
fix(deps): patch additional Dependabot vulnerabilities (follow-up to #24369)#24371

Closed
pranav-new-relic wants to merge 2 commits into develop from fix-dependabot-vulns-followup-2026-06-10

Conversation

@pranav-new-relic

Member

Summary

Follow-up to #24369. This PR patches an additional 25 Dependabot alerts that #24369 had to skip because yarn 1.x classic resolutions cannot selectively upgrade transitive deps in multi-branch trees.

⚠️ Do not merge until #24369 is in develop. This branch is built on top of it; rebase if #24369 changes shape.

Two new mechanisms were introduced:

  1. patch-package for security patches that need to apply to a specific package version without bumping it (used here for path-to-regexp 0.1.12 → backporting the 0.1.13 fix).
  2. scripts/security-postinstall.js — a small idempotent script that runs after patch-package and overlays vulnerable nested copies of a package with the safe hoisted top-level copy (used here for minimatch 3.0.4). Self-repairing on every install.

All open Dependabot alerts →

✅ Fixed — High

| Alert | Package | Advisory | Method | Patched to |
|---|---|---|---|---|
| #83 | minimatch | CVE-2022-3517 | postinstall overlay | 3.1.2 (was 3.0.4 in recursive-readdir/graphql-config) |
| #197 | multer | CVE-2025-47935 | resolution ^2.1.1 | 2.1.1 |
| #198 | multer | CVE-2025-47944 | resolution ^2.1.1 | 2.1.1 |
| #200 | multer | CVE-2025-48997 | resolution ^2.1.1 | 2.1.1 |
| #203 | multer | CVE-2025-7338 | resolution ^2.1.1 | 2.1.1 |
| #265 | multer | CVE-2026-2359 | resolution ^2.1.1 | 2.1.1 |
| #266 | multer | CVE-2026-3304 | resolution ^2.1.1 | 2.1.1 |
| #271 | multer | CVE-2026-3520 | resolution ^2.1.1 | 2.1.1 |
| #278 | undici | CVE-2026-1526 | resolution ^6.24.0 | 6.26.0 |
| #279 | undici | CVE-2026-2229 | resolution ^6.24.0 | 6.26.0 |
| #297 | path-to-regexp | CVE-2026-4867 | patch-package backport | 0.1.12 + ReDoS fix |
| #336 | js-cookie | CVE-2026-46625 | resolution ^3.0.7 | 3.0.7 |

✅ Fixed — Medium

| Alert | Package | Advisory | Method | Patched to |
|---|---|---|---|---|
| #129 | postcss | CVE-2023-44270 | resolution ^8.5.10 | 8.5.10 |
| #195 | esbuild | GHSA-67mh-4wv8-2f99 | resolution ^0.25.0 | 0.25.12 |
| #218 | katex | CVE-2024-28245 | resolution ^0.16.21 | 0.16.25 |
| #219 | katex | CVE-2024-28246 | resolution ^0.16.21 | 0.16.25 |
| #220 | katex | CVE-2025-23207 | resolution ^0.16.21 | 0.16.25 |
| #245 | katex | CVE-2024-28243 | resolution ^0.16.21 | 0.16.25 |
| #277 | undici | CVE-2026-1525 | resolution ^6.24.0 | 6.26.0 |
| #280 | undici | CVE-2026-1527 | resolution ^6.24.0 | 6.26.0 |
| #287 | yaml | CVE-2026-33532 | resolution ^2.8.3 | 2.8.3 |
| #290 | yaml | CVE-2026-33532 | resolution ^2.8.3 | 2.8.3 |
| #314 | postcss | CVE-2026-41305 | resolution ^8.5.10 | 8.5.10 |
| #325 | ip-address | CVE-2026-42338 | resolution ^10.1.1 | 10.1.1 |

🔄 Will auto-close on next rescan (a side-effect of the resolutions above)

| Alert | Sev | Package | Why it auto-closes |
|---|---|---|---|
| #230 | medium | mdast-util-to-hast | Already fixed in #24369's lockfile — yarn picked 13.2.1 for ^13.0.0 consumers. This PR didn't need to do anything; included here for completeness |
| #238 | medium | undici | Vulnerable range >=7.0.0; we now have only 6.x after the resolution |

⏭ Tried but reverted

These were investigated and abandoned. Each row documents why so the next attempt doesn't repeat the experiment.

