fix(deps): set engines.node to >=20.19.0 and clear prod audit high/criticals#5631
Open
DavertMik wants to merge 1 commit into
…iticals

The 4.x dependency set already requires Node 20.19+ at runtime (chokidar@5 declares `engines.node >= 20.19.0`, commander/glob require >=20), but package.json still advertised `node: >=16.0` — so Node 16-18 users got a clean install and then broke inside dependencies. Raise the floor to match what CI actually tests, and sync the documented minimum.

Audit hygiene (npm audit --omit=dev, no --force):
- multer ^2.0.2 -> ^2.1.1 (out of the <=2.1.0 advisory range; only consumer is a comment in lib/test-server.js)
- uuid 11.1.0 -> 11.1.1 (patch, clears the buffer-bounds advisory)
- tmp override 0.2.5 -> 0.2.6 (advisory wants <0.2.6 gone)
- npm audit fix (within ranges) for the rest

Result: prod npm audit goes from 38 vulnerabilities (2 critical, 16 high) to 3 (0 critical, 1 high). The remaining 3 all route through mocha@11.7.5's pinned transitive deps (diff@7.0.0 via `^7.0.0`, serialize-javascript@6.0.2 via `^6.0.2`); the patched versions cross mocha's declared ranges and npm's only offered fix is `--force` to mocha@11.3.0 (a breaking change), deferred as a deliberate major-bump decision. They are DoS-class issues in a test runner's diff/serialization, low exploitability in normal use.

Docs: state Node 20.19+ in migration-4.md and mcp.md.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
What
Two pre-GA dependency-hygiene fixes for 4.x.
1. Correct the Node engines floor
`package.json` advertised `node: >=16.0`, but the 4.x dependency set already requires Node 20.19+ at runtime:
- chokidar@5 → `engines.node >= 20.19.0`
- commander@15 / glob@11 → `>=20`

A user on Node 16–18 got a clean `npm install` (warning only) and then broke inside dependencies at runtime — the worst version error, during an RC when early adopters are exactly who's installing. `>=20.19.0` matches what CI already tests (Node 26.x / 20.x).

Docs updated to state Node 20.19+ (`docs/migration-4.md`, `docs/mcp.md`).

2. Clear high/critical production audit findings (no `--force`)

`npm audit --omit=dev`:

Changes (all within-range / patch / override — no `--force`, no direct-dep major bump):
- multer `^2.0.2` → `^2.1.1` (out of the `<=2.1.0` advisory; the only consumer is a comment in `lib/test-server.js`)
- uuid `11.1.0` → `11.1.1` (patch; clears the buffer-bounds advisory)
- tmp override `0.2.5` → `0.2.6` (advisory wants `<0.2.6` gone)
- `npm audit fix` (within existing ranges) for the rest

Remaining 3 findings — justified (no non-breaking fix)

All route through `mocha@11.7.5`'s pinned transitive deps:
- `diff@7.0.0` (mocha pins `^7.0.0`) — jsdiff DoS; patched in 8.0.3+/9 (crosses mocha's major range)
- `serialize-javascript@6.0.2` (mocha pins `^6.0.2`) — patched in 7.0.5 (crosses mocha's major range)

`mocha@11.7.5` is already the latest mocha; npm's only offered fix is `--force` to `mocha@11.3.0` (a breaking change), which is a deliberate major-bump decision deferred per the plan. These are DoS-class issues in a test runner's diff/serialization of test output — low exploitability in CodeceptJS's usage.

Verification
- `npm run test:unit` → 727 passed, 0 failed, 11 skipped
- `npm run test:runner` → 273 passed, 0 failed, 2 skipped
- `npm run lint` → clean
- `npm run test:rest` → 38 passed, 1 failed — `JSONResponse … parse JSON responses` hits the local mock server at `:3001/api/comments/1`, which returns 404 in this sandbox (the mock only serves `/api/users`). Environmental/local infra, not caused by these dependency changes (a 404 from a mock server is independent of multer/uuid/tmp); passes in CI's REST environment.

Notes for reviewers
- `package-lock.json` is gitignored in this repo, so it is not part of the diff; the fixes propagate via the `package.json` ranges/overrides on fresh install.
- No `lib/` / `bin/` source changed. The `package.json` diff is only version bumps + engines + the `tmp` override.

🤖 Generated with Claude Code