Skip to content

prisma-taurus: npm-internal bundled deps are monitor-only (no clean override)#2000

Merged
RafaelGuevaraCA merged 2 commits into
masterfrom
prisma-taurus-npm-internal-monitor
Jun 26, 2026
Merged

prisma-taurus: npm-internal bundled deps are monitor-only (no clean override)#2000
RafaelGuevaraCA merged 2 commits into
masterfrom
prisma-taurus-npm-internal-monitor

Conversation

@RafaelGuevaraCA

Copy link
Copy Markdown
Collaborator

prisma-taurus skill: npm-internal bundled deps are monitor-only

Records a verified finding without changing master's (correct) stance: CVEs in deps bundled inside the global npm CLI (undici, glob, cross-spawn, …, under /usr/lib/node_modules/npm/node_modules/) are fixed only by bumping npm; if the latest npm still bundles the vulnerable version, the correct action is monitor.

Why

An attempt to allow a "guarded in-place override" (cd /usr/lib/node_modules/npm && npm install <dep>@<fixed>) was proven unbuildable: npm re-resolves its own package.json, which references unpublished internal workspace deps (@npmcli/docs), so the install fails with a registry 404 and the Docker build dies. Verified failing twice on 2026-06-26:

The only mechanism that would swap the dep is copying a temp-installed folder over npm's bundled one — the brittle "manual unpack" the cross-spawn lesson (commit #4) warns against. So the rule stays bump npm or monitor.

Changes

  • SKILL.md — add a classification row for /usr/lib/node_modules/npm/node_modules/ (previously mis-bucketed as an OS package) routing to bump-npm/monitor; exclude /usr/lib/node_modules/ from the OS-package row; add an "npm-internal bundled deps" section documenting that the in-place npm install fails.
  • vulnerability_history.md — record the verified @npmcli/docs 404 failure and the monitor-only conclusion (supersedes the reverted "guarded override" idea, kept on local branch prisma-taurus-npm-bundled-deps, not merged).

Docs-only; no code or Dockerfile changes.

🤖 Generated with Claude Code

…verride)

Record the verified finding without changing master's correct stance.
- SKILL.md: add a classification row for /usr/lib/node_modules/npm/node_modules/
  (was mis-bucketed as an OS package) routing to "bump npm / monitor", and an
  "npm-internal bundled deps" section. Exclude /usr/lib/node_modules/ from the
  OS-package row.
- vulnerability_history.md: document that `cd /usr/lib/node_modules/npm && npm
  install <dep>@<fixed>` does NOT work (npm re-resolves its own package.json and
  404s on unpublished workspace dep @npmcli/docs) — verified failing in taurus
  build #571 and taurus-cloud MOB-51270 build #1. The only override is the brittle
  manual file-copy (cross-spawn mistake), so the rule stays bump-npm-or-monitor.

Supersedes the reverted "allow guarded override" idea (local branch
prisma-taurus-npm-bundled-deps, not merged).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@codecov

codecov Bot commented Jun 26, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 88.08%. Comparing base (eb4981e) to head (1bf00d1).

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #2000   +/-   ##
=======================================
  Coverage   88.08%   88.08%           
=======================================
  Files          73       73           
  Lines       20935    20935           
=======================================
  Hits        18439    18439           
  Misses       2496     2496           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Documents and codifies the remediation policy for CVEs reported in dependencies bundled inside the globally installed npm CLI (under /usr/lib/node_modules/npm/node_modules/), clarifying that these are only remediable by upgrading npm itself; otherwise they should be monitored.

Changes:

  • Updates the path-to-fix-type classification table to correctly bucket /usr/lib/node_modules/npm/node_modules/ as “npm-internal bundled deps” (bump npm or monitor), and excludes /usr/lib/node_modules/ from the generic OS-package bucket.
  • Adds a dedicated “npm-internal bundled deps” section explaining why cd /usr/lib/node_modules/npm && npm install <dep>@<fixed> is not a viable/clean override and records the verified @npmcli/docs 404 failure.
  • Extends vulnerability history guidance and worked example to reflect the “bump npm or monitor” conclusion.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
.claude/skills/prisma-taurus/vulnerability_history.md Records the verified build failure of in-place npm overrides and formalizes the “bump npm or monitor” rule for npm-bundled dependencies.
.claude/skills/prisma-taurus/SKILL.md Updates the remediation classification table and adds an operational section documenting npm-internal bundled dependency handling.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .claude/skills/prisma-taurus/SKILL.md Outdated
Make the OS-package row exclusion match the npm-internal row exactly:
/usr/lib/node_modules/ -> /usr/lib/node_modules/npm/node_modules/.
Addresses henrychv's review comment; all path references now consistent.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@RafaelGuevaraCA RafaelGuevaraCA merged commit f69a12b into master Jun 26, 2026
3 checks passed
@RafaelGuevaraCA RafaelGuevaraCA deleted the prisma-taurus-npm-internal-monitor branch June 26, 2026 09:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants