Bumping deps to avoid CVE (13/11/2025) (part 2)#9305

Merged
liranmauda merged 1 commit into noobaa:master from liranmauda:liran-bump-deps on Nov 24, 2025

Conversation

@liranmauda (Contributor) commented Nov 23, 2025

Explain the Changes

  • Bumping deps to avoid CVE (13/11/2025) (part 2)

Summary by CodeRabbit

  • Chores
    • Updated cloud SDKs and storage client packages (AWS SDK v3, Azure Storage, Google Cloud Storage and related libraries) to newer stable versions, providing security patches, maintenance updates and potential performance/stability improvements.


@coderabbitai (Bot) commented Nov 23, 2025

Walkthrough

Bumped dependency versions in package.json: multiple AWS SDK v3 clients and related AWS packages, @smithy/node-http-handler, Azure Storage Blob, and Google Cloud Storage; no code, script, or exported API changes.

Changes

Cohort / File(s): Dependency version updates (package.json)

Summary: Updated multiple AWS SDK v3 packages (e.g., @aws-sdk/*) from ~3.893.0 → 3.937.0 (with STS/credential-providers/lib-storage adjustments to 3.936.0/3.937.0 where applicable); bumped @smithy/node-http-handler 4.2.1 → 4.4.5; @azure/storage-blob 12.29.0 → 12.29.1; @google-cloud/storage 7.17.1 → 7.17.3; devDependency @aws-sdk/client-iam → 3.936.0. No structural/script changes.

Sequence Diagram(s)

(omitted — changes are dependency/version updates only; no control-flow changes)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5–10 minutes

  • Pay attention to AWS SDK package pairing (some packages moved to 3.936.0 vs 3.937.0) and any potential minor behavioral changes.
  • Verify lockfile/installation and check smithy changelog for runtime-impacting fixes.

Suggested labels

size/M

Suggested reviewers

  • nimrod-becker
  • jackyalbo

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title clearly and specifically describes the main change: bumping dependencies to avoid CVE vulnerabilities, with a date reference and part notation indicating this is part of a larger security update effort.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9b6b8fa and 5e53011.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • package.json (2 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • package.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Build Noobaa Image
  • GitHub Check: run-jest-unit-tests
  • GitHub Check: run-package-lock-validation


@coderabbitai (Bot) left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d3c091e and 700a6d7.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • package.json (2 hunks)
🧰 Additional context used
🧠 Learnings (2)
📓 Common learnings
Learnt from: Neon-White
Repo: noobaa/noobaa-core PR: 9229
File: .github/workflows/ibm-nightly-provision-dispatcher.yaml:13-13
Timestamp: 2025-09-30T08:56:55.478Z
Learning: In the noobaa-core repository, PR #9229 (nightly IBM VM provision dispatcher) has a dependency on `.github/ibm-warp-runner-config.yaml` which is provided in PR #9230, requiring PR #9230 to be merged first.
📚 Learning: 2025-09-30T10:27:57.996Z
Learnt from: Neon-White
Repo: noobaa/noobaa-core PR: 9230
File: tools/ibm_runner_helpers/slack_notifier.js:4-4
Timestamp: 2025-09-30T10:27:57.996Z
Learning: In the noobaa-core repository, the `tools/ibm_runner_helpers/slack_notifier.js` script depends on `slack/webhook`, which is installed globally via `npm -g install 'slack/webhook'` in `.github/ibm-warp-runner-config.yaml` (cloud-init configuration) rather than being declared in package.json, since the script runs on IBM Cloud VMs provisioned by cloud-init.

Applied to files:

  • package.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: run-jest-unit-tests
  • GitHub Check: run-package-lock-validation
  • GitHub Check: Build Noobaa Image
🔇 Additional comments (2)
package.json (2)

75-84: Test dependency updates to ensure functionality and CVE resolution.

After bumping these dependencies, ensure that:

  1. The application builds and starts without errors.
  2. S3, STS, and storage operations function correctly with the new SDK versions.
  3. The specific CVEs targeted in this update are confirmed as resolved.

Consider running the test suite (lint, mocha, jest) against these changes to catch any regressions early.


75-79: Verify AWS SDK package version consistency and confirm CVE references.

The git diff shows AWS SDK packages upgraded from 3.893.0 to mixed versions: client-s3, lib-storage, and s3-request-presigner at 3.937.0, while client-sts and credential-providers remain at 3.936.0. Confirm whether this version split is intentional or should be aligned.

Additionally, your commit message references "(part 2)" but provides no specific CVE identifiers or details. The release notes for v3.936.0 and v3.937.0 do not list security fixes. Clarify which specific CVEs you are addressing and provide a reference to the corresponding "part 1" PR or security advisory to ensure these versions actually contain the necessary fixes.

Also applies to: line 129 (@aws-sdk/client-iam at 3.936.0)

- Bumping deps to avoid CVE (13/11/2025) (part 2)

Signed-off-by: liranmauda <liran.mauda@gmail.com>
@liranmauda liranmauda merged commit 2af53d0 into noobaa:master Nov 24, 2025
18 checks passed