Release JavaScript AWS KMS Storage v1.0.0 #875
Workflow excerpt flagged by the alert (.github/workflows/test.javascript.storage.aws.kms.yml):

    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: ./sdk/javascript/packages/aws
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Node.js 20.x
        uses: actions/setup-node@v4
        with:
          node-version: '20.x'
          cache: 'npm'
          cache-dependency-path: sdk/javascript/packages/aws/package-lock.json

      - name: Install dependencies
        run: npm ci

      - name: Run tests
        run: npm test
Check warning
Code scanning / CodeQL: Workflow does not contain permissions. Severity: Medium. Job: test
Copilot Autofix (AI), 5 months ago:
To resolve the issue, an explicit permissions block should be added to limit the permissions granted to the workflow's jobs. The least-privilege starting point is typically contents: read, which allows jobs to clone and read the repository content but does not permit write operations. This block can be added either at the root level of the workflow, applying to all jobs, or just to the specific job. Since the workflow contains only one job (test), either location is acceptable, but best practice is to place it at the root for future extensibility. The modification involves editing .github/workflows/test.javascript.storage.aws.kms.yml by inserting the following block after the name: and before the on: section:

    permissions:
      contents: read

No new imports, methods, or definitions are required beyond adding this block.
| @@ -1,4 +1,6 @@ | ||
| name: Test JavaScript Storage - AWS KMS | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: |
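Review bot: the root-level `permissions: contents: read` added here is the right scope for the single `test` job, which only checks out the repository, runs `npm ci` and runs `npm test`; none of those steps writes back to GitHub, so no broader grant should be needed and placing it at the root means any job added later starts read-only. Two items from the same workflow are not covered by this hunk: the steps still reference `actions/checkout@v4` and `actions/setup-node@v4` by tag rather than by commit SHA, and the checkout step does not set `persist-credentials: false`, both of which the commit message lists under "harden CI". Worth confirming the final workflow carries those changes too, since the permissions block alone does not address them.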
Initial release of the AWS KMS storage backend for the KSM JavaScript SDK with pre-publish bug fixes, CVE remediations, and workflow hardening.

Bug fixes:
- KSM-846: rethrow KMS errors in encryptBuffer/decryptBuffer and saveConfig
- KSM-839: fix delete() skipping keys with falsy values
- KSM-836: correct in operator usage in contains(); normalize method visibility
- fix getBytes() returning undefined for zero-length Uint8Array

Maintenance:
- upgrade @aws-sdk/client-kms to 3.975.0 (GHSA-6475-r3vj-m8vf)
- upgrade pino to v10 (CVE-2025-57319)
- upgrade @isaacs/brace-expansion to 5.0.1
- update npm publish workflow: Node.js 24, Syft v1.32.0, new KSM config secret, ksm-action SHA 560d170b
- harden CI: pin action SHAs, add permissions blocks, persist-credentials: false
Release of @keeper-security/secrets-manager-aws v1.0.0
AWS Key Management Service integration for secure storage of Keeper Secrets Manager configuration.
Dependencies:
Bug Fixes
- `contains()` — `key in Object.keys(config)` checked numeric array indices and always returned `false` for real config keys. Corrected to `key in config`. Add regression tests.
- `delete()` — truthy check `if (config[key])` silently skipped keys holding falsy values (`""`, `0`, `false`, `null`). Corrected to `key in config`. Add regression tests.
- `encryptBuffer()` and `decryptBuffer()` in `utils.ts` returned empty values (`Buffer.alloc(0)` / `""`) on AWS KMS failure instead of rethrowing, silently discarding authentication failures, invalid key IDs, and permission errors; `saveConfig()` also caught and discarded errors without rethrowing; both layers now rethrow, making `saveString()`, `saveBytes()`, `saveObject()`, and `changeKey()` propagate AWS KMS failures as expected; `changeKey()`'s rollback path (key and crypto client restoration) is now reachable; removed vestigial `blob.length > 0` guards in `saveConfig()` and `createConfigFileIfMissing()`.
- `getBytes()` — falsy check `if (bytesString)` treated an empty base64 string (`""`, produced by saving a zero-length `Uint8Array`) as absent, returning `undefined` instead of `Uint8Array(0)`. Corrected to `if (bytesString !== undefined)`. Add regression tests.
- `getKeyDetails()` from implicit public to `private`, aligning with all other JS KMS storage packages (Azure, GCP, Oracle).

Maintenance

- `npm audit fix` — fixed 1 critical (fast-xml-parser), 3 high (minimatch), 1 medium (ajv). Grype rescan: 0 findings.
- `tsconfig.test.json` with `@types/jest` types and update `jest.config.js` to pass the test tsconfig to ts-jest, resolving LSP errors in test files.

Closes https://keeper.atlassian.net/browse/KSM-703
Closes https://keeper.atlassian.net/browse/KSM-836
Closes https://keeper.atlassian.net/browse/KSM-839
Closes https://keeper.atlassian.net/browse/KSM-846
Closes https://keeper.atlassian.net/browse/KSM-851
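The four logic bugs listed in the PR body are easy to misread as cosmetic, so here is an added example (not the @keeper-security/secrets-manager-aws package's own code) that reproduces each one on a plain in-memory config object, with the buggy predicate beside the corrected one. The function names (`buggyContains`, `fixedDelete`, `deniedKmsEncrypt`, etc.), the sample config and the synchronous stand-in for the KMS client call are all hypothetical; the real SDK call is async, but the control flow that swallows or propagates the error is the same.

```javascript
// Added example, not the package's own code. Each buggy/fixed pair mirrors
// one item from the PR's "Bug Fixes" list; all names here are hypothetical.

// Constructed sample config: real keys whose values are a string, an
// empty string, zero and false, so every buggy predicate has a case to hit.
function sampleConfig() {
  return { clientId: 'abc', privateKey: '', retries: 0, verbose: false };
}

// KSM-836: `key in Object.keys(config)` asks whether `key` is an index of
// the keys *array* ("0", "1", ...), so a real key is never found.
function buggyContains(config, key) {
  return key in Object.keys(config);
}
// Fix: test membership on the config object itself.
function fixedContains(config, key) {
  return key in config;
}

// KSM-839: a truthiness check on the value skips keys holding "", 0,
// false or null, so delete() silently leaves them in place.
function buggyDelete(config, key) {
  if (config[key]) {
    delete config[key];
    return true;
  }
  return false;
}
// Fix: decide on presence of the key, not truthiness of the value.
function fixedDelete(config, key) {
  if (key in config) {
    delete config[key];
    return true;
  }
  return false;
}

// getBytes(): a zero-length Uint8Array is stored as the empty base64
// string "", which is falsy, so `if (bytesString)` reports it as absent.
function buggyGetBytes(config, key) {
  const bytesString = config[key];
  if (bytesString) return new Uint8Array(Buffer.from(bytesString, 'base64'));
  return undefined;
}
// Fix: only `undefined` means "not stored"; "" decodes to Uint8Array(0).
function fixedGetBytes(config, key) {
  const bytesString = config[key];
  if (bytesString !== undefined) return new Uint8Array(Buffer.from(bytesString, 'base64'));
  return undefined;
}

// KSM-846: catching the KMS error and returning Buffer.alloc(0) turns an
// access-denied or bad-key-id failure into an "empty ciphertext" that the
// save path then quietly skipped. Rethrowing lets the caller see it.
// `kmsEncrypt` stands in for the SDK call (synchronous here for brevity).
function buggyEncryptBuffer(kmsEncrypt, plaintext) {
  try {
    return kmsEncrypt(plaintext);
  } catch (err) {
    return Buffer.alloc(0); // the failure disappears here
  }
}
function fixedEncryptBuffer(kmsEncrypt, plaintext) {
  return kmsEncrypt(plaintext); // any failure propagates to the caller
}

// Constructed stand-in for a KMS client whose Encrypt call is rejected.
function deniedKmsEncrypt() {
  throw new Error('AccessDeniedException (constructed sample error)');
}

// Runs every buggy/fixed pair on the sample data and returns what each saw.
function demo() {
  const cfg = sampleConfig();
  const buggyLength = buggyEncryptBuffer(deniedKmsEncrypt, Buffer.from('secret')).length;
  let fixedError;
  try {
    fixedEncryptBuffer(deniedKmsEncrypt, Buffer.from('secret'));
  } catch (err) {
    fixedError = err.message;
  }
  return {
    containsClientId: [buggyContains(cfg, 'clientId'), fixedContains(cfg, 'clientId')],
    deletePrivateKey: [buggyDelete({ ...cfg }, 'privateKey'), fixedDelete({ ...cfg }, 'privateKey')],
    emptyBytes: [buggyGetBytes({ b: '' }, 'b'), fixedGetBytes({ b: '' }, 'b').length],
    kmsFailure: [buggyLength, fixedError],
  };
}

console.log(demo());
```

The `demo()` output makes the security-relevant one visible: with the buggy `encryptBuffer`, a denied KMS call yields a zero-length buffer and no error, so a config save that should have failed looks like success to the caller; with the fix, the `AccessDeniedException` reaches `saveConfig()` and its callers.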