| Package | Why reverted |
|---|---|
| ajv ^8.18.0 | @eslint/eslintrc/lib/shared/ajv.js instantiates AJV with the v6 keyword API. Forcing 8.x crashes yarn lint with "ajv-keywords" loader errors |
| nth-check ^2.0.1 | nth-check 2.x exposes { compile, parse, default } instead of a callable default export. Three transitive consumers (gatsby-transformer-yaml/unist-util-select, rehype-add-classes/hast-util-select, static-site-generator-webpack-plugin/css-select) do require('nth-check')(formula) and would crash |
| file-type ^21.3.1 | 21.x is ESM-only and gatsby-core-utils/dist/fetch-remote-file.js does require('file-type'). ERR_PACKAGE_PATH_NOT_EXPORTED |
| sharp ^0.32.6 (resolution) | yarn 1 can't override peer-dep range conflicts: gatsby-plugin-sharp@4.25.1 peers ^0.30.7 which 0.32.x doesn't satisfy. yarn keeps the 0.30.7 nested copies untouched. Would need patch-package on each gatsby plugin's package.json to widen the range — too invasive for a security patch |
| sharp ^0.32.6 (direct dep) | Same root cause — only the top-level (unused-by-gatsby) copy moves to 0.32.6; gatsby plugins keep nested 0.30.7 |
| gatsby-transformer-remark ^6.3.2 | Major-version bump (5 → 6) tied to Gatsby v5 — outside the scope of a security PR |
| Selective scoped resolutions like recursive-readdir/minimatch: ^3.1.2 | yarn 1 classic supports the syntax in docs but only applies it when the parent is a direct dep of this project. recursive-readdir is transitive, so yarn silently adds a phantom resolution entry without overriding the original |

⏭ Still skipped — needs cross-cutting work

| Alert | Sev | Package | Reason / what unblocks it |
|---|---|---|---|
| #3, #4, #139, #147, #210 | high/medium | sanitize-html | Pinned to 1.27.5 by gatsby-transformer-remark@5.24.0. Patch only in 2.x. Unblocked by upgrading gatsby-transformer-remark (which itself wants Gatsby v5) |
| #100 | high | gatsby-transformer-remark | Major bump 5 → 6 is tied to Gatsby v5 migration |
| #114 | medium | gatsby-plugin-sharp | Same — major bump tied to Gatsby v5 |
| #132 | high | sharp | See "Tried but reverted" — needs gatsby-plugin-sharp peer-range widened first |
| #137 | medium | axios | Pinned to 0.21.4 by Gatsby's runtime. Bump to 1.x risks Gatsby plugin breakage; revisit after Gatsby v5 migration |
| #136 | high | lodash.pick | Likely false positive — Dependabot lists patch 4.17.19, but max published lodash.pick is 4.4.0. CVE applies to lodash (already fixed) |
| #152 | medium | vue-template-compiler | Vue 2 EOL; transitive and unused. Resolved by removing the offending dep chain |
| #111 | medium | request | Deprecated; no upstream patch. Resolved by removing dep chain |
| #236 | low | aws-sdk | v2 has no fix; needs migration to AWS SDK v3 (separate effort) |
| #225, #226 | medium | js-yaml | We use js-yaml@^3.14.0 directly via safeLoad. 4.x removed safeLoad. Migrating our scripts off safeLoad would unblock |
| #253, #254 | medium | ajv | See "Tried but reverted" — @eslint/eslintrc blocks |
| #24 | high | nth-check | See "Tried but reverted" — three CJS consumers blocking |
| #275 | medium | file-type | See "Tried but reverted" — gatsby-core-utils CJS require blocks |

Test plan

  • Fresh rm -rf node_modules && yarn install succeeds; postinstall runs cleanly
  • yarn lint (1 pre-existing react-hooks warning)
  • yarn test:cjs — 24/24 suites
  • Direct ESM tests — 82/82 in scripts/actions/__esm-tests__
  • yarn verify-mdx on subset (src/install)
  • Module-load smoke tests for multer, undici, esbuild, ip-address, js-cookie
  • sharp PNG processing smoke test (still on 0.30.7 in this PR — unchanged from fix(deps): patch 34 Dependabot vulnerabilities via resolutions #24369)
  • CI: run tests, run verify, run linter, run validation
  • Preview deploy build (this is the most important — exercises gatsby + multer + undici + esbuild paths not covered by our test suite)
  • Spot-check live preview: search, MDX rendering, KaTeX math blocks, feedback modal cookies

Adds yarn resolutions to force patched versions of transitive
dependencies flagged by Dependabot. Closes ~34 alerts including:

- shell-quote (CVE-2026-9277, CRITICAL)
- form-data (CVE-2025-7783, CRITICAL)
- @babel/plugin-transform-modules-systemjs, basic-ftp, engine.io,
  fast-uri, fast-xml-parser, follow-redirects, on-headers, semver,
  svgo, tough-cookie, trim, webpack, xml2js, ws,
  serialize-javascript, qs (HIGH/MEDIUM)
- @tootallnate/once, brace-expansion, cookie, cross-spawn, dottie,
  lodash, node-forge, tmp (MEDIUM/LOW)

Direct dep bumps:
- simple-git 3.32.3 -> 3.36.0 (dev)
- sequelize 6.21.3 -> 6.37.8 (runtime)

Skipped packages requiring major-version bumps (multer 1->2,
undici 5->6, file-type 16->21, sanitize-html 1->2, esbuild 0.15->0.25,
js-cookie 2->3, ip-address 9->10, gatsby-transformer-remark 5->6,
uuid 9->12, sharp 0.30->0.32) and packages with multi-branch trees
that yarn 1.x classic cannot selectively resolve (minimatch 3.x/9.x,
nth-check 1.x/2.x, postcss 7.x/8.x, katex 0.13/0.16, js-yaml 3.x/4.x,
path-to-regexp 0.1/6, yaml 1.x/2.x, ajv 6.x/8.x).

