fix(security): resolve code scanning & Dependabot alerts (workflow permissions + uuid override) #71
Code scanning (CodeQL actions/missing-workflow-permissions, 4 alerts): add least-privilege top-level `permissions: contents: read` to the four workflows that lacked one (ci-react, ci-functions, cd-firebase-mainnet, cd-firebase-testnet). They only checkout/build/deploy via FIREBASE_TOKEN, so no write/packages/id-token scopes are needed. Matches pinact.yml.

Dependabot (GHSA-w5hq-g745-h8pq uuid <11.1.1, 2 alerts): the vulnerable uuid is transitive via firebase-tools->gaxios@6 (root) and firebase-admin->@google-cloud/*->gaxios/teeny-request (functions). firebase-tools is already at its latest and still pins gaxios@6, and firebase-admin@14 is a breaking major that still pulls vulnerable uuid, so a parent-package bump cannot fix this. Force patched uuid via npm overrides instead:
- root: uuid 14.0.0 (also satisfies universal-analytics' ^14 -> clean tree)
- functions: uuid 11.1.1 (no ^14 consumer; conservative legacy-11 line)

Verified: npm ls uuid clean (exit 0), npm audit 0 vulnerabilities in both packages, root typecheck+build and functions build all pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
📝 Walkthrough
Four GitHub Actions workflows now declare read-only repository permissions at the top level, and both root and functions
Changes
System Configuration Hardening
Pull request overview
This PR addresses GitHub security findings by (1) tightening GitHub Actions workflow token permissions to least-privilege and (2) remediating uuid vulnerability alerts via npm overrides in both the root app and functions/.
Changes:
- Add top-level `permissions: contents: read` to 4 workflows flagged by code scanning.
- Add npm `overrides` to force patched `uuid` versions (root: 14.0.0, functions: 11.1.1).
- Regenerate/update both `package-lock.json` files to reflect the overridden dependency trees.
Reviewed changes
Copilot reviewed 6 out of 8 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| package.json | Adds a root overrides entry to force uuid@14.0.0. |
| package-lock.json | Updates root lockfile to remove vulnerable uuid resolutions and use uuid@14.0.0. |
| functions/package.json | Extends existing overrides to pin uuid@11.1.1 in Functions workspace. |
| functions/package-lock.json | Updates Functions lockfile to remove vulnerable uuid resolutions and use uuid@11.1.1. |
| .github/workflows/ci-react.yml | Sets minimal workflow token permissions (contents: read). |
| .github/workflows/ci-functions.yml | Sets minimal workflow token permissions (contents: read). |
| .github/workflows/cd-firebase-testnet.yml | Sets minimal workflow token permissions (contents: read). |
| .github/workflows/cd-firebase-mainnet.yml | Sets minimal workflow token permissions (contents: read). |
Files not reviewed (1)
- functions/package-lock.json: Language not supported
Address Copilot review on #71: the global `uuid: 14.0.0` override forced firebase-tools (which declares uuid ^11.1.1) onto a major beyond its range. Root's only vulnerable uuid is gaxios -> uuid@9.0.1; firebase-tools' direct uuid (11.1.1) and universal-analytics' uuid (14.0.0) are already patched. Scope the override to `gaxios -> uuid: 11.1.1` so only the vulnerable chain moves, every package stays within its declared range, and npm ls is clean (no ELSPROBLEMS). functions keeps its flat 11.1.1 override since all its uuid instances are vulnerable and 11.1.1 is the minimum patched version.

Verified: npm ci exit 0, npm ls uuid clean (exit 0), npm audit 0 vulnerabilities, typecheck + build pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Summary
Addresses 6 findings from GitHub's security features.

A. Code scanning: 4 alerts (`actions/missing-workflow-permissions`, medium)
Adds the least-privilege `contents: read` to the 4 workflows that had no top-level `permissions:`. All of them only do checkout/build (plus deploy via FIREBASE_TOKEN), so GITHUB_TOKEN write, packages and id-token permissions are not needed. This follows the pattern already used in `pinact.yml`.
- ci-react.yml / ci-functions.yml / cd-firebase-mainnet.yml / cd-firebase-testnet.yml

B. Dependabot: 2 alerts (GHSA-w5hq-g745-h8pq: uuid <11.1.1, moderate)
The vulnerable uuid is a transitive dependency:
- firebase-tools → gaxios@6 → uuid@9.0.1
- firebase-admin → @google-cloud/* → gaxios/teeny-request/google-gax → uuid@8.3.2/9.0.1

Bumping the parent packages does not work (verified by comparison): `firebase-tools` is already at its latest and still pins `gaxios@6`, and `firebase-admin@14` is a breaking major that still pulls in vulnerable uuid. So the patched version is forced via npm `overrides`. The policy is to replace only the vulnerable chain, minimally, keeping every package within its declared semver range:
- Scoped to `gaxios → uuid` only, at 11.1.1. In root the only vulnerable chain is `gaxios → uuid@9.0.1`; `firebase-tools`' direct `uuid@11.1.1` and `universal-analytics`' `uuid@14.0.0` are already patched and are left as-is (avoiding a major jump outside their ranges).
- `uuid` pinned to 11.1.1 (flat). On the functions side every uuid instance (8.3.2/9.0.1) is vulnerable, and 11.1.1 is the minimum patched version in the advisory.

Verification
- `npm ci` … exit 0 in both root and functions (lockfile sync confirmed)
- `npm ls uuid` … vulnerable versions gone, exit 0 (clean tree, no ELSPROBLEMS)
- `npm audit` … 0 vulnerabilities in both packages
- `npm run typecheck` & `npm run build`, and functions `npm run build` … all succeed
- `prettier --check` … all changed files conform

🤖 Generated with Claude Code
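The override-scoping decision described above (pin uuid only under the parent that resolves a vulnerable version, fall back to a flat pin when every instance is vulnerable), as an added example that is not part of the PR or the project: a Node script that walks `npm ls --all --json` output, lists every chain ending in uuid below the advisory floor, and derives the narrowest `overrides` entry. The sample tree and every non-uuid version string are constructed placeholders, not values from the project's lockfile.

```javascript
// Added example (not from the PR): walk the tree printed by `npm ls --all --json`, list
// every chain that resolves `uuid` below the advisory floor, and derive the narrowest
// npm `overrides` entry (parent -> uuid) that moves only those chains.
const PATCHED_FLOOR = '11.1.1'; // GHSA-w5hq-g745-h8pq: uuid < 11.1.1
// Numeric major.minor.patch comparison; returns <0, 0 or >0 like a comparator.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}
// Depth-first walk; each hit is the list of {name, version} nodes from the root down to uuid.
function findVulnerableChains(tree, pkg = 'uuid', floor = PATCHED_FLOOR, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const chain = [...path, { name, version: node.version }];
    if (name === pkg && compareVersions(node.version, floor) < 0) out.push(chain);
    findVulnerableChains(node, pkg, floor, chain, out);
  }
  return out;
}
// Render a chain the way `npm ls` prints it: a@1 -> gaxios@6.0.0 -> uuid@9.0.1
function formatChain(chain) {
  return chain.map(n => `${n.name}@${n.version}`).join(' -> ');
}
// Pin uuid only under the direct parent of each vulnerable instance, so siblings that already
// resolve a patched uuid keep their declared ranges; a vulnerable top-level uuid gets a flat pin.
function scopedOverrides(chains, pkg = 'uuid', floor = PATCHED_FLOOR) {
  const overrides = {};
  for (const chain of chains) {
    const parent = chain[chain.length - 2];
    if (!parent) overrides[pkg] = floor;
    else overrides[parent.name] = { ...(overrides[parent.name] || {}), [pkg]: floor };
  }
  return overrides;
}
// Constructed sample mirroring the root tree the PR describes, before the override.
// Versions other than the uuid ones are placeholders, not taken from the project's lockfile.
const SAMPLE_TREE = {
  dependencies: {
    'firebase-tools': {
      version: '0.0.0-placeholder',
      dependencies: {
        uuid: { version: '11.1.1' },
        gaxios: { version: '6.0.0', dependencies: { uuid: { version: '9.0.1' } } },
        'universal-analytics': { version: '0.0.0-placeholder', dependencies: { uuid: { version: '14.0.0' } } },
      },
    },
  },
};
```

Against the sample, the only hit is `firebase-tools@0.0.0-placeholder -> gaxios@6.0.0 -> uuid@9.0.1`, and `scopedOverrides` returns `{ gaxios: { uuid: '11.1.1' } }`, the nested `overrides` form the follow-up commit adopted.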