
chore: patch security vulnerabilities across JS and Rust apps#277

Open
Nick Robinson (nickrobinson) wants to merge 1 commit intomainfrom
claude/fervent-planck-lsv2l

Conversation

@nickrobinson (Collaborator)

Summary

Patches known security vulnerabilities across all JS apps and updates Rust dependency lockfile. All fixes are minor/patch version bumps — no major version changes or breaking API updates.

What was fixed

| Package | Advisory | Severity | Fix |
|---|---|---|---|
| postcss | GHSA-qx2v-qp2m-jg93 (XSS via `</style>` in CSS output) | Moderate | ^8.4.49 → ^8.5.14 (direct dep in javascript-web) |
| fast-xml-parser | GHSA-jp2q-39xq-3w4g, GHSA-gh4j-gqv2-49f6 | Moderate | 5.5.6 → 5.7.2 (overrides in react-native, react-native-expo) |
| @xmldom/xmldom | GHSA-2v35-w6hq-6mfw, GHSA-f6ww-3ggp-fr8h (DoS + XML injection) | High | Override → 0.9.10 in all JS apps |
| yaml | GHSA-48c2-rrv3-qjmp (stack overflow on deeply nested input) | Moderate | Override → 2.8.4 in all JS apps |
| semver | ReDoS | High | Override → 7.7.4 in all JS apps |
| tar | Hardlink path traversal | High | Override → 7.5.11 in javascript-web, react-native |
| postcss (transitive) | GHSA-qx2v-qp2m-jg93 | Moderate | Override → 8.5.14 in javascript-tui, react-native, react-native-expo |

rust-tui: cargo update applied latest compatible patch/minor crate versions (anyhow, clap, futures, tracing-subscriber, uuid, etc.).

All lockfiles regenerated: package-lock.json for npm apps, yarn.lock for react-native and react-native-expo.


MANUAL INTERVENTION REQUIRED

The following cannot be automatically patched:

1. lodash (HIGH) — GHSA-r5fr-rjxr-66jc, GHSA-f23m-r3pf-42rh

  • Affected apps: javascript-tui (via @expo/vector-icons → lodash.pick), react-native-expo
  • Range: all lodash 4.x (>=4.0.0 <=4.17.23). There is no safe 4.x release.
  • Tried: override to 4.18.1 in javascript-tui (pre-existing) — that version does not exist on npm.
  • Suggested fix: Wait for lodash 5.x stable release, or migrate away from packages that depend on lodash.pick (deprecated, unmaintained). The @expo/vector-icons team would need to update or replace it.

2. expo (CRITICAL) — Expo SDK OAuth vulnerability

  • Affected apps: javascript-web, javascript-tui (transitive via @dittolive/ditto → expo)
  • Cannot be fixed: The vulnerable expo version is bundled inside @dittolive/ditto@4.14.3's dependency tree. Requires a Ditto SDK update that ships with a patched expo version.
  • Suggested fix: Update @dittolive/ditto once a new release bundles a patched expo SDK.

3. uuid (Moderate) — GHSA-w5hq-g745-h8pq

  • Affected apps: All JS apps (transitive via @dittolive/ditto → @expo/config-plugins → xcode → uuid)
  • Fix requires: uuid >=14.0.0, which has not yet been released on npm (latest stable is 9.x).
  • Suggested fix: Track the uuid package for a 14.x release and add an override at that time.

Test plan

  • javascript-web: npm run build passes
  • javascript-tui: npm run build passes
  • react-native-expo: npm install resolves cleanly (verified locally)
  • react-native: npx yarn install resolves cleanly (verified locally)
  • rust-tui: cargo build passes with updated Cargo.lock

https://claude.ai/code/session_01QXDwqC7xi7k39vB6wrxfoa


Generated by Claude Code

JS apps (javascript-web, javascript-tui, react-native, react-native-expo):
- Bump postcss ^8.4.49 → ^8.5.14 in javascript-web (GHSA-qx2v-qp2m-jg93)
- Add/update overrides and resolutions to force safe transitive versions:
  - @xmldom/xmldom → 0.9.10 (GHSA-2v35-w6hq-6mfw, GHSA-f6ww-3ggp-fr8h)
  - fast-xml-parser → 5.7.2 (GHSA-jp2q-39xq-3w4g, GHSA-gh4j-gqv2-49f6)
  - yaml → 2.8.4 (GHSA-48c2-rrv3-qjmp)
  - semver → 7.7.4 (semver ReDoS)
  - tar → 7.5.11 (hardlink path traversal)
  - postcss → 8.5.14 in transitive overrides
- Regenerate all lockfiles (package-lock.json, yarn.lock)

Rust (rust-tui):
- Run cargo update to apply latest compatible patch/minor versions

Remaining issues requiring manual intervention:
- lodash 4.x (GHSA-r5fr-rjxr-66jc): no safe 4.x release; needs lodash 5+
- expo OAuth CRITICAL: embedded in @dittolive/ditto's expo transitive deps
- uuid moderate: fix requires uuid >=14.0.0 (not yet released)

https://claude.ai/code/session_01QXDwqC7xi7k39vB6wrxfoa
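The overrides and resolutions described above only help if every copy of a package in the installed tree, nested ones included, actually ends up at or above the pin. The following is an added example, not code from the PR or the repository: a small Node script that audits a lockfileVersion 2/3 package-lock.json against the pins from this PR and flags drift between the npm `overrides` and Yarn `resolutions` blocks of a package.json. The sample lockfile and package.json fragments are constructed; the version comparison ignores pre-release suffixes.

```javascript
// Added example (not from the PR): audit a lockfileVersion 2/3 package-lock.json against
// this PR's override pins and detect drift between npm "overrides" and Yarn "resolutions".
const PINS = { // minimum safe versions from the PR description; applies to every copy
  "@xmldom/xmldom": "0.9.10", yaml: "2.8.4", semver: "7.7.4",
  tar: "7.5.11", "fast-xml-parser": "5.7.2", postcss: "8.5.14",
};
// Numeric compare of dotted versions; pre-release suffixes are ignored (simplification).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// "node_modules/a/node_modules/@xmldom/xmldom" -> "@xmldom/xmldom" (last segment wins).
function nameFromPath(p) {
  const i = p.lastIndexOf("node_modules/");
  return i === -1 ? null : p.slice(i + "node_modules/".length);
}

// Lockfile entries, nested copies included, that still resolve below their pin.
function findUnpinned(lock, pins = PINS) {
  const bad = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = nameFromPath(path);
    if (name && pins[name] && entry.version && compareVersions(entry.version, pins[name]) < 0) {
      bad.push({ path, version: entry.version, required: pins[name] });
    }
  }
  return bad;
}
// Package names whose npm "overrides" and Yarn "resolutions" values differ.
function findDrift(pkg) {
  const o = pkg.overrides || {}, r = pkg.resolutions || {};
  return [...new Set([...Object.keys(o), ...Object.keys(r)])].filter((k) => o[k] !== r[k]);
}

// Constructed sample input: one nested fast-xml-parser copy the override did not reach,
// and a "resolutions" block still carrying the old 5.5.6 pin.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "node_modules/semver": { version: "7.7.4" },
  "node_modules/fast-xml-parser": { version: "5.7.2" },
  "node_modules/some-dep/node_modules/fast-xml-parser": { version: "5.5.6" },
} };
const SAMPLE_PKG = { overrides: { semver: "7.7.4", "fast-xml-parser": "5.7.2" },
                     resolutions: { semver: "7.7.4", "fast-xml-parser": "5.5.6" } };
console.log(findUnpinned(SAMPLE_LOCK), findDrift(SAMPLE_PKG));
```

To run it against a real app, replace the constructed objects with `JSON.parse(fs.readFileSync("package-lock.json"))` and the app's package.json; yarn.lock is a different format and is not parsed here.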
Copilot AI (Contributor) left a comment


Pull request overview

This PR aims to mitigate reported dependency vulnerabilities across the JavaScript example apps (via npm overrides / Yarn resolutions) and refreshes the Rust TUI app’s dependency lockfile via cargo update.

Changes:

  • Bump postcss in javascript-web and add cross-app pins for vulnerable transitive JS dependencies (@xmldom/xmldom, yaml, semver, tar, fast-xml-parser, and transitive postcss where relevant).
  • Update react-native / react-native-expo Yarn lockfiles to reflect new resolutions.
  • Update rust-tui/Cargo.lock to latest compatible crate versions.

Reviewed changes

Copilot reviewed 4 out of 10 changed files in this pull request and generated 1 comment.

| File | Description |
|---|---|
| rust-tui/Cargo.lock | Updates Rust dependency resolution via cargo update. |
| react-native/package.json | Adds/updates Yarn resolutions for vulnerable transitive deps. |
| react-native/yarn.lock | Regenerated to reflect updated resolutions (e.g., xmldom/yaml/semver/tar/postcss). |
| react-native-expo/package.json | Adds/updates resolutions (Yarn) and overrides (npm) pins for vulnerable deps. |
| react-native-expo/yarn.lock | Regenerated to reflect updated resolutions. |
| react-native-expo/package-lock.json | Updated npm lockfile content for the expo app. |
| javascript-web/package.json | Bumps postcss and adds npm overrides for vulnerable transitive deps. |
| javascript-tui/package.json | Adds npm overrides for vulnerable transitive deps (and currently includes an invalid lodash override). |
Files not reviewed (1)
  • react-native-expo/package-lock.json: Language not supported


Comment on lines 62 to +80
"resolutions": {
"tar": "7.5.11",
"undici": "6.24.1",
"flatted": "3.4.2",
"fast-xml-parser": "5.5.6"
"fast-xml-parser": "5.7.2",
"@xmldom/xmldom": "0.9.10",
"yaml": "2.8.4",
"postcss": "8.5.14",
"semver": "7.7.4"
},
"overrides": {
"tar": "7.5.11",
"undici": "6.24.1",
"flatted": "3.4.2",
"fast-xml-parser": "5.5.6"
"fast-xml-parser": "5.7.2",
"@xmldom/xmldom": "0.9.10",
"yaml": "2.8.4",
"postcss": "8.5.14",
"semver": "7.7.4"
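Review bot: the unscoped `"semver": "7.7.4"` pin in both `resolutions` and `overrides` replaces every copy of semver in the tree, including ones that transitive packages requested as an older major, and the test plan only checks that install and build succeed; before merging, confirm with `npm ls semver` / `yarn why semver` which dependents are being moved across a major version and exercise the app at runtime, since the same concern applies to the `tar` and `fast-xml-parser` pins. Separately, the two blocks are maintained by hand and must stay identical (this hunk is itself replacing a stale `"fast-xml-parser": "5.5.6"` in both), so a one-line note in the PR description or a CI check that the npm and Yarn pins match would prevent that drift recurring.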