
Release JavaScript GCP KMS Storage v1.0.0#874

Merged
maksimu merged 1 commit intomasterfrom
release/storage/javascript/gcp-kms/v1.0.0
Apr 7, 2026

Conversation

@stas-schaller
Contributor

@stas-schaller stas-schaller commented Nov 21, 2025

Release of @keeper-security/secrets-manager-gcp v1.0.0

Google Cloud Key Management Service integration for secure storage of Keeper Secrets Manager configuration.

Dependencies:

  • @keeper-security/secrets-manager-core v17.3.0
  • @google-cloud/kms v4.5.0

Bug Fixes

  • KSM-867: Fix getKeyDetails() silently swallowing errors — the catch block logged but did not rethrow, leaving key metadata (keyType, encryptionAlgorithm, isAsymmetric) uninitialized when getCryptoKey() fails (bad credentials, non-existent key, network error). init() now propagates the real GCP error. Regression tests for PERMISSION_DENIED and NOT_FOUND scenarios.
  • KSM-837: Fix contains(): key in Object.keys(config) checked numeric array indices and always returned false for real config keys. Corrected to key in config. Add regression tests.
  • KSM-840: Fix delete() — truthy check if (config[key]) silently skipped deletion of keys with falsy values ("", 0). Corrected to if (key in config). Add regression tests.
  • KSM-847: Fix encryption/decryption error propagation — encryptBuffer() and decryptBuffer() in utils.ts returned empty values (Buffer.alloc(0) / "") on GCP KMS failure instead of rethrowing, silently discarding authentication failures, invalid key IDs, and permission errors; saveConfig() also caught and discarded errors without rethrowing; both layers now rethrow, making saveString(), saveBytes(), saveObject(), and changeKey() propagate GCP KMS failures as expected; changeKey()'s rollback path (key and crypto client restoration) is now reachable; removed vestigial blob.length > 0 guards in saveConfig() and createConfigFileIfMissing(), and dead plaintext.length > 0 guard in decryptConfig().
  • KSM-849: Fix getBytes() — falsy check if (bytesString) treated an empty base64 string ("", produced by saving a zero-length Uint8Array) as absent, returning undefined instead of Uint8Array(0). Corrected to if (bytesString !== undefined). Add regression tests.
  • KSM-858: Replace fast-crc32c with @aws-crypto/crc32c: the fast-crc32c native C++ addon segfaults on ARM64 and was incorrectly listed in devDependencies, causing MODULE_NOT_FOUND for consumers. Replaced with @aws-crypto/crc32c (pure JS, AWS-maintained, no native addon).
  • Normalize 5 methods from private to public to match Azure and AWS: contains(), isEmpty(), deleteAll(), readStorage(), saveStorage().

Code Quality (KSM-868)

  • Replace console.warn with this.logger.warn() in saveConfig()
  • Fix "KCP KMS" typo → "GCP KMS" in utils.ts error message
  • Fix misleading "encrypt" log messages in decrypt contexts (decryptConfig(), loadConfig())
  • Remove dead readStorage() null check (config initialized to {}, condition never triggers)
  • Remove unused OAEP_PADDINg constant with typo and its crypto import
  • Fix broken eslint.config.mjs glob pattern (src/*.ts} → src/**/*.ts)

Documentation (KSM-868)

  • CHANGELOG: Add entries for KSM-867, KSM-837, KSM-840, KSM-849
  • README: Remove debug console.log from examples, fix "an GCP" → "a GCP" grammar, replace bankAccount with password field type, fix heading indentation

Maintenance

  • Update axios from 1.13.2 to 1.7.9 to resolve high severity SSRF vulnerability (CVE-2025-27152). One low severity transitive finding remains (@tootallnate/once@2.0.0 via @google-cloud/kms) — unfixable without upstream GCP SDK update, accepted as low risk. Grype rescan: 1 low finding.
  • Fix jest TypeScript configuration — add tsconfig.test.json with @types/jest types and update jest.config.js to pass the test tsconfig to ts-jest, resolving LSP errors in test files.

Closes https://keeper.atlassian.net/browse/KSM-704
Closes https://keeper.atlassian.net/browse/KSM-837
Closes https://keeper.atlassian.net/browse/KSM-840
Closes https://keeper.atlassian.net/browse/KSM-847
Closes https://keeper.atlassian.net/browse/KSM-849
Closes https://keeper.atlassian.net/browse/KSM-858
Closes https://keeper.atlassian.net/browse/KSM-867
Closes https://keeper.atlassian.net/browse/KSM-868

Comment thread on .github/workflows/publish.npm.storage.gcp.kms.yml (lines +19 to +38), marked Fixed:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: ./sdk/javascript/packages/gcp
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Node.js 20.x
        uses: actions/setup-node@v4
        with:
          node-version: '20.x'
          cache: 'npm'
          cache-dependency-path: sdk/javascript/packages/gcp/package-lock.json

      - name: Install dependencies
        run: npm ci

      - name: Run tests
        run: npm test

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium test

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix (AI, 5 months ago)

To address the issue, the workflow YAML should be updated to specify a permissions block at the job or workflow root, stating the minimal necessary privileges. Since this workflow simply checks out code and runs tests — and does not perform write operations to the repository or PRs — the safest default is to set contents: read. This should be added as a new block immediately after the name: directive and before the on: directive (workflow root), or alternatively inside the test job. For clarity and to avoid unexpected privilege inheritance, the recommended location is at the workflow root; this will apply minimal permissions to all jobs.

No new methods or imports are needed to implement this; simply add the following YAML block in the right place:

permissions:
  contents: read
Suggested changeset 1: .github/workflows/test.javascript.storage.gcp.kms.yml (autofix patch)
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/test.javascript.storage.gcp.kms.yml b/.github/workflows/test.javascript.storage.gcp.kms.yml
--- a/.github/workflows/test.javascript.storage.gcp.kms.yml
+++ b/.github/workflows/test.javascript.storage.gcp.kms.yml
@@ -1,4 +1,6 @@
 name: Test JavaScript Storage - GCP KMS
+permissions:
+  contents: read
 
 on:
   push:
EOF
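Review bot: the permissions block is added at the workflow root of test.javascript.storage.gcp.kms.yml, which is the right place for a job that only checks out and tests, but the CodeQL comment thread this answers is on publish.npm.storage.gcp.kms.yml, and that workflow is not touched by the patch. The publish workflow runs with the GITHUB_TOKEN too and, per the commit message, calls ksm-action and publishes to npm, so it should carry its own explicit `permissions:` block limited to what its steps actually use rather than inheriting the repository default; a root-level `contents: read` there would then need per-job overrides only where a job genuinely writes. Also worth a line in the PR description: once `permissions:` is set at the root, every job in that file is restricted, so any later job added without its own block silently gets read-only scope, which is the intended fail-safe direction.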
@stas-schaller stas-schaller force-pushed the release/storage/javascript/gcp-kms/v1.0.0 branch from 628a3fc to 9b588ed Compare March 10, 2026 16:26
@stas-schaller stas-schaller force-pushed the release/storage/javascript/gcp-kms/v1.0.0 branch from 8922cf4 to 046814c Compare March 27, 2026 18:28
@stas-schaller stas-schaller force-pushed the release/storage/javascript/gcp-kms/v1.0.0 branch from 2b58784 to a2373f6 Compare April 7, 2026 01:35
@stas-schaller stas-schaller force-pushed the release/storage/javascript/gcp-kms/v1.0.0 branch from a2373f6 to bdce57f Compare April 7, 2026 18:40
Initial release of the GCP Cloud KMS storage backend for the KSM
JavaScript SDK with pre-publish bug fixes, CVE remediations, and
workflow hardening.

Bug fixes:
- KSM-858: replace fast-crc32c with @aws-crypto/crc32c
- KSM-847: rethrow KMS errors in encryptBuffer/decryptBuffer/saveConfig
- KSM-840: fix delete() skipping keys with falsy values
- KSM-837: correct in operator usage in contains(); normalize method visibility
- fix getKeyDetails() swallowing errors — now propagates to init()
- fix getBytes() returning undefined for zero-length Uint8Array

Maintenance:
- remove package-level publish workflow (superseded by root-level workflow)
- upgrade @google-cloud/kms to 5.2.1 (CVE-2025-65945)
- upgrade pino to v10 (CVE-2025-57319)
- upgrade @isaacs/brace-expansion to 5.0.1
- upgrade axios to 1.7.9
- remove brace-expansion override breaking rimraf on Node 24
- update npm publish workflow: Node.js 24, Syft v1.32.0, new KSM config secret, ksm-action SHA 560d170b
@stas-schaller stas-schaller force-pushed the release/storage/javascript/gcp-kms/v1.0.0 branch from bdce57f to 63e8e6a Compare April 7, 2026 18:42
@maksimu maksimu merged commit 1dc291a into master Apr 7, 2026
31 checks passed