Skip to content

fix(frontend): npm audit failures keep Security Scanning red after Go CVE fix #1344

Description

@cristim

Discovered while fixing #1339 (PR #1343): the "Security Scanning" job in CI - Build & Test also runs npm audit on the frontend, which fails with multiple advisories independent of the Go-side govulncheck failure (which #1343 resolves via the pgx bump). Current highlights from run 28664972267: @babel/plugin-transform-modules-systemjs (high, GHSA-fv7c-fp4j-7gwp), fast-uri path traversal (high), flatted unbounded recursion (high), ajv ReDoS (moderate), brace-expansion (moderate), @tootallnate/once, and more - most flagged "fix available via npm audit fix".

Fix for real per the no-masking-CI-debt directive: run npm audit fix (no --force without reviewing breaking bumps), verify typecheck/build/tests, and handle any advisories that need manual major bumps individually. Until this lands, Security Scanning stays red even after #1343.

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions