fix(ci): clear high/critical audit advisories#11
Merged
Conversation
CI (`pnpm audit --audit-level high`) was red on every commit. Remediate the 2 critical + 32 high advisories at the root:

Direct upgrades:
- nodemailer 6 -> 7 (addressparser DoS; standard createTransport/sendMail usage is unchanged)
- vitest 2 -> 3 (UI server arbitrary file read/exec, critical)
- vite -> ^6.4.3 (server.fs.deny bypass), react-router-dom -> ^7.14.2

pnpm.overrides pin patched transitive versions:
- axios ^1.15.2 (the existing override still allowed the vulnerable range), fast-uri, fast-xml-builder, form-data, handlebars, protobufjs, react-router, vite, ws.

Documented exception (pnpm.auditConfig.ignoreGhsas) for three esbuild advisories only: GHSA-67mh-4wv8-2f99 (dev-server requests), GHSA-g7r4-m6w7-qqqr (Windows dev-server file read), GHSA-gv7w-rqvm-qjhr (Deno binary integrity). The only patched line (esbuild >=0.28.1) is incompatible with Vite 6's build target, and all three are dev-server / Deno / Windows-only — they don't affect the production build output or the Linux Cloud Run service.

Verified: `pnpm audit --audit-level high` exits 0 (0 high/critical), build/typecheck/lint pass for all packages, 525 tests pass.

Co-Authored-By: Claude Opus 4.8 <[email protected]>
CI (`pnpm audit --audit-level high`) has been red on every commit (2 critical + 32 high). This remediates them at the root.

Direct upgrades
- nodemailer 6 → 7 (addressparser DoS) — usage is plain createTransport().sendMail(), unchanged
- vitest 2 → 3 (critical: UI server arbitrary file read/exec)
- vite → ^6.4.3 (server.fs.deny bypass), react-router-dom → ^7.14.2

pnpm.overrides pin patched transitive versions: axios ^1.15.2 (the old override still allowed the vulnerable range), fast-uri, fast-xml-builder, form-data, handlebars, protobufjs, react-router, vite, ws.

Documented exception (pnpm.auditConfig.ignoreGhsas) for three esbuild advisories only — GHSA-67mh-4wv8-2f99 (dev-server requests), GHSA-g7r4-m6w7-qqqr (Windows dev-server file read), GHSA-gv7w-rqvm-qjhr (Deno binary integrity). The only patched line (esbuild ≥0.28.1) is incompatible with Vite 6's build target, and all three are dev-server / Deno / Windows-only — none affect the production build output or the Linux Cloud Run service.

Verified locally: `pnpm audit --audit-level high` exits 0 (0 high/critical); build, typecheck, lint pass for API/Admin/Auth; 525 tests pass.

🤖 Generated with Claude Code
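The `ignoreGhsas` exception above rests on a claim that has to stay true as the dependency tree changes: every path to the vulnerable esbuild starts at a devDependency, so nothing it affects ships to Cloud Run. The script below is an added example (not code from this PR or the project) of how to re-check that claim in CI from `pnpm audit --json`. It assumes the npm-audit v1 style report shape pnpm emits (advisories keyed by id, each carrying `github_advisory_id`, `module_name` and `findings[].paths`, with a path written like `vitest>vite>esbuild` or `. > vite@6.4.3 > esbuild@0.25.0`); the `package.json` object and the report are constructed samples, the function names are my own, and version numbers not stated in the PR are placeholders.

```javascript
// Added example, not the project's code. Re-validates the pnpm.auditConfig.ignoreGhsas
// exception: an ignored advisory is acceptable only if every dependency path that reaches
// the vulnerable module starts at a devDependency. Report shape assumed to mirror
// `pnpm audit --json` (npm-audit v1 style); both objects below are constructed samples.

const pkg = {
  dependencies: {
    nodemailer: "^7.0.0",          // PR bumps 6 -> 7; exact patch version is a placeholder
    "react-router-dom": "^7.14.2", // from the PR
  },
  devDependencies: {
    vite: "^6.4.3",                // from the PR
    vitest: "^3.0.0",              // PR bumps 2 -> 3; exact patch version is a placeholder
  },
  pnpm: {
    overrides: {
      axios: "^1.15.2",            // from the PR
      vite: "^6.4.3",              // from the PR; other transitive pins omitted (versions not on the page)
    },
    auditConfig: {
      ignoreGhsas: [
        "GHSA-67mh-4wv8-2f99", // esbuild: dev-server requests
        "GHSA-g7r4-m6w7-qqqr", // esbuild: Windows dev-server file read
        "GHSA-gv7w-rqvm-qjhr", // esbuild: Deno binary integrity
      ],
    },
  },
};

// Constructed stand-in for `pnpm audit --json`; only the fields the checker reads are present.
const report = {
  advisories: {
    "1": { github_advisory_id: "GHSA-67mh-4wv8-2f99", module_name: "esbuild",
           findings: [{ paths: ["vite>esbuild", "vitest>vite>esbuild"] }] },
    "2": { github_advisory_id: "GHSA-g7r4-m6w7-qqqr", module_name: "esbuild",
           findings: [{ paths: [". > vite@6.4.3 > esbuild@0.25.0"] }] },
    "3": { github_advisory_id: "GHSA-gv7w-rqvm-qjhr", module_name: "esbuild",
           findings: [{ paths: ["vitest>vite>esbuild"] }] },
  },
};

// First segment of an audit path: ignores a leading "." root, surrounding whitespace and an
// "@version" suffix, while keeping the "@" of a scoped package name.
function topLevelDep(path) {
  const segs = path.split(">").map((s) => s.trim()).filter((s) => s && s !== ".");
  const first = segs[0] ?? "";
  const at = first.lastIndexOf("@");
  return at > 0 ? first.slice(0, at) : first;
}

// For every ignored GHSA the report still lists, record the direct dependencies that reach it
// and whether all of them are devDependencies. A root that is not a declared devDependency is
// treated as production (conservative: unknown roots are assumed to ship). Also returns ignore
// entries that no longer match any reported advisory, so stale exceptions get removed.
function reviewIgnoredAdvisories(pkgJson, auditReport) {
  const ignored = new Set(pkgJson.pnpm?.auditConfig?.ignoreGhsas ?? []);
  const dev = new Set(Object.keys(pkgJson.devDependencies ?? {}));
  const seen = new Set();
  const rows = [];
  for (const adv of Object.values(auditReport.advisories ?? {})) {
    const ghsa = adv.github_advisory_id;
    if (!ignored.has(ghsa)) continue;
    seen.add(ghsa);
    const roots = [...new Set(adv.findings.flatMap((f) => f.paths).map(topLevelDep))];
    const prodRoots = roots.filter((r) => !dev.has(r));
    rows.push({ ghsa, module: adv.module_name, roots, prodRoots, devOnly: prodRoots.length === 0 });
  }
  const stale = [...ignored].filter((g) => !seen.has(g));
  return { rows, stale };
}

// CI gate: true only if every ignored advisory is dev-only and the allow-list has no stale entries.
function exceptionStillJustified(pkgJson, auditReport) {
  const { rows, stale } = reviewIgnoredAdvisories(pkgJson, auditReport);
  return rows.every((r) => r.devOnly) && stale.length === 0;
}

const review = reviewIgnoredAdvisories(pkg, report);
for (const r of review.rows) {
  console.log(`${r.ghsa} (${r.module}) roots=${r.roots.join(",")} devOnly=${r.devOnly}`);
}
if (review.stale.length) console.log(`stale ignoreGhsas entries: ${review.stale.join(", ")}`);
console.log(`exception justified: ${exceptionStillJustified(pkg, report)}`);
```

Wire it in after `pnpm audit --audit-level high` by piping `pnpm audit --json` into the checker and failing the job when it returns false. The two failure modes worth catching are the ones the PR's reasoning does not guard against on its own: a later change that moves `vite` into runtime `dependencies` (for example for SSR), which makes the ignored esbuild advisories reachable from production and should fail the gate, and an upgrade that finally clears an advisory, which should surface the now-stale GHSA so the exception list shrinks instead of silently accumulating.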