fix: patch moderate/high security vulnerabilities in JS/TS apps#272
Open
Nick Robinson (nickrobinson) wants to merge 1 commit intomainfrom
Open
fix: patch moderate/high security vulnerabilities in JS/TS apps#272Nick Robinson (nickrobinson) wants to merge 1 commit intomainfrom
Nick Robinson (nickrobinson) wants to merge 1 commit intomainfrom
Conversation
Adds npm overrides (and yarn resolutions for react-native-expo) to force safe transitive dependency versions across javascript-tui, javascript-web, and react-native-expo. Packages patched: - @xmldom/xmldom 0.8.11 → 0.8.13 (GHSA-2v35-w6hq-6mfw, GHSA-f6ww-3ggp-fr8h, GHSA-x6wf-f3px-wcqx, GHSA-j759-j44w-7fr8, GHSA-wh4c-j3r5-mjhp — HIGH) - brace-expansion 1.1.12/2.0.2 → 1.1.14 (GHSA-f886-m6hf-6m8v — moderate) - uuid 7.0.3 → 14.0.0 (GHSA-w5hq-g745-h8pq — moderate) - postcss 8.5.8 → 8.5.12 (GHSA-qx2v-qp2m-jg93 — moderate, javascript-web direct dep) - yaml 2.8.2 → 2.8.3 (GHSA-48c2-rrv3-qjmp — moderate, javascript-web) - fast-xml-parser 5.5.6 → 5.7.2 (GHSA-jp2q-39xq-3w4g, GHSA-gh4j-gqv2-49f6 — moderate, react-native-expo) - lodash 4.17.23 → 4.18.1 (GHSA-r5fr-rjxr-66jc, GHSA-f23m-r3pf-42rh — high/moderate, react-native-expo) Residual (not fixable via minor/patch bumps): - postcss@8.4.49 bundled inside @dittolive/ditto tarball — unreachable by npm overrides - jest-expo test-dep chain (@tootallnate/once) — requires major jest-expo version change https://claude.ai/code/session_011cdL3SUj4mqfkMSk26HwQR
Nick Robinson (nickrobinson)
requested a review
from Kristopher Johnson (kristopherjohnson)
as a code owner
Copilot started reviewing on behalf of
Nick Robinson (nickrobinson)
April 27, 2026 18:53
View session
Contributor
There was a problem hiding this comment.
Pull request overview
This PR aims to remediate moderate/high severity npm audit findings across multiple JS/TS apps by pinning vulnerable transitive dependencies to known-safe versions via npm overrides (and Yarn resolutions for the Expo app).
Changes:
- Add/expand dependency pinning for vulnerable transitive packages (e.g.,
@xmldom/xmldom,postcss,yaml,fast-xml-parser,uuid,lodash) usingoverrides/resolutions. - Regenerate lockfiles (
package-lock.json,yarn.lock) to reflect updated dependency graphs.
Reviewed changes
Copilot reviewed 3 out of 7 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| react-native-expo/package.json | Adds Yarn resolutions + npm overrides to force patched transitive versions. |
| react-native-expo/yarn.lock | Updates Yarn lock to reflect new resolutions and upgraded transitive packages. |
| react-native-expo/package-lock.json | Updates npm lockfile to reflect overrides and patched transitive versions. |
| javascript-web/package.json | Bumps postcss and adds additional npm overrides for vulnerable transitives. |
| javascript-web/package-lock.json | Updates npm lockfile with dependency tree changes from the upgrade work. |
| javascript-tui/package.json | Adds/expands npm overrides to pin patched transitive versions. |
Files not reviewed (2)
- javascript-web/package-lock.json: Language not supported
- react-native-expo/package-lock.json: Language not supported
Comments suppressed due to low confidence (1)
react-native-expo/package-lock.json:1995
@expo/clidepends onminimatch@9.0.9, which declaresbrace-expansion: ^2.0.2, but the lockfile installsbrace-expansion@1.1.14under that minimatch subtree. That mismatch (different major than required) can break minimatch/globbing behavior. Please ensure the override/resolution pinsbrace-expansionto a patched version within the2.xline forminimatch@9(and avoid globally forcing1.x).
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
37
to
+42
| "overrides": { | ||
| "flatted": "3.4.2" | ||
| "flatted": "3.4.2", | ||
| "@xmldom/xmldom": "0.8.13", | ||
| "brace-expansion": "1.1.14", | ||
| "yaml": "2.8.3", | ||
| "uuid": "14.0.0" |
There was a problem hiding this comment.
overrides.uuid is set to 14.0.0, but package-lock.json still resolves uuid to 7.0.3 (see node_modules/uuid in the lockfile). That means the intended security fix for uuid isn’t actually being applied for this app. Please regenerate the lockfile so the override takes effect, or add a direct dependency on the desired uuid version if overrides can’t affect this part of the tree.
