chore: resolve non-breaking client security advisories#34
Conversation
Clear the client advisories that have fixes not requiring a major build-chain migration by pinning vulnerable transitive packages: - serialize-javascript ^7.0.5 (HIGH: RCE/XSS in terser/copy-webpack-plugin output serialization) - tar ^7.5.16 (HIGH: path traversal / arbitrary file write in build caching via cacache) Reduces client advisories 65 -> 60 (HIGH 17 -> 12). Build passes and the dependency tree gains no new invalid peers. The remaining advisories are all dev-only build tooling (webpack 4, webpack-dev-server 3, jest 26, stylelint 13) that don't ship in the production bundle; clearing them requires a major build-chain migration (webpack 5 / jest 30 / stylelint 17), out of scope here to keep the app building and tests green. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
![dobby-coder[bot]](https://avatars.githubusercontent.com/in/3365457?s=60&v=4){kind=small}
There was a problem hiding this comment.
Two stylistic concerns on the overrides pinning — both are non-blocking but worth a look before merge:
serialize-javascriptis pinned higher than the advisory requires;^6.0.0would clear it with a looser engine constraint.tarjumps a major version across cacache; please confirm runtime caching paths were exercised (not justnpm run build), or prefer a 6.x release if one covers the advisory.
Approach (overrides over --force) is sound given the legacy webpack 4 / jest 26 baseline; production runtime impact looks nil.
| "overrides": { | ||
| "trim": "^1.0.1" | ||
| "trim": "^1.0.1", | ||
| "serialize-javascript": "^7.0.5", |
There was a problem hiding this comment.
serialize-javascript@^7.0.5 is more aggressive than the advisory requires. GHSA-76p7-773f-r4q5 (the relevant RCE/XSS advisory) is fixed in serialize-javascript@>=6.0.0. Pinning to ^7.0.5 adds an engines: node>=20 constraint with no extra security benefit; ^6.0.0 would clear the advisory with a smaller blast radius and looser engine requirements. The production Dockerfile uses node:lts-alpine so the bump works today, but the override has no security upside over v6.
| "trim": "^1.0.1" | ||
| "trim": "^1.0.1", | ||
| "serialize-javascript": "^7.0.5", | ||
| "tar": "^7.5.16" |
There was a problem hiding this comment.
tar@^7.5.16 is a major version bump across the only consumer here — cacache@15 declares tar@^6.0.2. tar v7 ships meaningful API/behavior changes from v6 (engines bumped to node>=18, dependency overhaul, new minipass major). Build passing does not guarantee that cacache's runtime caching paths still behave correctly under tar v7. If a 6.x release covers the advisory (e.g. ^6.2.1), prefer that; if v7 is required, please confirm cacache's caching paths were smoke-tested, not just npm run build.
1 participant
Summary
Clears the client security advisories that have fixes not requiring a major build-chain migration, by pinning two vulnerable transitive packages via
overrides:serialize-javascript^7.0.5 — HIGH: RCE/XSS in terser-webpack-plugin / copy-webpack-plugin output serializationtar^7.5.16 — HIGH: path traversal / arbitrary file write in build caching (viacacache)Impact
npm run buildpassesnpm audit fixis a no-op here: every remaining fixable leaf is pinned by a parent (jest 26 / css-loader 4 / webpack 4), so npm can't upgrade in place without--force(which pulls webpack 5 / wds 5).overridesis the only lever that works without the major migration.Out of scope
The remaining 60 advisories are all dev-only build tooling (webpack 4, webpack-dev-server 3, jest 26, stylelint 13) that don't ship in the production bundle. Clearing them requires a major build-chain migration (webpack 5 / jest 30 / stylelint 17), kept out of this PR to keep the app building and tests green.
One remaining advisory does ship (
@amsterdam/arm-core→uuid, moderate) but is non-exploitable here (the advisory needs abufargument; arm-core callsuuid()with none) and can't be overridden without breaking arm-core's use of the removed uuid v3 default-export API — it needs an arm-core upgrade.🤖 Generated with Claude Code