Release JavaScript SDK v17.4.1 #997
KSM-901: add IL5 region mapping (il5.keepersecurity.us)
…7-4-1 KSM-758: replace rollup-plugin-sourcemaps with rollup-plugin-sourcemaps2
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
…add KSM-758 entry
…VE, 4.0.0-4.58.0)
…e picomatch HIGH (dev only)
- OTT parser: 4-segment IL5 format (IL5:clientKey:keyId:pubKey); save both serverPublicKeyId and serverPublicKey; non-IL5 regions unchanged
- Rotation suppression: ignore server-pushed key_id hints when serverPublicKey is in storage (override mode) to prevent bricking
- Constructor: add serverPublicKeyId to SecretManagerOptions; persist alongside serverPublicKey on first use
- Tests: update Layer 2/3 tests for new format; add non-IL5 isolation test and rotation suppression test (16 tests pass)

Closes KSM-901
KSM-901: JavaScript IL5 dynamic server public key support
- Add top-level permissions: contents: read
- Pin actions/checkout and actions/setup-node to SHAs (v6.0.2, v6.3.0)
- Add persist-credentials: false to all checkout steps
- Pin ksm-action to SHA 37abbada (KSM-872 ReDoS fix)
- Bump Node.js from EOL 18 to 22 in build and publish jobs
- Bump Syft v1.18.1 -> v1.32.0; Manifest CLI v0.18.3 -> v0.31.0
- Pin actions/upload-artifact to SHA (v7.0.1)
- Add get-version job to extract version once and share via outputs
- Add test job (Node 22+24 matrix) as gate before build and SBOM
- Add validate-version job to abort if version already on npm
validate-version now runs unconditionally (not just when publish=true) and both test and generate-sbom depend on it. A duplicate-version error fails fast before the test matrix or SBOM generation starts.
keeper.ts:
- Validate IL5 OTT token: reject >4 segments, non-integer keyId, short
public key; fixes silent misconfiguration on malformed tokens
- Throw clear error when server rejects a custom IL5 public key instead
of surfacing raw JSON error message
- Persist serverPublicKeyId in postQuery so write operations
(createSecret, updateSecret, etc.) honour the option, not only getSecrets
- Keep writes in fetchAndDecryptSecrets so they are available before
prepareGetPayload runs
keeper.test.ts:
- Replace bare catch{} in Layer 3 test with explicit rejects.toThrow
- Update rotation suppression test comment to note e2e coverage gap
- Replace localConfigStorage() with inMemoryStorage({}) in e2e test
- Remove unused localConfigStorage import
- Add IL5 OTT negative-path tests: >4 segments, non-integer keyId,
short public key, lowercase il5 prefix
test.js.yml: add Node 20 to test matrix (still Active LTS)
package.json: add engines field (node >=20)
CHANGELOG.md: document IL5 dynamic key injection feature (was missing)
publish.npm.yml: remove unused artifact upload from build-npm job;
add permissions:{} to validate-version job
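The 4-segment IL5 token handling and the override-mode rotation suppression described in the KSM-901 commits above, as an added example. This is illustrative code written for this page, not the SDK's own implementation from keeper.ts: the function names, the 87-character public-key length floor, the decision to reject 3-segment tokens, the error strings and the sample key values are all assumptions of this example.

```typescript
// Added example, not the Keeper SDK's own code: parses the 4-segment IL5
// one-time token described in the KSM-901 commits and applies the
// override-mode "rotation suppression" rule. Error strings, the public-key
// length floor and the sample values are assumptions / constructed values.

export interface ParsedOneTimeToken {
  il5: boolean;
  clientKey: string;           // for non-IL5 tokens: the whole token, untouched
  serverPublicKeyId?: number;
  serverPublicKey?: string;
}

// Assumption: an uncompressed P-256 public key is 65 bytes, i.e. 87 chars of
// unpadded base64url; anything shorter cannot be a complete key.
export const MIN_PUBLIC_KEY_CHARS = 87;

export function parseOneTimeToken(token: string): ParsedOneTimeToken {
  const parts = token.split(":");

  // 1- and 2-segment tokens are the existing non-IL5 formats (bare key or
  // REGION:key); they are handed on unchanged so other regions are unaffected.
  if (parts.length <= 2) {
    return { il5: false, clientKey: token };
  }
  // Anything that is not exactly four segments is malformed: more than four
  // means a stray ':' or a concatenated token; three matches neither format
  // (treating three as an error is an assumption of this example).
  if (parts.length !== 4) {
    throw new Error(`malformed one-time token: expected 4 segments, got ${parts.length}`);
  }

  const prefix = parts[0];
  const clientKey = parts[1];
  const keyIdText = parts[2];
  const serverPublicKey = parts[3];

  // Exact, case-sensitive prefix: "il5:..." is rejected rather than being
  // silently handled as some other region.
  if (prefix !== "IL5") {
    throw new Error(`malformed one-time token: 4-segment tokens must start with "IL5", got "${prefix}"`);
  }
  if (clientKey.length === 0) {
    throw new Error("malformed one-time token: empty client key");
  }
  // keyId must be a non-negative integer; "1.5", "abc" and "" all fail here.
  if (!/^\d+$/.test(keyIdText)) {
    throw new Error(`malformed one-time token: keyId "${keyIdText}" is not an integer`);
  }
  if (serverPublicKey.length < MIN_PUBLIC_KEY_CHARS) {
    throw new Error("malformed one-time token: server public key too short to be a full key");
  }

  return { il5: true, clientKey, serverPublicKeyId: Number(keyIdText), serverPublicKey };
}

// Convenience for exercising the negative paths without a try/catch per call.
export function isRejected(token: string): boolean {
  try {
    parseOneTimeToken(token);
    return false;
  } catch {
    return true;
  }
}

export interface KeyStorage {
  serverPublicKey?: string;    // present only in override (IL5) mode
  serverPublicKeyId?: number;
}

// Rotation suppression: when a custom key is persisted, a server-pushed key_id
// hint is ignored. Honouring it would swap in a built-in key the custom-key
// server does not use (or an id with no key at all), leaving the client unable
// to talk to the server, which is the "bricking" the commit message refers to.
export function selectServerKey(
  storage: KeyStorage,
  pushedKeyId: number | undefined,
  builtInKeys: Readonly<Record<number, string>>,
  currentKeyId: number,
): { keyId: number; key: string } {
  if (storage.serverPublicKey !== undefined) {
    return { keyId: storage.serverPublicKeyId ?? currentKeyId, key: storage.serverPublicKey };
  }
  const keyId = pushedKeyId ?? currentKeyId;
  const key: string | undefined = builtInKeys[keyId];
  if (key === undefined) {
    throw new Error(`no built-in server public key for key_id ${keyId}`);
  }
  return { keyId, key };
}

// Constructed sample values for trying the functions above (not real keys).
export const SAMPLE_PUBLIC_KEY = "A".repeat(MIN_PUBLIC_KEY_CHARS);
export const BUILT_IN_KEYS: Readonly<Record<number, string>> = { 7: "builtin-key-7", 8: "builtin-key-8" };
```

Non-IL5 tokens never reach the IL5 checks, which is the isolation the commit's "non-IL5 regions unchanged" test guards; on a successful IL5 parse both serverPublicKeyId and serverPublicKey would then be persisted on first use, so that selectServerKey sees the override on every later call, including the write paths the later commit fixes.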
manifest sbom CLI does not forward --version to Syft's --source-version flag, so Syft infers the version from git and produces a Go pseudo-version (v0.0.0-YYYYMMDDHHMMSS-hash) in the SPDX root package versionInfo field. Use the -- passthrough to explicitly set --source-name and --source-version on the Syft invocation so the SPDX document root reflects the real version. Also add get-version to generate-sbom needs so VERSION output is accessible.
Summary
Release branch for JavaScript SDK v17.4.1 — patch release adding IL5 (DoD Impact Level 5) region support, a rollup build toolchain fix, and a security bump for rollup itself.
Changes
New Features
Maintenance
Security
Breaking Changes
None.
Related Issues