
Bump pan-domain-node to 1.2.0 #20

Merged

waisingyiu merged 2 commits into main from wsy/bump-pan-domain-node on Jul 28, 2025

Conversation

@waisingyiu (Contributor) commented Jul 25, 2025

What does this change?

This pull request is part of the work to address the FSBP high severity issue about the bucket pan-domain-auth-settings not blocking public access. We observed that some S3 objects (specifically, the public key files) in this bucket were accessed via direct HTTP URL without any credentials, using the pan-domain-node library.

We changed the pan-domain-node library (guardian/pan-domain-node#47) to get the public key files with the AWS SDK, which requires AWS credentials in the execution environment. This change was published to the NPM repository as version 1.1.0.

This pull request bumps the pan-domain-node dependency to version 1.2.0 (the latest version that includes the change described above) so that it reads the public key files via the AWS SDK rather than an unauthenticated direct HTTP request.

How to test

On CODE, we can open the gudoc page - https://gudocs.code.dev-gutools.co.uk/ successfully.

How can we measure success?

Make progress towards enabling "block all public access" on the S3 bucket "pan-domain-auth-settings".

Have we considered potential risks?

Should be minimal because the same bucket is shared between CODE and PROD. If the application can access the public key file on CODE, it should be able to do so on PROD.

@waisingyiu waisingyiu marked this pull request as ready for review July 28, 2025 08:41
@SHession (Contributor) left a comment

Code looks good and CODE also looks good!

@waisingyiu waisingyiu merged commit 08c69ac into main Jul 28, 2025
1 check passed


Development

Successfully merging this pull request may close this issue: Bump pan-domain-node in gudocs2 to load public settings using AWS SDK