fix(deps): remediate socket-redis production dependencies #9

Open

Neha0461 wants to merge 1 commit into master from fix/socket-redis-critical-deps

Conversation

@Neha0461


What

Remediates the production dependency issues in socket-redis so downstream repos can move to a safe package tag. This updates the Node runtime baseline from Node 6 to Node 10, upgrades vulnerable production dependencies, replaces the vulnerable optimist/old minimist CLI path, and patches runtime compatibility issues found during validation.

Changes

  • Dependency remediation
    • Upgrades redis to 3.1.2, outside the vulnerable >=2.6.0 <3.1.1 range.
    • Replaces optimist with direct minimist@1.2.8 CLI parsing.
    • Upgrades underscore, sockjs, validator, log4js, and supporting dependency locks.
    • Keeps package-lock.json at lockfile version 1 so Node 10/npm 6 can consume it.
  • Runtime compatibility
    • Preserves existing CLI flags and defaults through lib/cli-options.js.
    • Updates log4js file logging configuration for the 6.x API.
    • Sanitizes Redis client options so redis@3 does not receive password: null.
    • Preserves Redis channel names and message envelopes for socket-redis-up / socket-redis-down.
    • Tightens worker subscribe.start validation to avoid accepting coerced values such as null, booleans, arrays, whitespace, or decimals.
  • Test coverage
    • Adds CLI parser regression tests.
    • Adds worker validation regression tests.
    • Adds Redis option sanitizer coverage.
    • Updates worker integration tests to use an ephemeral port instead of hardcoded 9090, avoiding local port collisions.

Files Changed

  • .travis.yml, Dockerfile, README.md
  • package.json, package-lock.json
  • bin/socket-redis.js, lib/cli-options.js
  • lib/server.js, lib/utils.js, lib/worker-connection.js
  • test/cli-options.js, test/server-redis-options.js, test/server.js, test/worker.js, test/worker-connection-validation.js

Links

  • Linear: N/A
  • Notion: N/A
  • Figma: N/A
  • GitHub Issue: N/A
  • Related PRs: none
  • Related alert context: frontend-core Dependabot rollout depends on a new socket-redis tag after this lands.

Testing

  • /Users/nehatiwari/.nvm/versions/node/v10.24.1/bin/node node_modules/mocha/bin/mocha test/worker.js test/server-redis-options.js test/worker-connection-validation.js test/cli-options.js
    • Passed: 12 passing
  • npm audit --omit=dev
    • Passed for the target severity: zero critical/high production findings remain.
    • Remaining audit output is two moderate uuid findings. The suggested fix requires npm audit fix --force and a breaking uuid@14 upgrade via sockjs, so it is intentionally left for a separate risk review.
  • docker-compose build socket-redis
    • Passed; local Docker image built from this branch with Node 10 and npm ci --only=production.
  • docker-compose run --rm --volume $(pwd):/opt/socket-redis socket-redis ./script/test.sh
    • Passed: 29 passing.
  • node -e "var p=require('./package-lock.json'); console.log('lockfileVersion=' + p.lockfileVersion); ..."
    • Confirmed lockfileVersion=1.
    • Confirmed resolved versions: redis@3.1.2, underscore@1.13.8, minimist@1.2.8, sockjs@0.3.24, sockjs-client@1.5.2, validator@13.15.35, log4js@6.9.1, websocket-extensions@0.1.4.
  • hr-agents validate socket-redis-critical-deps
    • Passed for backend output with no state/output drift.

Risks & Follow-ups

  • After merge, publish a new socket-redis tag and update downstream consumers such as frontend-core, app-server, candidate-site-frontend, and codepair-frontend.
  • Remaining moderate uuid findings require a breaking force upgrade path and should be handled separately from this critical/high remediation.


Proof of Work

Proof of Work — Task Graph
graph TD
    A["backend-developer<br/>status: done<br/>invocations: 3"]
    B["backend-developer-spec-review<br/>status: failed then fixed<br/>invocations: 2"]
    A --> B
    style A fill:#22c55e,color:#fff
    style B fill:#22c55e,color:#fff
Proof of Work — Files Changed
graph LR
    subgraph dependency_remediation
        F1["package.json"]
        F2["package-lock.json"]
        F3["Dockerfile"]
        F4[".travis.yml"]
        F5["README.md"]
    end
    subgraph runtime_compatibility
        F6["bin/socket-redis.js"]
        F7["lib/cli-options.js"]
        F8["lib/server.js"]
        F9["lib/utils.js"]
        F10["lib/worker-connection.js"]
    end
    subgraph tests
        F11["test/cli-options.js"]
        F12["test/server-redis-options.js"]
        F13["test/server.js"]
        F14["test/worker.js"]
        F15["test/worker-connection-validation.js"]
    end
Proof of Work — Execution Flow
flowchart LR
    S1["1 Intake ✓"] --> S2["2 Analysis ✓"]
    S2 --> S3["3 Planning ✓"]
    S3 --> S4["4 Prepare ✓"]
    S4 --> S5["5 Implement ✓"]
    S5 --> S6["6 Review ✓"]
    S6 --> S7["7 PR ✓"]
    style S1 fill:#22c55e,color:#fff
    style S2 fill:#22c55e,color:#fff
    style S3 fill:#22c55e,color:#fff
    style S4 fill:#22c55e,color:#fff
    style S5 fill:#22c55e,color:#fff
    style S6 fill:#22c55e,color:#fff
    style S7 fill:#22c55e,color:#fff

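The two runtime-compatibility points in the description, dropping `password: null` before the options reach redis@3 and refusing coerced values for `subscribe.start`, are small enough that an illustration is more useful than a paraphrase. The block below is an added example written for this page; it is not code from the socket-redis repository or from this PR. The function names (`sanitizeRedisOptions`, `validateSubscribeStart`, `validateSubscribe`), the assumption that `start` is a non-negative integer, and the subscribe message shape `{ channel, start }` are all assumptions made for the example.

```javascript
'use strict';

// Added illustration, not code from the socket-redis repository. The helpers
// below mirror the behaviours the PR describes for lib/utils.js and
// lib/worker-connection.js; their names, the option keys and the exact
// acceptance rules are assumptions made for this example.

// Drop every option whose value is null or undefined before the object
// reaches redis.createClient(). Config files and CLI defaults commonly yield
// `password: null` for "no password"; the PR notes that redis@3 must not be
// handed that key, so it is removed rather than forwarded. An explicit empty
// string is kept untouched: deciding what '' means is the caller's job.
function sanitizeRedisOptions(options) {
  var clean = {};
  Object.keys(options || {}).forEach(function (key) {
    if (options[key] !== null && options[key] !== undefined) {
      clean[key] = options[key];
    }
  });
  return clean;
}

// Strict check for the `start` field of a subscribe message. Returns the value
// as a non-negative safe integer, or null when it is anything else. It refuses
// what a loose parseInt()/Number() coercion would let through: null, booleans,
// arrays, whitespace-padded strings, decimals, leading zeros and unsafe sizes.
function validateSubscribeStart(value) {
  if (typeof value === 'number') {
    return Number.isSafeInteger(value) && value >= 0 ? value : null;
  }
  if (typeof value === 'string' && /^(0|[1-9][0-9]*)$/.test(value)) {
    var parsed = parseInt(value, 10);
    return Number.isSafeInteger(parsed) ? parsed : null;
  }
  return null;
}

// The loose rule the strict one replaces, kept only to show the difference:
// parseInt() happily reads ' 5', [5], '5.0' and '007' as numbers.
function looseSubscribeStart(value) {
  var n = parseInt(value, 10);
  return isNaN(n) ? null : n;
}

// Validate a whole subscribe message: channel must be a non-empty string with
// no surrounding whitespace, start must pass the strict check. Returns the
// normalised message or null. The message shape is an assumption.
function validateSubscribe(message) {
  if (!message || typeof message !== 'object' || Array.isArray(message)) {
    return null;
  }
  var channel = message.channel;
  if (typeof channel !== 'string' || channel.length === 0 || channel.trim() !== channel) {
    return null;
  }
  var start = validateSubscribeStart(message.start);
  if (start === null) {
    return null;
  }
  return { channel: channel, start: start };
}

// Stand-alone demo over constructed sample inputs (no Redis needed).
if (typeof require !== 'undefined' && require.main === module) {
  var samples = [1700000000, '42', null, true, [5], ' 5', '5.0', 5.5, '007', '1e3'];
  samples.forEach(function (s) {
    console.log(JSON.stringify(s), 'loose:', looseSubscribeStart(s),
      'strict:', validateSubscribeStart(s));
  });
  console.log(sanitizeRedisOptions({ host: '127.0.0.1', port: 6379, password: null }));
}
```

Running the block prints, for each sample, what the loose rule would have accepted next to what the strict rule accepts, which is the regression the PR's worker validation tests pin down; the last line shows the sanitized option object with the `password` key absent rather than null.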