prototype for sm manage permissions

[maxkpower]

Prototype for adding a Manage permission to Secrets Manager access policies, enabling a dedicated tier for administering who can access projects and secrets separate from Read/Write data access.

This PR should not be merged.

Related PR with more context: bitwarden/clients#19613

[github-actions]

Checkmarx One – Scan Summary & Details – ff90d46a-35bd-4372-8b8c-7bfe365364c6

---

New Issues (8)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		CVE-2026-25547	Npm-@isaacs/brace-expansion-5.0.0	details Recommended version: 5.0.1 Description: @isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
2		CVE-2026-27699	Npm-basic-ftp-5.0.5	details Recommended version: 5.2.0 Description: The `basic-ftp` FTP client library for Node.js contains a Path Traversal vulnerability in versions prior to 5.2.0 in the `downloadToDir()`method. A... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
3		CVE-2025-64756	Npm-glob-11.0.3	details Recommended version: 11.1.0 Description: Glob matches files using patterns the shell uses. In versions 10.2.0 prior to 10.5.0 and 11.0.0 prior to 11.1.0, the glob CLI contains a command in... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
4		CVE-2026-25639	Npm-axios-1.13.2	details Recommended version: 1.13.5 Description: Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.13.5, the mergeConfig function in axios crashes with a TypeError when ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
5		CVE-2026-26996	Npm-minimatch-10.1.1	details Recommended version: 10.2.3 Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions prior to 3.1.3, 4.0.0 prior to 4.2... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
6		CVE-2026-27903	Npm-minimatch-10.1.1	details Recommended version: 10.2.3 Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. All versions starting from 3.0.0 and prior ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
7		CVE-2026-27904	Npm-minimatch-10.1.1	details Recommended version: 10.2.3 Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. All versions starting from 3.0.0 and prior ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
8		CVE-2025-13465	Npm-lodash-4.17.21	details Recommended version: 4.17.23 Description: Lodash versions from 4.0.0 through 4.17.22 are vulnerable to Prototype Pollution in the "_.unset" and "_.omit" functions. An attacker can pass craf... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

🔍 SDK Breaking Change Detection Results

SDK Version: sm-prototype-for-manage-permissions (89af9be)
Completed: 2026-03-17 22:11:48 UTC
Total Time: 245s

Client	Status	Details
typescript	✅ No breaking changes detected	TypeScript compilation passed with new SDK version - View Details

---

Breaking change detection completed. View SDK workflow