Skip to content

Commit 43a91fd

Browse files
chore(sec): 1.17.0 — clear CRITICAL + transitive findings via overrides (non-breaking)
Non-breaking security patch on the 1.x line so consumers can clear critical/high scanner alerts without waiting for or adopting the breaking 2.0.0 bump (requested on #386). Adds a package.json `overrides` block pinning transitive/dev deps to patched versions. Clears: - 2 CRITICAL: basic-ftp, form-data - HIGH/MED/LOW across the dev + transitive tree (ws, braces, micromatch, cross-spawn, serialize-javascript, @babel/*, js-yaml, ip-address, path-to-regexp, diff, ajv, nanoid, minimatch, follow-redirects, ...) No engine, runtime-API, or declared-dependency changes -> drop-in patch. The two remaining HIGH findings are on direct runtime deps whose fixes are SemVer-major (thrift 0.16->0.23, uuid 9->11); those, plus the engines >=18 bump, ship in 2.0.0 (#390). Verified with osv-scanner v2.3.8: only thrift + uuid remain (both "breaking change" per npm audit). Closes #386 Closes #263 Co-authored-by: Isaac Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>
1 parent 9235fc4 commit 43a91fd

3 files changed

Lines changed: 1015 additions & 1198 deletions

File tree

CHANGELOG.md

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,11 @@
11
# Release History
22

3+
## 1.17.0
4+
5+
**Security (non-breaking):** clears all transitively-fixable OSV-Scanner findings via a `package.json` `overrides` block — **2 CRITICAL** (`basic-ftp`, `form-data`) plus HIGH/MED/LOW in the dev/transitive tree (`ws`, `braces`, `micromatch`, `cross-spawn`, `serialize-javascript`, `@babel/*`, `js-yaml`, `ip-address`, `path-to-regexp`, `diff`, and more). No engine or runtime-API changes — this is a drop-in patch so consumers can clear critical/high scanner alerts without adopting the breaking `2.0.0` bump.
6+
7+
The two remaining HIGH findings are on direct runtime deps (`thrift`, `uuid`) whose fixes require SemVer-major bumps; those are addressed in `2.0.0` (databricks/databricks-sql-nodejs#390). Closes #386, #263.
8+
39
## 1.16.0
410

511
- **New: optional kernel backend (`useKernel: true`).** Adds an alternative connection path backed by the native `@databricks/databricks-sql-kernel` client (a Rust core exposed via napi-rs), shipped as prebuilt per-platform packages (linux x64/arm64 gnu+musl, macOS x64/arm64, Windows x64/arm64) pulled in automatically as optional dependencies. The kernel talks to Databricks over the **SEA (Statement Execution API) HTTP transport** — not Thrift — with CloudFetch and inline-Arrow result fetching, through the same `DBSQLClient` surface. Supports PAT and OAuth (M2M/U2M) auth. Requires Node >= 18; on older Node the binding is not loaded and `useKernel: true` raises a clear error directing you to the Thrift backend. The default backend remains Thrift — opt in per connection. (databricks/databricks-sql-nodejs#378, #380, #409, #410, #411, #412, #416, #428, #434 by @msrathore-db)

0 commit comments

Comments
 (0)