
Fix Dependabot alerts in car-sales-website sample#105

Merged: priyanshu92 merged 1 commit into main from priyanshu92-fix-dependabot-alerts on Jun 29, 2026

Conversation

@priyanshu92 (Contributor)

Why

The Angular car-sales-website sample had 5 open Dependabot alerts (2 high, 3 medium) from transitive dev dependencies. Although these packages only run during local development/build, leaving known CVEs unresolved keeps the alerts noisy and risks the sample shipping vulnerable code to anyone who clones it.

What changed

All five issues are transitive, so the fix is contained to the overrides block in samples/spa/angular/car-sales-website/package.json plus the regenerated lock file:

  • webpack-dev-server 5.2.4 -> 5.2.5 (HMR WebSocket interception via permissive proxies)
  • http-proxy-middleware -> 3.0.7 (CRLF field injection in fixRequestBody; host+path routing bypass) — covers alerts #464, #466, #467
  • piscina -> 5.2.0 (prototype pollution gadget to RCE) — alert #463

The single http-proxy-middleware 3.0.7 override forces all consumers, including webpack-dev-server, onto the patched 3.x line; npm dedupes it cleanly so there's no duplicate install.

Verification

  • Clean reinstall (removed node_modules + lock) so integrity hashes are computed by npm, not hand-edited
  • npm audit reports 0 vulnerabilities
  • ng build succeeds; only the pre-existing bundle-budget and missing-stylesheet warnings remain
  • Karma tests not run since they require a Chrome browser; build is the meaningful gate here

- Bumped webpack-dev-server override 5.2.4 -> 5.2.5 (HMR WebSocket interception)
- Added http-proxy-middleware 3.0.7 override (CRLF field injection + host routing bypass)
- Added piscina 5.2.0 override (prototype pollution -> RCE)
- npm audit: 0 vulnerabilities; ng build passes

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
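The description relies on two things a reviewer cannot see from the diff of `package.json` alone: that the `overrides` entries actually took effect for every consumer, and that npm left a single deduped copy of each overridden package in the regenerated lock file. The following is an added example, not code from this PR or from the car-sales-website sample, that checks exactly that against a lockfileVersion 3 `package-lock.json`. The `packageJson` and `staleLock` / `cleanLock` objects are constructed for the example and modelled on the overrides the PR lists (only the relevant fields are shown); the check compares exact version strings, since the PR pins exact versions, and skips npm's nested object-valued overrides.

```javascript
// Added example (not part of the PR or the sample): verify that every copy of an
// overridden transitive dependency recorded in package-lock.json is at the pinned
// version and that npm left exactly one install of it (no nested duplicates).
// All package.json / package-lock.json content below is constructed for this example.

// The overrides block as the PR describes it. A real package.json also carries
// dependencies, devDependencies and scripts; they are omitted here.
const packageJson = {
  name: "car-sales-website",
  overrides: {
    "webpack-dev-server": "5.2.5",
    "http-proxy-middleware": "3.0.7",
    "piscina": "5.2.0",
  },
};

// Constructed lock with a stale nested copy of http-proxy-middleware, the state a
// hand-edited or only partially regenerated lock could leave behind.
const staleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "car-sales-website" },
    "node_modules/webpack-dev-server": { version: "5.2.5" },
    "node_modules/http-proxy-middleware": { version: "3.0.7" },
    "node_modules/piscina": { version: "5.2.0" },
    "node_modules/webpack-dev-server/node_modules/http-proxy-middleware": { version: "2.0.9" },
  },
};

// Constructed lock after `rm -rf node_modules package-lock.json && npm install`:
// one copy of each overridden package, each at the pinned version.
const cleanLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "car-sales-website" },
    "node_modules/webpack-dev-server": { version: "5.2.5" },
    "node_modules/http-proxy-middleware": { version: "3.0.7" },
    "node_modules/piscina": { version: "5.2.0" },
  },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; the root entry "" yields null.
function packageNameFromLockPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// For each string-valued override: every installed copy found in the lock, the
// copies whose version differs from the pin, and whether more than one copy exists.
// Object-valued (nested) overrides, which npm also accepts, are skipped here.
function auditOverrides(pkg, lock) {
  const report = {};
  for (const [name, pinned] of Object.entries(pkg.overrides || {})) {
    if (typeof pinned !== "string") continue;
    report[name] = { pinned, installed: [], mismatched: [], duplicate: false };
  }
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromLockPath(lockPath);
    if (name === null || !(name in report)) continue;
    const rec = report[name];
    rec.installed.push({ path: lockPath, version: entry.version });
    if (entry.version !== rec.pinned) rec.mismatched.push({ path: lockPath, version: entry.version });
  }
  for (const rec of Object.values(report)) rec.duplicate = rec.installed.length > 1;
  return report;
}

// True only when every override is installed exactly once, at the pinned version.
function lockSatisfiesOverrides(report) {
  return Object.values(report).every(
    (r) => r.installed.length > 0 && r.mismatched.length === 0 && !r.duplicate
  );
}

// Runs stand-alone: prints the findings for both constructed locks.
for (const [label, lock] of [["stale", staleLock], ["clean", cleanLock]]) {
  const report = auditOverrides(packageJson, lock);
  console.log(`${label} lock satisfies overrides: ${lockSatisfiesOverrides(report)}`);
  for (const [name, rec] of Object.entries(report)) {
    for (const m of rec.mismatched) console.log(`  ${name}: ${m.path} is ${m.version}, pinned ${rec.pinned}`);
    if (rec.duplicate) console.log(`  ${name}: ${rec.installed.length} copies installed`);
  }
}
```

To run it against a real tree, replace the constructed objects with `JSON.parse(fs.readFileSync("package.json"))` and `JSON.parse(fs.readFileSync("package-lock.json"))` from the sample directory. The stale lock fails on the nested `http-proxy-middleware` 2.0.9 copy, which is the case `npm audit` would still report; the clean lock passes, matching the "no duplicate install" claim in the description. If an override is ever written as a range rather than an exact version, the exact-string comparison here needs to be replaced with a semver check.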
@priyanshu92 priyanshu92 enabled auto-merge (squash) June 29, 2026 07:01
@priyanshu92 priyanshu92 merged commit a8886e0 into main Jun 29, 2026
3 checks passed
@priyanshu92 priyanshu92 deleted the priyanshu92-fix-dependabot-alerts branch June 29, 2026 07:21