Release JavaScript Oracle KMS Storage v1.0.0 #873
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: ./sdk/javascript/packages/oracle
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Node.js 20.x
        uses: actions/setup-node@v4
        with:
          node-version: '20.x'
          cache: 'npm'
          cache-dependency-path: sdk/javascript/packages/oracle/package-lock.json

      - name: Install dependencies
        run: npm ci

      - name: Run tests
        run: npm test
Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium, job: test)

Copilot Autofix (AI, 5 months ago):
To fix this problem, add a permissions: block either at the root of the workflow file (which will apply to all jobs) or at the jobs.test level if additional jobs are added in the future with different requirements. The minimal required permission for this workflow is likely contents: read, as the workflow only checks out code and runs tests. Add this block immediately after the workflow name: and before on: (for workflow-wide settings), or at the same indentation level as runs-on: inside the test job block.
No new methods, imports, or definitions are required.
| @@ -1,4 +1,6 @@ | ||
| name: Test JavaScript Storage - Oracle KMS | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: |
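Review bot: the root-level `permissions:` with `contents: read` is the right least-privilege setting for this job, which only checks out code and runs `npm test`, and placing it at the root also caps the default token of any job added to this workflow later. While touching the workflow, consider pinning `actions/checkout@v4` and `actions/setup-node@v4` to full commit SHAs, as the commit message says was done for ksm-action in the publish workflow, so a moved `v4` tag cannot change what runs with the token.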
Initial release of the Oracle KMS storage backend for the KSM JavaScript SDK with pre-publish bug fixes, CVE remediations, and workflow hardening.

Bug fixes:
- KSM-870: use CRC-32 (IEEE) for checksum verification
- KSM-857: replace fast-crc32c with @aws-crypto/crc32c
- KSM-848: rethrow KMS errors in encryptBuffer/decryptBuffer/saveConfig
- KSM-841: fix delete() skipping keys with falsy values
- KSM-838: correct in operator usage in contains(); normalize method visibility
- fix inverted checksum verification logic in decryptBuffer
- fix getBytes() returning undefined for zero-length Uint8Array

Maintenance:
- upgrade oci-common + oci-keymanagement 2.124.0 → 2.127.0 (CVE-2026-4800 High, CVE-2026-2950 Medium lodash via jsonwebtoken)
- upgrade oci-keymanagement to 2.124.0 (CVE-2025-65945, CVE-2025-13465)
- upgrade pino to v10 (CVE-2025-57319)
- upgrade @isaacs/brace-expansion to 5.0.1
- remove unused deps: crc-32, node-fetch, oci-vault; add explicit oci-common
- standardize license to MIT; update README examples
- update npm publish workflow: Node.js 24, Syft v1.32.0, new KSM config secret, ksm-action SHA 560d170b
Release of @keeper-security/secrets-manager-oracle-kv v1.0.0
Oracle Cloud Key Management Service integration for secure storage of Keeper Secrets Manager configuration.
Dependencies:
Bug Fixes

- `decryptBuffer()` — `verifyDecryption()` returns `true` when checksums match (valid data), but the caller threw on `true`, rejecting valid data and passing corrupted data. Negated the condition. Regression tests use real `zlib.crc32` computation to prove both valid and corrupted paths.
- `verifyDecryption()` — replaced `@aws-crypto/crc32c` (CRC-32C/Castagnoli) with Node.js built-in `zlib.crc32` (CRC-32/IEEE) to match the algorithm Oracle KMS actually uses for `plaintextChecksum`; also fix type mismatch where strict equality between `number` and `string` always returned `false` even with the correct algorithm. Remove `@aws-crypto/crc32c` dependency (no longer needed).
- `contains()` — `key in Object.keys(config)` checked numeric array indices and always returned `false` for real config keys. Corrected to `key in config`. Add regression tests.
- `delete()` — truthy check `if (config[key])` silently skipped deletion of keys with falsy values (`""`, `0`). Corrected to `if (key in config)`. Add regression tests.
- `encryptBuffer()` and `decryptBuffer()` in `utils.ts` returned empty values (`Buffer.alloc(0)` / `""`) on Oracle OCI KMS failure instead of rethrowing, silently discarding authentication failures, invalid key IDs, and permission errors; `saveConfig()` also caught and discarded errors without rethrowing; both layers now rethrow, making `saveString()`, `saveBytes()`, `saveObject()`, and `changeKey()` propagate Oracle KMS failures as expected; `changeKey()`'s rollback path (key and crypto client restoration) is now reachable; removed vestigial `blob.length > 0` guards in `saveConfig()` and `createConfigFileIfMissing()`.
- `getBytes()` — falsy check `if (bytesString)` treated an empty base64 string (`""`, produced by saving a zero-length `Uint8Array`) as absent, returning `undefined` instead of `Uint8Array(0)`. Corrected to `if (bytesString !== undefined)`. Add regression tests.
- `fast-crc32c` with `@aws-crypto/crc32c` — `fast-crc32c` native C++ addon segfaults on ARM64 and was incorrectly listed in `devDependencies`, causing `MODULE_NOT_FOUND` for consumers. Replaced with `@aws-crypto/crc32c` (pure JS, AWS-maintained, no native addon).
- `private` to `public` to match Azure and AWS: `contains()`, `isEmpty()`, `deleteAll()`, `readStorage()`, `saveStorage()`.

Code Quality (KSM-869)

- `console.error` with `logger.error()` in `encryptBuffer()` and `decryptBuffer()`
- (`crc-32`, `node-fetch`, `oci-vault`) — reduces install size and attack surface
- `oci-common` as explicit dependency (previously transitive via `oci-vault`)
- (`@babel/core`, `@babel/preset-env`, `@babel/preset-typescript`, `babel-jest`, `@types/node-fetch`)
- `eslint.config.mjs` glob pattern (`src/*.ts}` → `src/**/*.ts`)

Documentation (KSM-869)

- `bankAccount` with `password` field type, remove debug `console.log` statements, fix heading casing

Maintenance

- `tsconfig.test.json` with `@types/jest` types and update `jest.config.js` to pass the test tsconfig to ts-jest, resolving LSP errors in test files.

Closes https://keeper.atlassian.net/browse/KSM-705
Closes https://keeper.atlassian.net/browse/KSM-838
Closes https://keeper.atlassian.net/browse/KSM-841
Closes https://keeper.atlassian.net/browse/KSM-848
Closes https://keeper.atlassian.net/browse/KSM-852
Closes https://keeper.atlassian.net/browse/KSM-857
Closes https://keeper.atlassian.net/browse/KSM-866
Closes https://keeper.atlassian.net/browse/KSM-869
Closes https://keeper.atlassian.net/browse/KSM-870
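The checksum bugs the description lists (wrong CRC variant, number-vs-string strict equality, and the inverted throw in the caller), shown side by side as an added example that is not code from the Keeper SDK. It assumes Oracle KMS returns `plaintextChecksum` as a decimal string of the CRC-32 (IEEE) of the plaintext; the buffers and checksum values are constructed.

```javascript
// Added example, not code from the Keeper SDK: CRC-32/IEEE checksum verification
// modelled on the verifyDecryption()/decryptBuffer() fixes described in this PR.
// Assumption: Oracle KMS returns plaintextChecksum as a decimal string holding the
// CRC-32 (IEEE) of the plaintext; the buffers and checksums below are constructed.

// Table-driven CRC-32 (IEEE 802.3, reflected polynomial 0xEDB88320). This is the
// same value Node's zlib.crc32() yields; it is inlined so the example runs anywhere.
const CRC_TABLE = new Uint32Array(256).map((_, n) => {
  let c = n;
  for (let k = 0; k < 8; k++) c = c & 1 ? 0xedb88320 ^ (c >>> 1) : c >>> 1;
  return c >>> 0;
});

function crc32(bytes) {
  let crc = 0xffffffff;
  for (const b of bytes) crc = CRC_TABLE[(crc ^ b) & 0xff] ^ (crc >>> 8);
  return (crc ^ 0xffffffff) >>> 0;
}

// Type-mismatch bug: a number is never === a string, so this is always false
// even when the checksum algorithm is right.
function verifyDecryptionBuggy(plaintext, plaintextChecksum) {
  return crc32(plaintext) === plaintextChecksum;
}

// Fix: normalise the KMS string to a number before the strict comparison.
function verifyDecryption(plaintext, plaintextChecksum) {
  return crc32(plaintext) === Number(plaintextChecksum);
}

// Inverted-condition bug in the caller: throwing when verification succeeds
// rejects valid plaintext and lets corrupted plaintext through.
function decryptBufferInverted(plaintext, plaintextChecksum) {
  if (verifyDecryption(plaintext, plaintextChecksum)) throw new Error('checksum mismatch');
  return plaintext;
}

// Fixed caller: reject only when verification fails.
function decryptBuffer(plaintext, plaintextChecksum) {
  if (!verifyDecryption(plaintext, plaintextChecksum)) throw new Error('checksum mismatch');
  return plaintext;
}

// Returns true when fn throws; used to exercise both paths without a test framework.
function throws(fn) {
  try { fn(); return false; } catch (e) { return true; }
}
```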
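The three key-handling bugs from the Bug Fixes list (`contains()`, `delete()`, `getBytes()`), each beside its fix, as an added example that is not code from the Keeper SDK; it uses a plain object in place of the decrypted config, and the keys and values are constructed.

```javascript
// Added example, not code from the Keeper SDK: the contains()/delete()/getBytes()
// key-handling bugs described in this PR, each beside its fix, over a plain object
// standing in for the decrypted KSM config. Keys and values are constructed.

function containsBuggy(config, key) {
  // Object.keys() is an array, so `in` tests its indices ("0", "1", ...), never
  // the key names: false for every real config key.
  return key in Object.keys(config);
}
function contains(config, key) {
  // Fix from the PR. Note `in` also sees inherited names such as "toString";
  // Object.hasOwn(config, key) is stricter when keys come from outside the SDK.
  return key in config;
}

function deleteKeyBuggy(config, key) {
  // Truthy guard: "" and 0 are legitimate stored values but are never deleted.
  if (config[key]) delete config[key];
}
function deleteKey(config, key) {
  if (key in config) delete config[key];
}

// Bytes are persisted as base64 text, so a zero-length Uint8Array is stored as "".
function saveBytes(config, key, bytes) {
  config[key] = Buffer.from(bytes).toString('base64');
}
function getBytesBuggy(config, key) {
  const bytesString = config[key];
  // Falsy guard: "" reads back as absent (undefined) instead of Uint8Array(0).
  if (bytesString) return new Uint8Array(Buffer.from(bytesString, 'base64'));
  return undefined;
}
function getBytes(config, key) {
  const bytesString = config[key];
  if (bytesString !== undefined) return new Uint8Array(Buffer.from(bytesString, 'base64'));
  return undefined;
}
```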