 - '@azure/identity@4.7.0': + '@azure/identity@4.13.0': dependencies: '@azure/abort-controller': 2.1.2 '@azure/core-auth': 1.10.1 @@ -8825,10 +8815,7 @@ snapshots: '@azure/logger': 1.3.0 '@azure/msal-browser': 4.28.1 '@azure/msal-node': 3.8.6 - events: 3.3.0 - jws: 4.0.1 open: 10.2.0 - stoppable: 1.1.0 tslib: 2.8.1 transitivePeerDependencies: - supports-color @@ -12717,12 +12704,6 @@ snapshots: ecdsa-sig-formatter: 1.0.11 safe-buffer: 5.2.1 - jwa@2.0.1: - dependencies: - buffer-equal-constant-time: 1.0.1 - ecdsa-sig-formatter: 1.0.11 - safe-buffer: 5.2.1 - jwks-rsa@3.1.0: dependencies: '@types/express': 4.17.25 @@ -12739,11 +12720,6 @@ snapshots: jwa: 1.4.2 safe-buffer: 5.2.1 - jws@4.0.1: - dependencies: - jwa: 2.0.1 - safe-buffer: 5.2.1 - jwt-decode@2.2.0: {} jwt-decode@3.1.2: {} @@ -14229,8 +14205,6 @@ snapshots: es-errors: 1.3.0 internal-slot: 1.1.0 - stoppable@1.1.0: {} - stream-buffers@3.0.3: {} stream-chain@2.2.5: {} diff --git a/packages/framework-provider-azure-infrastructure/package.json b/packages/framework-provider-azure-infrastructure/package.json index 5e59975d8..dea52bcbd 100644 --- a/packages/framework-provider-azure-infrastructure/package.json +++ b/packages/framework-provider-azure-infrastructure/package.json 
@@ -52,7 +52,7 @@
 "sinon-chai": "3.5.0",
 "tslib": "^2.4.0",
 "uuid": "11.0.5",
- "@azure/identity": "~4.7.0",
+ "@azure/identity": "~4.13.0",
 "@effect-ts/core": "^0.60.4"
 },
 "scripts": {
diff --git a/packages/framework-provider-azure/package.json b/packages/framework-provider-azure/package.json
index ee4668a4f..788120278 100644
--- a/packages/framework-provider-azure/package.json
+++ b/packages/framework-provider-azure/package.json
@@ -25,7 +25,7 @@
 "dependencies": {
 "@azure/cosmos": "^4.3.0",
 "@azure/functions": "^4.0.0",
- "@azure/identity": "~4.7.0",
+ "@azure/identity": "~4.13.0",
 "@azure/event-hubs": "5.11.1",
 "@boostercloud/framework-common-helpers": "workspace:^4.0.1",
 "@boostercloud/framework-types": "workspace:^4.0.1",

From a69c1fd2c1948f9d03172088b959372f4097a052 Mon Sep 17 00:00:00 2001
From: Mario Castro Squella
Date: Tue, 17 Mar 2026 18:32:57 -0300
Subject: [PATCH 2/2] Add rush changeset for @azure/identity bump (patch)

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .../bump-azure-identity_2026-03-17-21-32.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 common/changes/@boostercloud/framework-core/bump-azure-identity_2026-03-17-21-32.json

diff --git a/common/changes/@boostercloud/framework-core/bump-azure-identity_2026-03-17-21-32.json b/common/changes/@boostercloud/framework-core/bump-azure-identity_2026-03-17-21-32.json
new file mode 100644
index 000000000..c5ddcabef
--- /dev/null
+++ b/common/changes/@boostercloud/framework-core/bump-azure-identity_2026-03-17-21-32.json
@@ -0,0 +1,11 @@
+{
+ "changes": [
+ {
+ "comment": "Bump @azure/identity to ~4.13.0 to fix jws vulnerability",
+ "type": "patch",
+ "packageName": "@boostercloud/framework-core"
+ }
+ ],
+ "packageName": "@boostercloud/framework-core",
+ "email": "mario@theagilemonkeys.com"
+}
\ No newline at end of file
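Review bot: The rush change file added in this hunk is filed under @boostercloud/framework-core, but the only package.json files changed in PATCH 1/2 belong to @boostercloud/framework-provider-azure and @boostercloud/framework-provider-azure-infrastructure; framework-core is not touched. Rush keys change files by the modified project, so as written the two provider packages would likely have no changeset and framework-core would be bumped instead — both `"packageName"` values (and the `common/changes/@boostercloud/<package>/` directory) should name the provider packages, one file per package. The lockfile hunk also shows the new `'@azure/identity@4.13.0'` entry raising `engines` from `node: '>=18.0.0'` to `'>=20.0.0'`; if these packages still advertise Node 18 support that is a new runtime constraint, which is hard to reconcile with `"type": "patch"`. Finally, the PATCH 1/2 message names jws@4.0.0 while the lockfile entries removed are `jws@4.0.1`, so it is worth confirming which version the advisory covers before citing it in the changeset comment.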