
chore(deps): pin patched transitive npm deps (Vanta high/medium remediation)#7557

Merged: santicomp2014 merged 1 commit into main from vuln-remediation/npm-transitive-bumps on Jul 1, 2026

Conversation

@santicomp2014 (Contributor)

What

Force patched versions of transitively-pinned npm dependencies via Yarn Berry (3.6.0) resolutions, plus one direct dev-dep bump. Diff is limited to package.json + yarn.lock.

Why (the transitive-pin trap)

These packages are flagged by Vanta (high/medium) but we don't declare them directly — they're pulled in transitively, so a normal yarn up can't touch them. Yarn Berry matches each resolutions descriptor exactly, so multi-major packages need one entry per vulnerable descriptor range that appears in the lockfile. After each install the lockfile was re-checked and resolutions added until no flagged package resolved below its patched target.

Versions (resolved >= patched target)

| Package | Before | After |
| --- | --- | --- |
| tar | 6.2.1 / 7.4.3 | 7.5.16 |
| serialize-javascript | 6.0.2 | 7.0.5 |
| lodash | 4.17.21 | 4.18.0 |
| lodash-es | 4.17.21 | 4.18.0 |
| minimatch (v3) | 3.1.2 | 3.1.4 |
| minimatch (v9) | 9.0.5 | 9.0.7 |
| minimatch (v10) | 10.0.1 / 10.0.3 | 10.2.3 |
| picomatch (v2) | 2.3.1 | 2.3.2 |
| picomatch (v4) | 4.0.2 / 4.0.3 | 4.0.4 |
| brace-expansion (v1) | 1.1.11 | 1.1.13 |
| brace-expansion (v2) | 2.0.1 | 2.0.3 |
| preact (direct dev dep) | ^10.4.0 → 10.28.0 | ^10.28.2 → 10.29.3 |

Out of scope (no patched target defined, left untouched): minimatch v5 (5.1.6), brace-expansion v5 (5.0.6/5.0.7).

⚠️ MAJOR-bump CI caveat

tar and serialize-javascript are MAJOR v6 → v7 jumps. They are build/dev tooling only (not shipped to the browser bundle), but the major bump can shift APIs — this PR is a draft pending CI validation (build + tests) before it should be considered for merge.


Draft. Do not merge until CI is green.

🤖 Generated with Claude Code
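The "transitive-pin trap" in the description (Yarn Berry `resolutions` match descriptors exactly, so each vulnerable descriptor range in the lockfile needs its own entry, and the lockfile has to be re-checked after every install) is the kind of check that is easy to get wrong by hand. The following is an added example, not code from this PR or the project: a small checker that parses a Yarn Berry `yarn.lock`, reports every descriptor of a flagged package that still resolves below its patched target, and emits the `resolutions` block that would force it. The lockfile text, the target table (a subset of the PR's table, with minimatch v5 deliberately given no target to mirror the "out of scope" note) and the `name@range` key form emitted for `resolutions` are assumptions made for the example.

```javascript
// Added example (not from the PR): a minimal checker for the transitive-pin trap.
// Parses a Yarn Berry (v2+) yarn.lock, finds every descriptor of a flagged
// package that still resolves below its patched target, and builds the
// `resolutions` entries needed to force the fix. Sample lockfile is constructed.
'use strict';

// Constructed sample in Yarn Berry lockfile format (abridged to the fields used).
const SAMPLE_LOCK = `
"tar@npm:^6.1.11, tar@npm:^6.2.1":
  version: 6.2.1
  resolution: "tar@npm:6.2.1"

"tar@npm:^7.4.3":
  version: 7.4.3
  resolution: "tar@npm:7.4.3"

"minimatch@npm:^3.0.4, minimatch@npm:^3.1.1":
  version: 3.1.2
  resolution: "minimatch@npm:3.1.2"

"minimatch@npm:^5.1.0":
  version: 5.1.6
  resolution: "minimatch@npm:5.1.6"

"minimatch@npm:^9.0.4":
  version: 9.0.7
  resolution: "minimatch@npm:9.0.7"
`;

// Patched targets, keyed by package (assumed subset of the PR's table).
// `major: null` = one target for every major line (tar goes v6 -> v7);
// a numeric major pins that line only, so a major with no rule (minimatch v5)
// is left untouched, matching the PR's "out of scope" note.
const TARGETS = {
  tar: [{ major: null, target: '7.5.16' }],
  minimatch: [
    { major: 3, target: '3.1.4' },
    { major: 9, target: '9.0.7' },
    { major: 10, target: '10.2.3' },
  ],
};

// Parse top-level entries: an unindented line ending in ':' lists one or more
// descriptors ("name@npm:range, name@npm:range"); the indented `version:` line
// that follows gives the version they all resolved to.
function parseBerryLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split('\n')) {
    if (!raw.trim()) continue;
    if (!/^\s/.test(raw) && raw.endsWith(':')) {
      const key = raw.slice(0, -1).replace(/^"|"$/g, '');
      current = { descriptors: key.split(',').map((d) => d.trim()), version: null };
      entries.push(current);
    } else if (current) {
      const m = raw.match(/^\s+version:\s*"?([^"\s]+)"?/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Compare x.y.z strings numerically; prerelease/build tags are ignored here.
function compareSemver(a, b) {
  const pa = a.split(/[-+]/)[0].split('.').map(Number);
  const pb = b.split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Split "name@npm:^6.2.1" (scoped names allowed) into { name, range }.
function splitDescriptor(desc) {
  const at = desc.indexOf('@', 1);
  if (at < 0) return { name: desc, range: '' };
  return { name: desc.slice(0, at), range: desc.slice(at + 1).replace(/^npm:/, '') };
}

// Every descriptor whose resolved version is below its patched target,
// with the resolutions key (assumed `name@range` form) that would force it.
function findUnpatched(lockText, targets) {
  const findings = [];
  for (const entry of parseBerryLock(lockText)) {
    if (!entry.version) continue;
    for (const desc of entry.descriptors) {
      const { name, range } = splitDescriptor(desc);
      const rules = targets[name];
      if (!rules) continue;
      const major = Number(entry.version.split('.')[0]);
      const rule = rules.find((r) => r.major === null || r.major === major);
      if (!rule) continue; // no patched target defined for this major line
      if (compareSemver(entry.version, rule.target) < 0) {
        findings.push({ descriptor: `${name}@${range}`, resolved: entry.version, target: rule.target });
      }
    }
  }
  return findings;
}

// Build the `resolutions` object for package.json from the findings.
function buildResolutions(findings) {
  const out = {};
  for (const f of findings) out[f.descriptor] = f.target;
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  const findings = findUnpatched(SAMPLE_LOCK, TARGETS);
  for (const f of findings) console.log(`${f.descriptor} resolves to ${f.resolved} < ${f.target}`);
  console.log(JSON.stringify({ resolutions: buildResolutions(findings) }, null, 2));
}
```

Run it once after each `yarn install`; an empty findings list is the "no flagged package resolves below its patched target" condition the description refers to. Note that it reports three separate `tar` descriptors (`^6.1.11`, `^6.2.1`, `^7.4.3`), which is exactly why a single resolutions entry is not enough for a multi-major package, and that `minimatch@^5.1.0` is silently skipped because no target is defined for that line.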

@codecov (Bot) commented Jun 30, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 99.62%. Comparing base (6307520) to head (da63e5a).

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #7557   +/-   ##
=======================================
  Coverage   99.62%   99.62%           
=======================================
  Files         285      285           
  Lines       11971    11971           
  Branches     2920     2920           
=======================================
  Hits        11926    11926           
  Misses         45       45           


…emediation)

Rebuilt on current main. Adds undici 6.27.0 and @tootallnate/once 2.0.1 to
close Low-board gaps, and fixes the preact pin (was targeting a non-existent
^10.18.1 descriptor; the vulnerable copy was ^10.4.0 -> 10.28.0) by forcing
all preact to 10.28.2. Verified no vulnerable version resolves.

Note: @sigstore/core (dev-only) intentionally left — its only fix requires a
cross-major force on the npm-publish signing chain; better handled upstream.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@santicomp2014 santicomp2014 force-pushed the vuln-remediation/npm-transitive-bumps branch from b49536d to da63e5a on July 1, 2026 16:14
@santicomp2014 santicomp2014 marked this pull request as ready for review July 1, 2026 16:18
@santicomp2014 santicomp2014 merged commit 9bbcf25 into main Jul 1, 2026
3 checks passed
@santicomp2014 santicomp2014 deleted the vuln-remediation/npm-transitive-bumps branch July 1, 2026 16:24
santicomp2014 pushed a commit that referenced this pull request Jul 1, 2026
The fast-xml-parser 5.7.0 resolution added in #7557 broke the client Release
pipeline at 'Deploy to S3': @aws-sdk's XML response parser (fast-xml-parser
5.7.0) rejects the '&#xD;' entity in S3's XML reply ([EntityReplacer] Invalid
character '#' in entity name: '#xD'). Deploy isn't in PR CI, so it passed
review and only failed post-merge on main.

fast-xml-parser here is deploy-tooling only (@aws-sdk in scripts/deploy-to-s3.js),
not shipped. Its CVEs are in the XMLBuilder (write path, unused by @aws-sdk) or
need untrusted XML input (@aws-sdk parses trusted S3 responses) -> LOW and not
reachable. Reverting to the @aws-sdk-compatible 5.2.5 restores the working
deploy; the proper long-term fix is bumping @aws-sdk itself.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
santicomp2014 pushed a commit that referenced this pull request Jul 1, 2026
Reverts the resolutions block to restore the last-known-good build output.
#7557's build-tool pins (serialize-javascript v6->v7 etc.) changed the
generated inline bootstrap script's bytes, so its sha256 no longer matched
the CSP script-src hash allowlist the backend serves -> browser blocked the
inline script -> broken client in production (CSP violation).

Restores package.json + yarn.lock to 6307520 (pre-#7557). Security pins will
be re-applied carefully, excluding the ones that alter build output / CSP hash.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>