prisma-taurus: npm-internal bundled deps are monitor-only (no clean override)#2000
Merged
Merged
Conversation
…verride) Record the verified finding without changing master's correct stance. - SKILL.md: add a classification row for /usr/lib/node_modules/npm/node_modules/ (was mis-bucketed as an OS package) routing to "bump npm / monitor", and an "npm-internal bundled deps" section. Exclude /usr/lib/node_modules/ from the OS-package row. - vulnerability_history.md: document that `cd /usr/lib/node_modules/npm && npm install <dep>@<fixed>` does NOT work (npm re-resolves its own package.json and 404s on unpublished workspace dep @npmcli/docs) — verified failing in taurus build #571 and taurus-cloud MOB-51270 build #1. The only override is the brittle manual file-copy (cross-spawn mistake), so the rule stays bump-npm-or-monitor. Supersedes the reverted "allow guarded override" idea (local branch prisma-taurus-npm-bundled-deps, not merged). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #2000 +/- ##
=======================================
Coverage 88.08% 88.08%
=======================================
Files 73 73
Lines 20935 20935
=======================================
Hits 18439 18439
Misses 2496 2496 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
Contributor
There was a problem hiding this comment.
Pull request overview
Documents and codifies the remediation policy for CVEs reported in dependencies bundled inside the globally installed npm CLI (under /usr/lib/node_modules/npm/node_modules/), clarifying that these are only remediable by upgrading npm itself; otherwise they should be monitored.
Changes:
- Updates the path-to-fix-type classification table to correctly bucket
/usr/lib/node_modules/npm/node_modules/as “npm-internal bundled deps” (bump npm or monitor), and excludes/usr/lib/node_modules/from the generic OS-package bucket. - Adds a dedicated “npm-internal bundled deps” section explaining why
cd /usr/lib/node_modules/npm && npm install <dep>@<fixed>is not a viable/clean override and records the verified@npmcli/docs404 failure. - Extends vulnerability history guidance and worked example to reflect the “bump npm or monitor” conclusion.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .claude/skills/prisma-taurus/vulnerability_history.md | Records the verified build failure of in-place npm overrides and formalizes the “bump npm or monitor” rule for npm-bundled dependencies. |
| .claude/skills/prisma-taurus/SKILL.md | Updates the remediation classification table and adds an operational section documenting npm-internal bundled dependency handling. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
henrychv
reviewed
Jun 26, 2026
Make the OS-package row exclusion match the npm-internal row exactly: /usr/lib/node_modules/ -> /usr/lib/node_modules/npm/node_modules/. Addresses henrychv's review comment; all path references now consistent. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
henrychv
approved these changes
Jun 26, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
prisma-taurus skill: npm-internal bundled deps are monitor-only
Records a verified finding without changing master's (correct) stance: CVEs in deps bundled inside the global
npmCLI (undici,glob,cross-spawn, …, under/usr/lib/node_modules/npm/node_modules/) are fixed only by bumping npm; if the latest npm still bundles the vulnerable version, the correct action is monitor.Why
An attempt to allow a "guarded in-place override" (
cd /usr/lib/node_modules/npm && npm install <dep>@<fixed>) was proven unbuildable: npm re-resolves its ownpackage.json, which references unpublished internal workspace deps (@npmcli/docs), so the install fails with a registry404and the Docker build dies. Verified failing twice on 2026-06-26:taurus-branch-builderbuild Extract Selenium's virtual display to a service #571CRANE-TAURUS-CLOUD-CI/MOB-51270-manual-undici-fixbuild abstract #1The only mechanism that would swap the dep is copying a temp-installed folder over npm's bundled one — the brittle "manual unpack" the cross-spawn lesson (commit #4) warns against. So the rule stays bump npm or monitor.
Changes
/usr/lib/node_modules/npm/node_modules/(previously mis-bucketed as an OS package) routing to bump-npm/monitor; exclude/usr/lib/node_modules/from the OS-package row; add an "npm-internal bundled deps" section documenting that the in-placenpm installfails.@npmcli/docs404 failure and the monitor-only conclusion (supersedes the reverted "guarded override" idea, kept on local branchprisma-taurus-npm-bundled-deps, not merged).Docs-only; no code or Dockerfile changes.
🤖 Generated with Claude Code