Skip to content

chore(google-docs-eval): merge to master, add internal docs, fix fast-xml-parser CVEs []#11060

Merged
Mitch Goudy (mgoudy91) merged 4 commits into
masterfrom
chore/google-docs-eval-wip
Jul 7, 2026
Merged

chore(google-docs-eval): merge to master, add internal docs, fix fast-xml-parser CVEs []#11060
Mitch Goudy (mgoudy91) merged 4 commits into
masterfrom
chore/google-docs-eval-wip

Conversation

@mgoudy91

Copy link
Copy Markdown
Contributor

Summary

This PR brings the google-docs-eval app from its long-lived unmerged branch into master. The app is an internal eval tool used by the Applied AI Solutions team (10pines) to score Drive Integration agent runs — it is not customer-facing and will not be published to the Marketplace.

Keeping it off master was causing real problems: Wiz couldn't scan the deployed Lambda, and the branch was invisible to the rest of the team (see: Tyler having to hunt for it to fix vulns).

  • Merges chore/google-docs-eval-wip up to current master
  • Adds an internal-only banner to the README making ownership and purpose explicit; removes AWS account numbers, internal hostnames, and Bedrock ARNs from the public README
  • Adds npm overrides to pin fast-xml-parser >= 5.5.6 in the Lambda, resolving 4 Wiz findings:

All four were transitive via @aws-sdk/client-bedrock-runtime. The override resolves to 5.9.3.

Test plan

  • Confirm npm ls fast-xml-parser in apps/google-docs-eval/lambda shows >= 5.5.6
  • Confirm Wiz findings for fast-xml-parser 5.2.5 resolve after next scan following redeploy
  • Confirm README no longer contains AWS account numbers or internal hostnames

🤖 Generated with Claude Code

Mitch Goudy (mgoudy91) and others added 4 commits April 28, 2026 13:51
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…ambda URLs

Makes it clear to anyone browsing the repo that this is an Applied AI Solutions
team eval tool, not a customer app, and surfaces the key ops info (AWS account,
deployed endpoints) that was previously only findable via tribal knowledge.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…tails from README

Adds npm overrides to force fast-xml-parser out of the vulnerable 5.2.5 range
pulled in transitively by @aws-sdk/client-bedrock-runtime, resolving CVE-2026-25896
(Critical), CVE-2026-33036 (High), CVE-2026-26278 (High), and CVE-2026-25128 (High).

Also removes AWS account numbers, internal hostnames, and Bedrock ARNs from the
README — those belong in internal docs, not the public repo.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@mgoudy91 Mitch Goudy (mgoudy91) requested review from a team as code owners July 7, 2026 18:58
@wiz-inc-38d59fb8d7

Copy link
Copy Markdown

Wiz Scan Summary

Scanner Findings
Vulnerability Finding Vulnerabilities -
Data Finding Sensitive Data -
Secret Finding Secrets -
IaC Misconfiguration IaC Misconfigurations 1 High 15 Medium 2 Low
SAST Finding SAST Findings 4 Low
Software Management Finding Software Management Findings -
Total 1 High 15 Medium 6 Low

View scan details in Wiz

To detect these findings earlier in the dev lifecycle, try using Wiz Code VS Code Extension.

"Properties": {
"Name": "test-sls-apps-google-docs-eval",
"EndpointConfiguration": {
"Types": [

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High IaC Finding

REST API Gateway APIs should be accessible only through private API endpoints
on resource Resources.ApiGatewayRestApi.Properties.EndpointConfiguration.Types

More Details
This rule checks whether APIs created with Amazon API Gateway are configured to use private endpoints, making the APIs accessible only from your Amazon VPC. With private endpoints, traffic to private APIs uses TLSv1.2 and is isolated from the public internet as it does not leave the Amazon network. The private APIs are accessed through interface VPC endpoints for API Gateway. Ensure the API Gateway APIs are accessible only via private endpoints to prevent unnecessary external exposure.

Expected

'Resources.ApiGatewayRestApi.EndpointConfiguration.Types' should contain 'PRIVATE'

Found

'Resources.ApiGatewayRestApi.EndpointConfiguration.Types' does not contain 'PRIVATE'

Security Frameworks: wf-id-3, wf-id-5, wf-id-39, wf-id-1, wf-id-4, wf-id-105, wf-id-13, wf-id-16, deeab6d1-f599-42f1-8f2d-3bab70d9ed09


Rule ID: 71b83995-634b-42dd-b5b8-398f93a57030


To ignore this finding as an exception, reply to this conversation with #wiz_ignore reason

If you'd like to ignore this finding in all future scans, add an exception in the .wiz file (learn more) or create an Ignore Rule (learn more).


To get more details on how to remediate this issue using AI, reply to this conversation with #wiz remediate

@mgoudy91 Mitch Goudy (mgoudy91) changed the title chore(google-docs-eval): merge to master, add internal docs, fix fast-xml-parser CVEs chore(google-docs-eval): merge to master, add internal docs, fix fast-xml-parser CVEs [] Jul 7, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@mgoudy91 Mitch Goudy (mgoudy91) merged commit f5fe60e into master Jul 7, 2026
14 of 15 checks passed
@mgoudy91 Mitch Goudy (mgoudy91) deleted the chore/google-docs-eval-wip branch July 7, 2026 20:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants