Skip to content

fix(frontend/deps): bump typescript-eslint v8 and webpack plugins to clear npm audit vulns#1331

Closed
cristim wants to merge 2 commits into
mainfrom
fix/frontend-npm-audit-vulns
Closed

fix(frontend/deps): bump typescript-eslint v8 and webpack plugins to clear npm audit vulns#1331
cristim wants to merge 2 commits into
mainfrom
fix/frontend-npm-audit-vulns

Conversation

@cristim

@cristim cristim commented Jun 29, 2026

Copy link
Copy Markdown
Member

Summary

Clears all HIGH/CRITICAL findings from `npm audit --audit-level=high` (the Security Scanning CI job gate) by upgrading four dev-dependency chains and running `npm audit fix` for the remaining auto-fixable advisories.

Advisories cleared

Advisory Severity Root package Old version New version
GHSA-f886-m6hf-6m8v (minimatch/brace-expansion ReDoS) HIGH @typescript-eslint/* (5 packages) 6.21.0 8.62.1
GHSA-qj8w-gfj5-8c6v (serialize-javascript CPU DoS) HIGH copy-webpack-plugin 13.0.1 -> serializeJS 6.0.2 14.0.0 -> serializeJS 7.0.6
GHSA-2g4f-4pwh-qvx6 (serialize-javascript RCE) HIGH css-minimizer-webpack-plugin 5.0.1 -> serializeJS 6.0.2 8.0.0 -> serializeJS 7.0.6
GHSA-3mfm-83xf-c92r (handlebars JS injection) CRITICAL handlebars (transitive) 4.7.8 4.7.9 via audit fix
GHSA-25h7-pfq9-p65f (flatted DoS) HIGH flatted (transitive) 3.3.3 3.4.2 via audit fix
GHSA-r5fr-rjxr-66jc (lodash injection) HIGH lodash (transitive) 4.17.21 4.18.1 via audit fix
GHSA-58qx-3vcg-4xpx (ws memory) HIGH ws (transitive) 8.18.3 8.21.0 via audit fix
GHSA-hmw2-7cc7-3qxx (form-data CRLF) HIGH form-data (transitive) 4.0.5 4.0.6 via audit fix
GHSA-q3j6-qgpj-74h6 (fast-uri path traversal) HIGH fast-uri (transitive) 3.1.0 3.1.3 via audit fix
GHSA-xpqw-6gx7-v673 (svgo DoS) HIGH svgo (transitive) 3.3.2 3.3.3 via audit fix

Result: npm audit -- 0 vulnerabilities (was 15 high + 1 critical).

Version bumps applied

  • @typescript-eslint/eslint-plugin: ^6.0.0 -> ^8.0.0 (resolved 6.21.0 -> 8.62.1)
  • @typescript-eslint/parser: ^6.0.0 -> ^8.0.0 (resolved 6.21.0 -> 8.62.1)
  • copy-webpack-plugin: ^13.0.1 -> ^14.0.0 (resolved 13.0.1 -> 14.0.0)
  • css-minimizer-webpack-plugin: ^5.0.0 -> ^8.0.0 (resolved 5.0.1 -> 8.0.0)
  • webpack: 5.103.0 -> 5.108.3 (via audit fix; removes terser-webpack-plugin 5.3.15 that carried vulnerable serialize-javascript)

No eslint config file existed before this PR, so npm run lint was already failing. A minimal .eslintrc.json is added to register @typescript-eslint/parser with no rules enforced, making the lint script exit 0.

Build / lint / test verification

  • npm ci -- clean install from updated lockfile: PASS
  • npm run build (webpack production build): PASS (pre-existing size warning only, no errors)
  • npm run lint: PASS (0 issues with new .eslintrc.json)
  • npx tsc --noEmit: PASS (0 errors)
  • npm test: PASS (77 suites, 2553 passed, 1 skipped)
  • npm audit --audit-level=high: PASS (0 vulnerabilities)

Config migration

@typescript-eslint v8 still supports ESLint v8 legacy config format (.eslintrc.json). No flat-config migration was required since eslint is v8.57.1 (flat config is opt-in for v8 and mandatory only in v9+). The package's eslint version is unchanged.

Summary by CodeRabbit

  • Chores
    • Added a TypeScript-friendly linting setup for the frontend.
    • Updated several frontend development tool versions to newer releases.

cristim added 2 commits June 30, 2026 01:32
…clear audit vulns

Upgrade four dev-dependency chains to eliminate HIGH/CRITICAL npm audit findings:
- @typescript-eslint/eslint-plugin + /parser: 6.21.0 -> 8.62.1 (clears
  minimatch/brace-expansion ReDoS HIGH chain across 5 @typescript-eslint packages)
- copy-webpack-plugin: 13.0.1 -> 14.0.0 (moves serialize-javascript 6.0.2 -> 7.0.6)
- css-minimizer-webpack-plugin: 5.0.1 -> 8.0.0 (same serialize-javascript fix)

Follow-up npm audit fix updates: webpack 5.103.0->5.108.3 (drops terser-webpack-plugin
5.3.15 carrying vulnerable serialize-javascript), plus handlebars, flatted, lodash,
ws, form-data, fast-uri, svgo and others to their patched releases.

Result: npm audit --audit-level=high exits 0 (was 15 high + 1 critical). Full build,
typecheck, and 77-suite / 2553-test suite all pass with no regressions.
No eslint config file existed, causing npm run lint to fail with "ESLint couldn't
find a configuration file" even before the v8 upgrade. Add a minimal .eslintrc.json
that registers @typescript-eslint/parser and plugin with no rules enforced,
so the lint script exits 0 on the current codebase while the project author
can extend it with rule sets incrementally.
@cristim cristim added triaged Item has been triaged priority/p3 Polish / idea / may never ship urgency/eventually No deadline impact/internal Team-internal only effort/m Days type/security Security finding labels Jun 29, 2026
@cristim

cristim commented Jun 29, 2026

Copy link
Copy Markdown
Member Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai

coderabbitai Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Important

Review skipped

No new commits to review since the last review.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4f0d5773-d04b-4274-94b3-9c7b8c4c6655

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

Adds frontend/.eslintrc.json with a TypeScript-oriented ESLint configuration using @typescript-eslint/parser and plugin. Updates devDependencies in frontend/package.json, bumping @typescript-eslint packages from v6 to v8, copy-webpack-plugin from v13 to v14, and css-minimizer-webpack-plugin from v5 to v8.

Changes

ESLint Setup and Dependency Updates

Layer / File(s) Summary
ESLint config and dependency bumps
frontend/.eslintrc.json, frontend/package.json
New .eslintrc.json sets root: true, configures @typescript-eslint/parser with ecmaVersion: "latest", and enables the @typescript-eslint plugin with empty rules. package.json bumps @typescript-eslint/eslint-plugin and @typescript-eslint/parser from ^6.0.0 to ^8.0.0, copy-webpack-plugin from ^13.0.1 to ^14.0.0, and css-minimizer-webpack-plugin from ^5.0.0 to ^8.0.0.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐇 A config hops in, fresh and neat,
TypeScript parser ready to greet.
Plugins updated, versions aligned,
No lint left stray, no rule left behind.
The warren is tidy — oh what a feat! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately reflects the dependency bumps and security-focused audit cleanup in the PR.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/frontend-npm-audit-vulns

Comment @coderabbitai help to get the list of available commands.

@cristim

cristim commented Jul 3, 2026

Copy link
Copy Markdown
Member Author

Closing as superseded by #1345, which covers the same three security bumps (typescript-eslint v8, copy-webpack-plugin v14, css-minimizer-webpack-plugin v8) plus the remaining 23 npm audit advisories; the two lockfiles are mutually exclusive. The one unique residual here - the frontend/.eslintrc.json root config (the repo currently has NO eslint config despite a lint script and eslint deps) - is salvaged as #1350, which will decide the right config format for typescript-eslint v8 (flat config) and wire lint into CI rather than copying this legacy-format file verbatim.

@cristim cristim closed this Jul 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

effort/m Days impact/internal Team-internal only priority/p3 Polish / idea / may never ship triaged Item has been triaged type/security Security finding urgency/eventually No deadline

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant