
fix(deps): update transitive dependencies to fix npm vulnerabilities #2108

Status: Open
skjnldsv wants to merge 1 commit into main from fix/npm-vulnerabilities

Conversation

@skjnldsv (Contributor) commented Jun 14, 2026

Summary

  • Run npm update on vulnerable transitive dependencies to fix 7 non-breaking vulnerabilities (37 → 30)
  • Only package-lock.json changed, no package.json modifications
  • Lockfile verified with npm ci (no --legacy-peer-deps needed)

Fixed

| Package | Severity | Issue |
| --- | --- | --- |
| axios | high | Multiple prototype pollution, SSRF, header injection |
| dompurify | moderate | FORBID_TAGS bypass, XSS |
| follow-redirects | moderate | Auth header leak on redirect |
| postcss | moderate | XSS via unescaped style tags |
| ws | moderate | Uninitialized memory disclosure |
| fast-uri | high | Path traversal, host confusion |
| brace-expansion | moderate | Numeric range DoS |
| systeminformation | high | Command injection |
| qs | moderate | DoS via null entries |
| tmp | moderate | Path traversal |
| ajv | moderate | ReDoS |

Remaining (30 vulnerabilities, locked by parent package version pins)

  • vue 2.7.16 (low, x17): ReDoS in parseHTML, unfixable without Vue 3 migration
  • elliptic (low): deep in crypto-browserify chain
  • esbuild (high): needs vite 8.x, blocked by @nextcloud/vite-config
  • picomatch@2.3.1 (high): locked by rollup-plugin-license/fdir
  • fast-xml-parser@4.x (moderate): locked by webdav
  • uuid@8.x (low): locked by cypress
  • @babel/helpers (moderate): locked by @babel/core

Test plan

  • Verify npm ci passes (no --legacy-peer-deps needed)
  • Verify build works (npm run build)
  • Verify tests pass (npm test)
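
The triage the PR description performs by hand (which audit findings `npm update` can clear without touching package.json, which are pinned by a parent that needs a breaking bump) and the post-update check that the lockfile diff is transitive-only can both be scripted. The block below is an added example, not code from this PR or from the Nextcloud project. It assumes the `npm audit --json` report shape of npm 7+ (`vulnerabilities.<name>.{isDirect, fixAvailable}`) and the `packages` map of a lockfileVersion 2/3 package-lock.json; the audit entries are constructed to mirror the PR's table, and `example-http-client`, `hypothetical-direct-dep` and the version numbers are illustrative.

```javascript
// Added example (not the PR's or the project's code): classify an `npm audit --json`
// report into what `npm update <pkg>` can fix without editing package.json, and
// check a lockfile diff for the two properties the PR claims: the root package's
// declared dependencies are untouched and no transitive bump crossed a major version.
//
// Where each function fits in the PR's procedure:
//   npm audit --json > audit.json     -> triageAudit(JSON.parse(report))
//   npm update <updatable packages>   -> should change package-lock.json only
//   git diff --name-only              -> expect package-lock.json alone
//   diffLockfiles(oldLock, newLock)   -> rootUnchanged === true, majorBumps empty
//   npm ci && npm run build && npm test

// Constructed sample in the shape of `npm audit --json` (npm 7+ format).
// Entries are modelled on the PR's table; titles are descriptive, not advisory IDs.
const SAMPLE_AUDIT = {
  vulnerabilities: {
    axios: {
      name: "axios", severity: "high", isDirect: false,
      via: [{ title: "SSRF", severity: "high" }],
      fixAvailable: true, // a fixed version exists inside the range its parent allows
    },
    esbuild: {
      name: "esbuild", severity: "high", isDirect: false,
      via: [{ title: "example issue", severity: "high" }],
      // only fixable through a semver-major bump of the parent that pins it
      fixAvailable: { name: "vite", version: "8.0.0", isSemVerMajor: true },
    },
    vue: {
      name: "vue", severity: "low", isDirect: true,
      via: [{ title: "ReDoS in parseHTML", severity: "low" }],
      fixAvailable: { name: "vue", version: "3.0.0", isSemVerMajor: true },
    },
    "hypothetical-direct-dep": { // hypothetical name: fixable, but declared in package.json
      name: "hypothetical-direct-dep", severity: "moderate", isDirect: true,
      via: [{ title: "example issue", severity: "moderate" }],
      fixAvailable: true,
    },
  },
};

// Sort findings into: transitive packages `npm update` can fix, direct dependencies
// with a fix (worth a second look, since they are declared in package.json), and
// findings blocked behind a breaking parent upgrade or with no fix at all.
function triageAudit(report) {
  const updatable = new Set();
  const direct = [];
  const blocked = [];
  for (const v of Object.values(report.vulnerabilities)) {
    const fix = v.fixAvailable;
    if (fix === true) {
      if (v.isDirect) direct.push(v.name); else updatable.add(v.name);
    } else if (fix && !fix.isSemVerMajor) {
      updatable.add(fix.name); // non-breaking bump of the parent that pins it
    } else {
      blocked.push({
        name: v.name, severity: v.severity,
        needs: fix ? `${fix.name}@${fix.version} (semver-major)` : "no fix published",
      });
    }
  }
  return { updatable: [...updatable].sort(), direct: direct.sort(), blocked };
}

// Constructed lockfile fragments (lockfileVersion 3 layout; versions illustrative).
const LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "example-http-client": "^2.0.0" } },
    "node_modules/example-http-client": { version: "2.0.0", dependencies: { axios: "^1.6.0" } },
    "node_modules/axios": { version: "1.6.0", dependencies: { "follow-redirects": "^1.15.0" } },
    "node_modules/follow-redirects": { version: "1.15.4" },
  },
};
const LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "example-http-client": "^2.0.0" } },
    "node_modules/example-http-client": { version: "2.0.0", dependencies: { axios: "^1.6.0" } },
    "node_modules/axios": { version: "1.8.2", dependencies: { "follow-redirects": "^1.15.6" } },
    "node_modules/follow-redirects": { version: "1.15.9" },
  },
};

function majorOf(version) { return Number(version.split(".")[0]); }

// Diff the `packages` maps of two lockfiles: list every version change, flag
// bumps that cross a major version, and confirm the root entry ("") is identical.
function diffLockfiles(before, after) {
  const changed = [];
  const paths = new Set([...Object.keys(before.packages), ...Object.keys(after.packages)]);
  for (const p of paths) {
    if (p === "") continue;
    const from = before.packages[p]?.version ?? null;
    const to = after.packages[p]?.version ?? null;
    if (from !== to) {
      changed.push({ path: p, from, to,
        semverMajor: from !== null && to !== null && majorOf(from) !== majorOf(to) });
    }
  }
  const rootUnchanged =
    JSON.stringify(before.packages[""] ?? {}) === JSON.stringify(after.packages[""] ?? {});
  return { changed, rootUnchanged, majorBumps: changed.filter((c) => c.semverMajor).map((c) => c.path) };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(triageAudit(SAMPLE_AUDIT), null, 2));
  console.log(JSON.stringify(diffLockfiles(LOCK_BEFORE, LOCK_AFTER), null, 2));
}
```

On a real checkout, feed `triageAudit` the parsed output of `npm audit --json` and `diffLockfiles` the parsed package-lock.json from `git show HEAD:package-lock.json` and the working tree; an entry in `majorBumps` or `rootUnchanged === false` means the change is not the lockfile-only, non-breaking update the PR description asserts.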

@skjnldsv added the label "bug" (Something isn't working) on Jun 14, 2026
@skjnldsv self-assigned this on Jun 14, 2026
@skjnldsv added the labels "dependencies" (Pull requests that update a dependency file) and "3. to review" (Waiting for reviews) on Jun 14, 2026
@skjnldsv force-pushed the fix/npm-vulnerabilities branch from 9684387 to f8930c6 on June 14, 2026 at 05:25

Run `npm update` on vulnerable transitive dependencies to resolve
non-breaking vulnerabilities without changing package.json.

Fixed: axios, dompurify, follow-redirects, postcss, ws, fast-uri,
brace-expansion, systeminformation, qs, tmp, ajv.

Remaining vulnerabilities require parent package upgrades or breaking
changes (elliptic, esbuild, vue 2, picomatch, fast-xml-parser, uuid,
@babel/helpers).

Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>
@skjnldsv force-pushed the fix/npm-vulnerabilities branch from f8930c6 to f8127f9 on June 14, 2026 at 06:00

@codecov (bot) commented Jun 14, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 36.30%. Comparing base (ff8d1d8) to head (f8127f9).

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #2108   +/-   ##
=======================================
  Coverage   36.30%   36.30%           
=======================================
  Files          17       17           
  Lines         774      774           
  Branches      145      145           
=======================================
  Hits          281      281           
  Misses        480      480           
  Partials       13       13           


@skjnldsv requested a review from susnux on June 14, 2026 at 06:03

@skjnldsv (Contributor, Author) commented

Cypress failure already known ⚠️
