Patch npm vulnerabilities via overrides for build tooling #602
Merged
Add npm overrides forcing patched (same-major) versions for transitive
build/dev-tooling dependencies flagged by Dependabot. None of these ship
in the runtime app bundle; they are only present in package-lock.json.
Cleared (13 advisories, incl. all 9 high-severity):
- form-data 2.5.5 -> ^2.5.6 (CRLF injection)
- undici 6.26 -> ^6.27.0 (4 advisories: header injection, DoS, queue
poisoning, cookie downgrade)
- hono 4.12.23 -> ^4.12.27 (5 advisories: path traversal, CORS, body
limit bypass, header handling)
- joi 17.13.3 -> ^17.13.4 (RangeError DoS)
- protobufjs 7.6.1 -> ^7.6.3 (prototype shadowing)
- tar 7.5.15 -> ^7.5.16 (file smuggling)
Not changed (risk-accepted): uuid and js-yaml only have patches that
require a major bump on build tooling; both moderate and not exploitable
in this context.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01H86E5iMTSRYsjFcD7pJBxE
Force patched versions for the last two transitive dev/build-tooling advisories via npm overrides:
- uuid 3.4.0/7.0.3/8.3.2/9.0.1 -> ^11.1.1 (GHSA-w5hq-g745-h8pq)
- js-yaml 3.14.2/4.1.1 -> ^4.2.0 (GHSA-h67p-54hq-rp68)
npm audit now reports 0 vulnerabilities. Verified clean install (patch-package passed) and tsc --noEmit.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01H86E5iMTSRYsjFcD7pJBxE
fix: patch 13 Dependabot npm vulnerabilities via overrides
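A check a reviewer can run after a PR like this, added here as an example and not the project's own code: it reads the `overrides` map and the lockfile's `packages` map and reports any installed copy of an overridden package that is still outside its override range (the case where the lockfile was not regenerated). It assumes lockfile v2/v3 layout and handles only the caret ranges the PR uses; the sample inputs are constructed.

```javascript
// Added example, not code from the PR: check that every "overrides" entry in
// package.json is honoured by the tree recorded in package-lock.json. Only caret
// ranges ("^x.y.z": same major, at least x.y.z) are handled, as the PR uses.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when `version` satisfies "^a.b.c": same major and not lower than a.b.c.
function satisfiesCaret(version, range) {
  if (!range.startsWith("^")) throw new Error(`only caret ranges supported: ${range}`);
  const want = parseVersion(range.slice(1));
  const have = parseVersion(version);
  if (have[0] !== want[0]) return false;
  for (let i = 0; i < 3; i++) {
    if (have[i] !== want[i]) return have[i] > want[i];
  }
  return true;
}
// Lockfile v2/v3 keys are "node_modules/foo" or "node_modules/bar/node_modules/@s/foo";
// the package name is everything after the last "node_modules/" segment.
function packageName(lockKey) {
  const marker = "node_modules/";
  return lockKey.slice(lockKey.lastIndexOf(marker) + marker.length);
}

// One entry per installed copy of an overridden package whose version falls
// outside the override range (e.g. a stale lockfile npm never rewrote).
function findUnhonouredOverrides(pkgJson, lockJson) {
  const overrides = pkgJson.overrides || {};
  const violations = [];
  for (const [path, info] of Object.entries(lockJson.packages || {})) {
    if (path === "" || !info.version) continue; // "" is the root project itself
    const name = packageName(path);
    const range = overrides[name];
    if (range !== undefined && !satisfiesCaret(info.version, range)) {
      violations.push({ path, name, version: info.version, override: range });
    }
  }
  return violations;
}

// Constructed sample (not the project's real files): one nested copy is stale.
const SAMPLE_PKG = { overrides: { "form-data": "^2.5.6", undici: "^6.27.0", tar: "^7.5.16" } };
const SAMPLE_LOCK = { packages: { "": { name: "app" },
  "node_modules/form-data": { version: "2.5.6" }, "node_modules/tar": { version: "7.5.16" },
  "node_modules/some-cli/node_modules/undici": { version: "6.26.0" } } };
console.log(findUnhonouredOverrides(SAMPLE_PKG, SAMPLE_LOCK)); // reports the stale undici copy
```

Against real files, replace the two sample objects with `JSON.parse(fs.readFileSync(...))` of package.json and package-lock.json; an empty result means every override is reflected in the installed tree.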