Comment on lines
+2503
to
+2517
| "version": "1.0.2", | ||
| "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz", | ||
| "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==", | ||
| "license": "MIT", | ||
| "peer": true | ||
| }, | ||
| "node_modules/@dittolive/ditto/node_modules/minimatch/node_modules/brace-expansion": { | ||
| "version": "1.1.14", | ||
| "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.14.tgz", | ||
| "integrity": "sha512-MWPGfDxnyzKU7rNOW9SP/c50vi3xrmrua/+6hfPbCS2ABNWfx24vPidzvC7krjU/RTo235sV776ymlsMtGKj8g==", | ||
| "license": "MIT", | ||
| "peer": true, | ||
| "dependencies": { | ||
| "balanced-match": "^1.0.0", | ||
| "concat-map": "0.0.1" |
There was a problem hiding this comment.
This brace-expansion@1.1.14 is being installed under @dittolive/ditto’s minimatch@10.2.4 subtree, but minimatch@10.x declares brace-expansion: ^5.0.2. Forcing a different major breaks the declared dependency contract and can cause glob/brace matching failures at runtime. Please adjust the override strategy so minimatch@10 gets a compatible brace-expansion@5.x (and only force patched versions within the majors actually required by each subtree).
Suggested change
| "version": "1.0.2", | |
| "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz", | |
| "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==", | |
| "license": "MIT", | |
| "peer": true | |
| }, | |
| "node_modules/@dittolive/ditto/node_modules/minimatch/node_modules/brace-expansion": { | |
| "version": "1.1.14", | |
| "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.14.tgz", | |
| "integrity": "sha512-MWPGfDxnyzKU7rNOW9SP/c50vi3xrmrua/+6hfPbCS2ABNWfx24vPidzvC7krjU/RTo235sV776ymlsMtGKj8g==", | |
| "license": "MIT", | |
| "peer": true, | |
| "dependencies": { | |
| "balanced-match": "^1.0.0", | |
| "concat-map": "0.0.1" | |
| "version": "3.0.1", | |
| "license": "MIT", | |
| "peer": true | |
| }, | |
| "node_modules/@dittolive/ditto/node_modules/minimatch/node_modules/brace-expansion": { | |
| "version": "5.0.2", | |
| "license": "MIT", | |
| "peer": true, | |
| "dependencies": { | |
| "balanced-match": "^3.0.0" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds npm
overrides(and yarnresolutionsfor react-native-expo) to force safe transitive dependency versions across three JS/TS apps. All moderate and high severity vulnerabilities are resolved; residual issues are documented below.Packages patched
@xmldom/xmldomlodash_.template), GHSA-f23m-r3pf-42rh (prototype pollution) — react-native-expobrace-expansionuuidpostcss</style>) — javascript-web direct depyamlfast-xml-parserAffected apps
MANUAL INTERVENTION REQUIRED
postcss@8.4.49inside@dittolive/dittotarball@dittolive/ditto@4.14.3ships with a pre-bundlednode_modules/directory that includespostcss@8.4.49(vulnerable to GHSA-qx2v-qp2m-jg93). Because it is physically bundled in the tarball rather than declared as a dependency, npm overrides cannot reach it. Fix: wait for a new@dittolive/dittorelease that bundlespostcss>=8.5.10, then update the@dittolive/dittoversion.jest-expotest-dep chain (react-native-expo)5 low-severity issues remain via
jest-expo > jest-environment-jsdom > jsdom > http-proxy-agent > @tootallnate/once(GHSA-vpq2-c234-7xj6). The only npm-suggested fix is downgradingjest-expoto47.0.1(older than the current53.0.9), which is incorrect. Fix: wait for ajest-exporelease that updates itsjsdom/http-proxy-agentsub-dependencies.Test plan
cd javascript-tui && npm audit→ 0 vulnerabilitiescd javascript-web && npm audit→ 0 vulnerabilitiescd react-native-expo && npm audit→ 5 low onlycd react-native-expo && npx yarn audit→ 1 low onlycd react-native && npm audit→ 0 vulnerabilitieshttps://claude.ai/code/session_011cdL3SUj4mqfkMSk26HwQR
Generated by Claude Code