fix(deps): remove 19 stale resolutions (audit 2026-05-18) #225

Open: mluena wants to merge 19 commits into develop from fix/deps/audit-2026-05-18


Conversation

mluena (Contributor) commented May 19, 2026

Summary

Override-hygiene pass per /vizz-core:fix-vulnerabilities guidelines §3. Removed 19 stale entries from root package.json resolutions that no longer affect audit outcomes — each as its own atomic commit, independently revertable.

Removed (19)

Scoped overrides (7) — parent's semver range now resolves to a patched transitive natively:

  • socks>ip-address (→ 10.2.0)
  • css-loader>postcss (→ 8.5.14)
  • sanitize-html>postcss (→ 8.5.14)
  • tailwindcss>postcss (→ 8.5.14)
  • axios>follow-redirects (→ 1.16.0)
  • http-proxy>follow-redirects (→ 1.16.0)
  • resolve-protobuf-schema>protocol-buffers-schema (→ 3.6.1)

Blanket overrides (7) — pin matched current latest, removal is a no-op or audit-safe:

  • lodash, lodash-es, node-forge, handlebars, braces, fast-uri, @babel/plugin-transform-modules-systemjs

Version-keyed (5) — audit no longer flags the targeted version, or natural semver picks patched:

  • semver@7.5.1, path-to-regexp@6.2.1, path-to-regexp@~0.1.12, brace-expansion@^2.0.1, ws@8.13.0

Kept (load-bearing)

  • @strapi/plugin-upload>sharp — blocked behind Strapi v5 migration
  • @stoplight/spectral-core>minimatch — parent pins minimatch: 3.1.2 exact
  • koa — Strapi v4 pins koa: 2.13.4 exact (vulnerable)
  • fast-xml-parser@aws-sdk/core pins 4.2.5 exact (ReDoS); removal regressed the tree, reverted in-session
  • findup-sync>micromatch, @orval/core>esbuild, esbuild-loader>esbuild — parent ranges still resolve to vulnerable transitives

Deferred — Strapi v4 → v5 migration

Two open advisories remain (both require Strapi major upgrade — explicit user approval required per guidelines §8, and migration is out of scope for a dep-audit PR):

| Pkg | Sev | Advisory |
| --- | --- | --- |
| @strapi/strapi | Critical | GHSA-rjg2-95x7-8qmx — sensitive data leak via relational filtering |
| @strapi/plugin-users-permissions | Moderate | GHSA-7mqx-wwh4-f9fw — rate-limit bypass via attacker-controlled email keying |

Track Strapi v5 migration separately (content-type schemas, document service API, cms/src/plugins/map-field/, third-party Strapi plugins, Node engine pin).

Test plan

  • yarn install succeeds; lockfile coherent
  • yarn npm audit -A in client/ → only the 2 deferred Strapi advisories
  • yarn npm audit -A in cms/ → only the 2 deferred Strapi advisories
  • uvx uv-secure in data-processing/ → 0 vulnerabilities (175 deps)
  • yarn test in client/ → 6 Playwright tests pass
  • yarn check-types in client/ → 35 errors, identical to develop baseline (pre-existing, not introduced here)
  • CI green
  • cms build sanity-check on review
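As an added example (not part of this PR or the project's code), the check the "Removed" and "Kept" lists above apply by hand: for each override, compute what the parent's own semver range would resolve to with no override and compare it with the pinned version. It supports exact, caret and tilde ranges only, and the override pins, parent ranges and registry snapshot are constructed sample data.

```javascript
// Added example (not part of this PR): decide whether a package.json
// "resolutions" entry still changes what the parent's own semver range
// resolves to. Supports exact, "^" and "~" ranges only; data is constructed.

const parse = (v) => v.replace(/^[\^~]/, "").split(".").map(Number);
const cmp = (a, b) => {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};
// Caret freezes the first non-zero component (^0.1.12 => >=0.1.12 <0.2.0),
// tilde freezes major.minor, a bare version is an exact pin.
function satisfies(version, range) {
  const base = range.replace(/^[\^~]/, "");
  if (cmp(version, base) < 0) return false;
  const v = parse(version), b = parse(base);
  if (range.startsWith("^")) {
    const lock = b[0] !== 0 ? 1 : b[1] !== 0 ? 2 : 3;
    return v.slice(0, lock).every((n, i) => n === b[i]);
  }
  if (range.startsWith("~")) return v[0] === b[0] && v[1] === b[1];
  return cmp(version, base) === 0;
}

// Highest published version the parent's range picks with no override.
const naturalPick = (range, published) =>
  published.filter((v) => satisfies(v, range)).sort(cmp).pop() || null;

// "stale": the parent already lands on >= the pinned version, drop it.
// "load-bearing": the range cannot reach the pin (e.g. an exact pin on a
// vulnerable version), so the override still does work. Keep it.
function classifyResolutions(resolutions, declaredRanges, published) {
  const report = {};
  for (const [key, pin] of Object.entries(resolutions)) {
    const pick = naturalPick(declaredRanges[key], published[key.split(">").pop()]);
    const stale = pick !== null && cmp(pick, pin) >= 0;
    report[key] = `${stale ? "stale" : "load-bearing"} (resolves to ${pick})`;
  }
  return report;
}

// Constructed sample: a redundant scoped override, and a blanket koa override
// that a parent's exact pin on a vulnerable version still makes necessary.
const resolutions = { "socks>ip-address": "10.0.1", koa: "2.15.0" };
const declaredRanges = { "socks>ip-address": "^10.0.1", koa: "2.13.4" };
const published = {
  "ip-address": ["9.0.5", "10.0.1", "10.1.0", "10.2.0"],
  koa: ["2.13.4", "2.14.2", "2.15.0"],
};
console.log(classifyResolutions(resolutions, declaredRanges, published));
```

In a real repo the parent ranges come from each dependent's package.json and the published list from the registry; an override classed as stale should still be removed in its own commit and re-audited, as the PR does.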

mluena added 19 commits May 19, 2026 06:01

socks@2.8.7 declares ip-address ^10.0.1, which now naturally resolves to 10.2.0 (patched). The scoped resolution is redundant.

css-loader@6.11.0 declares postcss ^8.4.33, which now resolves to 8.5.14 (patched). The scoped resolution is redundant.

sanitize-html@2.10.0 declares postcss ^8.3.11, which now resolves to 8.5.14 (patched). The scoped resolution is redundant.

tailwindcss@3.3.2 declares postcss ^8.4.23, which now resolves to 8.5.14 (patched). The scoped resolution is redundant.

axios@1.16.0 declares follow-redirects ^1.16.0, which resolves to the patched 1.16.0 (current latest). The scoped resolution is redundant.

follow-redirects naturally resolves to the patched 1.16.0 (latest) via dedup with axios's narrower ^1.16.0 constraint. The scoped http-proxy override is redundant.

…ma override

resolve-protobuf-schema@2.1.0 declares protocol-buffers-schema ^3.3.1, which now resolves to the patched 3.6.1. The scoped resolution is redundant.

Audit stays clean: parents pulling lodash@4.17.x now resolve naturally (4.17.21 and 4.17.23 are not vulnerable), and ranges `^4.17.x` pick the current latest 4.18.1. The blanket override is redundant.

Audit stays clean: lodash-es resolves naturally to current latest (4.18.1) via parents' semver ranges. The blanket override is redundant.

Audit stays clean: node-forge resolves naturally to current latest (1.4.0) via parents' semver ranges. The blanket override is redundant.

Audit stays clean: handlebars resolves naturally to current latest (4.7.9) via parents' semver ranges. The blanket override is redundant.

Audit stays clean: braces resolves naturally to current latest (3.0.3) via parents' semver ranges. The blanket override is redundant.

Audit stays clean: fast-uri resolves naturally to current latest (3.1.2) via parents' semver ranges. The blanket override is redundant.

…lution

Audit stays clean: the plugin resolves naturally to current latest (7.29.4) via parents' semver ranges. The blanket override is redundant.

Audit no longer flags semver@7.5.1 (transitive via Strapi v4). The version-keyed override is redundant under current advisory data.

Audit no longer flags path-to-regexp@6.2.1 (transitive via Strapi v4). The version-keyed override is redundant under current advisory data.

path-to-regexp resolves naturally to 0.1.13 (patched) via the parent's ~0.1.12 range. The version-keyed override is redundant.

brace-expansion now resolves to 2.1.0 (patched) via the ^2.0.1 range in the maintenance-v2 line. The version-keyed override is redundant.

Audit no longer flags ws@8.13.0 (transitive via Strapi v4). The version-keyed override is redundant under current advisory data.
vercel bot commented May 19, 2026

The latest updates on your projects.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| esa-client | Ready | Preview, Comment | May 19, 2026 9:49am |
