
chore(deps): resolve dependency security vulnerabilities#100

Merged

alexpota merged 1 commit into main from fix/dependency-security-updates-20260509 on May 9, 2026

Conversation

alexpota (Owner) commented May 9, 2026

Summary

Consolidated fix for 4 open Dependabot PRs, resolving 7 CVEs across npm and GitHub Actions dependencies:

| Package | Version | CVE(s) | Severity | Fix Method |
|---|---|---|---|---|
| protobufjs | 7.5.4 → 7.5.7 | CVE-2026-41242 | Critical (9.8) | npm audit fix (semver range allowed it) |
| vite | 7.2.4 → 7.3.3 | CVE-2026-39363 / 39364 / 39365 | High (8.2) | npm audit fix (peer dep of vitest) |
| fast-uri | 3.1.0 → 3.1.2 | CVE-2026-6321 / 6322 | High (7.5) | Override in package.json |
| github/codeql-action | 4.35.1 → 4.35.2 | None (routine patch) | N/A | SHA pin update |

Changes

  • package.json: Added "fast-uri": ">=3.1.2" to overrides (follows existing pattern)
  • package-lock.json: Regenerated via npm install + npm audit fix
  • audit-ci.json: Added GHSA-v2v4-37r5-5v8g (ip-address XSS, bundled in npm, unfixable)
  • .github/workflows/scorecard.yml: Updated codeql-action SHA pin
  • .github/workflows/security.yml: Updated codeql-action SHA pins (init + analyze)

Risk Assessment

  • protobufjs: Transitive dev dep via @valkey/valkey-glide. Used for internal protocol handling with trusted schemas. Zero runtime exposure.
  • vite: Transitive dev dep (peer of vitest). Dev server vulns only. This library ships zero runtime deps.
  • fast-uri: Transitive dev dep via commitlint→ajv. Used for config validation only.
  • codeql-action: CI infrastructure. No code impact.

Verification

  • npm audit: All target CVEs resolved (3 remaining are bundled in npm itself, already allowlisted)
  • npm run build: Pass (ESM + CJS + DTS)
  • npm test: 412/412 tests pass

Dependabot PRs

Closes #95, closes #97, closes #98, closes #99

- Add fast-uri >=3.1.2 override to fix CVE-2026-6321 and CVE-2026-6322
  (path traversal and host confusion in URI parsing)
- Bump github/codeql-action from 4.35.1 to 4.35.2 (SHA pin update)
- Run npm audit fix to resolve protobufjs CVE-2026-41242 (CVSS 9.8,
  arbitrary code execution via unsanitized type names) and vite
  CVE-2026-39363/39364/39365 (dev server file read/path traversal)
- Add GHSA-v2v4-37r5-5v8g to audit-ci allowlist (ip-address XSS,
  bundled in npm, unfixable at project level)

All target vulnerabilities resolved. Remaining 3 audit findings are
bundled inside npm itself and already allowlisted.

Closes #95, closes #97, closes #98, closes #99
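Two checks that a reviewer of a PR like this one could run against the artifacts it touches, added here as an example and not part of this PR or of the project's own tooling. The first confirms that every installed copy of an overridden package in package-lock.json satisfies the package.json override (an override only takes effect once the lock is regenerated, and nested copies under other packages are easy to miss); the second flags `uses:` references in workflow YAML that are not pinned to a full 40-hex commit SHA. The lockfile and workflow fragments are constructed sample data, the version comparator handles only the plain and `>=` specs this PR uses, and the function names are my own.

```javascript
// Added example, not the project's code. Sample inputs below are constructed.

// Minimal "MAJOR.MINOR.PATCH" comparison: -1, 0 or 1 for a < b, a == b, a > b.
// Pre-release tags and build metadata are deliberately not handled (assumption).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Does an installed version satisfy an override spec? Supports the two forms
// seen in this repo's overrides: ">=X.Y.Z" and an exact "X.Y.Z".
function satisfies(version, spec) {
  const s = spec.trim();
  if (s.startsWith('>=')) return compareVersions(version, s.slice(2).trim()) >= 0;
  return compareVersions(version, s) === 0;
}

// Walks the lockfile v2/v3 "packages" map and reports every installed copy of
// an overridden package (top-level or nested) whose version misses the override.
function findOverrideViolations(lock, overrides) {
  const violations = [];
  const marker = 'node_modules/';
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    if (path === '') continue; // the root project entry has no package name
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    const spec = overrides[name];
    if (spec && entry.version && !satisfies(entry.version, spec)) {
      violations.push({ path, version: entry.version, spec });
    }
  }
  return violations;
}

// Scans workflow YAML text for `uses:` refs not pinned to a 40-hex commit SHA.
// Tags and branches can move after a review; a commit SHA cannot.
function findUnpinnedActions(yamlText) {
  const unpinned = [];
  for (const line of yamlText.split('\n')) {
    const m = line.match(/^\s*-?\s*uses:\s*([^\s#]+)/);
    if (!m) continue;
    const ref = m[1];
    // Local actions and docker images carry no upstream SHA to pin.
    if (ref.startsWith('./') || ref.startsWith('docker://')) continue;
    const at = ref.lastIndexOf('@');
    const sha = at === -1 ? '' : ref.slice(at + 1);
    if (!/^[0-9a-f]{40}$/.test(sha)) unpinned.push(ref);
  }
  return unpinned;
}

// Constructed lockfile fragment: the top-level fast-uri is fixed, but a copy
// nested under ajv is still on the vulnerable 3.1.0.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example', version: '0.0.0' },
    'node_modules/fast-uri': { version: '3.1.2' },
    'node_modules/ajv/node_modules/fast-uri': { version: '3.1.0' },
    'node_modules/protobufjs': { version: '7.5.7' },
  },
};
const sampleOverrides = { 'fast-uri': '>=3.1.2' };

// Constructed workflow fragment; the SHA below is a placeholder, not a real commit.
const PLACEHOLDER_SHA = '0123456789abcdef0123456789abcdef01234567';
const sampleWorkflow = [
  'steps:',
  `  - uses: actions/checkout@${PLACEHOLDER_SHA} # v4`,
  `  - uses: github/codeql-action/analyze@${PLACEHOLDER_SHA} # v4.35.2`,
  '  - uses: github/codeql-action/init@v4',
  '  - uses: ./.github/actions/local-step',
].join('\n');

function runChecks() {
  return {
    overrideViolations: findOverrideViolations(sampleLock, sampleOverrides),
    unpinnedActions: findUnpinnedActions(sampleWorkflow),
  };
}

console.log(JSON.stringify(runChecks(), null, 2));
```

Run with `node check-deps.js` (any filename); an empty `overrideViolations` list and an empty `unpinnedActions` list together mean the lock honours the overrides and every third-party action is SHA-pinned. For real lockfiles, swap the constructed objects for `JSON.parse(fs.readFileSync('package-lock.json'))` and the workflow text for the contents of each file under `.github/workflows/`.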
codecov-commenter commented

⚠️ Please install the Codecov app to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.


@alexpota alexpota merged commit 9420775 into main May 9, 2026
15 checks passed
@alexpota alexpota deleted the fix/dependency-security-updates-20260509 branch May 9, 2026 16:36