Also skipped mdast-util-to-hast: a global ^13.2.1 resolution broke
@mdx-js/mdx@2.0.0-next.8 (CJS) which require()s mdast-util-to-hast
(ESM-only since v12), causing ERR_REQUIRE_ESM in verify-mdx and
test:esm. The CJS/ESM split across versions 9/10 vs 12/13 is
unfixable without selective per-version resolution.

Verified: yarn install, yarn lint, yarn test:cjs (24/24 suites pass),
direct ESM tests (82/82 pass).

Builds on #24369. Adds patch-package + a security-postinstall script
plus more global yarn resolutions. Closes 25+ additional Dependabot
alerts that #24369 had to skip due to yarn 1.x classic limitations.

New mechanisms:
- patches/path-to-regexp+0.1.12.patch — backports the 0.1.13 ReDoS
  fix to the 0.1.x branch (express still pins 0.1.12 exact, so a
  resolution can't reach it) — closes alert #297
- scripts/security-postinstall.js — overlays vulnerable nested
  copies of minimatch (recursive-readdir, graphql-config) with the
  hoisted safe top-level — closes alert #83

New global resolutions:
- katex ^0.16.21    -> closes #218 #219 #220 #245 (medium)
- yaml ^2.8.3       -> closes #287 #290 (medium)
- postcss ^8.5.10   -> closes #129 #314 (medium)
- js-cookie ^3.0.7  -> closes #336 (high)
- multer ^2.1.1     -> closes #197 #198 #200 #203 #265 #266 #271 (high)
- undici ^6.24.0    -> closes #277 #278 #279 #280 (high/medium)
- ip-address ^10.1.1 -> closes #325 (medium)
- esbuild ^0.25.0   -> closes #195 (medium)

Tried but reverted:
- ajv ^8.18.0     -> @eslint/eslintrc requires AJV 6 API
- nth-check ^2.0.1 -> 1.x consumers do require('nth-check')() which
  fails in 2.x (default export is now namespaced)
- file-type ^21.3.1 -> ESM-only, breaks gatsby-core-utils CJS
  require
- sharp ^0.32.6 (resolution) -> gatsby-plugin-sharp peers ^0.30.7
  which 0.32.x doesn't satisfy; yarn 1 can't override peer ranges

Verified: yarn install (clean and post-rm), yarn lint, yarn test:cjs
(24/24), direct ESM tests (82/82), verify-mdx subset, sharp + multer
+ undici + esbuild module-load smoke tests, sharp PNG processing.
@github-actions


Hi @pranav-new-relic 👋

Thanks for your pull request! Your PR is in a queue, and a writer will take a look soon. We generally publish small edits within one business day, and larger edits within three days.

Please ensure the proposed changes look good by building them first in your local environment. Refer to this contribution guide to get the site up and running locally.

If you really require a preview url, reach out to one of the writers and they will generate one for you.

@github-actions github-actions Bot added the eng issues related to site functionality that requires engineering label Jun 10, 2026
@pranav-new-relic

Member Author

Closing — too risky to land as-is.

The mechanisms here (a custom postinstall script that overlays nested node_modules directories, plus aggressive global resolutions that force major-version bumps on transitive deps like multer 1→2, undici 5→6, postcss 7→8, yaml 1→2) all pass our test suites, but our test suites don't exercise the gatsby build/runtime paths where these libraries actually run. The ones I'm specifically uneasy about:

  • scripts/security-postinstall.js — overlaying nested package copies after install is non-standard, brittle, and a footgun for future contributors who won't know it exists.
  • multer 2.x — gatsby's internal dev-server middleware uses it; module loads fine but actual file-upload behavior at runtime is untested.
  • undici 6.x — used by node-fetch chain and @actions/*; major-version bump.
  • postcss 8.x and yaml 2.x — forcing all consumers (including 7.x and 1.x) to a new major.
  • patch-package for path-to-regexp — works, but adds a maintenance burden.

The tradeoff (~25 more alerts closed vs. the chance of breaking gatsby develop / production build / preview deploys in subtle ways) doesn't feel right. Tests passing isn't enough confidence here.

Plan: merge #24369 first (which is already conservative and CI-clean), let things settle, then come back to the remaining alerts with a different strategy — likely scoped to specific packages with paired runtime verification, or as part of the Gatsby v5 / AWS SDK v3 migration work where the upstream deps move forward naturally.
