Skip to content

fix(deps): resolve 3 Dependabot alerts by dropping vestigial phantomjs deps#1361

Merged
phil-davis merged 1 commit into
masterfrom
fix/dependabot-alerts
Jul 9, 2026
Merged

fix(deps): resolve 3 Dependabot alerts by dropping vestigial phantomjs deps#1361
phil-davis merged 1 commit into
masterfrom
fix/dependabot-alerts

Conversation

@DeepDiver1975

Copy link
Copy Markdown
Member

Addresses all 15 open Dependabot alerts, in three buckets.

✅ Fixed — 3 alerts

The karma suite runs on Firefox (tests/js/config/karma.js, gulpfile.js). karma-phantomjs-launcher and phantomjs-prebuilt were referenced nowhere except package.json — dead dev deps. phantomjs-prebuilt was the sole path pulling in the vulnerable request → tough-cookie / uuid chain. Removing both eliminates those transitive packages from the tree entirely.

Alert Package Was Now Advisory
#58 request 2.88.2 removed SSRF (deprecated pkg, no upstream fix)
#64 tough-cookie 2.5.0 removed Prototype pollution (needs ≥ 4.1.3)
#129 uuid 3.4.0 removed Missing buffer bounds check (needs ≥ 11.1.1)

⚠️ No fix available — 12 alerts (bucket 2)

These have no in-tree remediation and are not dismissed:

Test plan

  • yarn install --frozen-lockfile — clean (lockfile consistent).
  • yarn build (gulp: jslint + build + minify) — ✅ green.
  • Test suite runs on Firefox inside an ownCloud core checkout (CI: enable-xvfb-display-server). The removed packages are a defunct test-launcher with no role in the karma runtime, so the suite is unaffected. (Locally, Firefox isn't installed; a ChromeHeadless spot-run confirmed the karma config loads and the dep removal introduces no new failures — remaining local failures are the expected missing-core-vendor/moment environment, unrelated to this change.)

…s deps

The karma test suite runs on Firefox (tests/js/config/karma.js,
gulpfile.js); `karma-phantomjs-launcher` and `phantomjs-prebuilt` were
unreferenced anywhere except package.json. `phantomjs-prebuilt` was the
SOLE path pulling in the vulnerable request -> tough-cookie / uuid chain.
Removing both dead dev deps eliminates those transitive packages entirely.

Fixed (packages removed from the dependency tree):
- request 2.88.2 removed (#58, SSRF, GHSA-p8p7-x288-28g6; deprecated, no fix)
- tough-cookie 2.5.0 removed (#64, prototype pollution, needs >= 4.1.3)
- uuid 3.4.0 removed (#129, buffer bounds check, needs >= 11.1.1)

Verified: `yarn install --frozen-lockfile` clean, `yarn build` (gulp) green.
Test suite runs on Firefox inside an ownCloud core checkout (CI: xvfb) and
is unaffected — the removed packages play no role in the karma runtime.

Not fixable here (no upstream fix / would need a major migration):
- angular / angular-sanitize (#43,#46,#59,#60,#61,#73,#84,#85,#90,#91) —
  AngularJS 1.x is EOL; all first_patched are null. Real remediation is a
  framework migration off AngularJS.
- babel-traverse 6.26.0 (#76, critical) — only @babel/traverse 7.x is
  patched; needs babel 6 -> 7 toolchain migration.
- lodash.template 3.6.2 (#77, high) — pulled by gulp-util/gulp 3.x; no
  patched line, deprecated. Resolved by the pending gulp 3 -> 5 upgrade (#1349).

Signed-off-by: Thomas Müller <[email protected]>
@DeepDiver1975 DeepDiver1975 requested a review from a team as a code owner July 9, 2026 15:49
@phil-davis phil-davis merged commit 964f81a into master Jul 9, 2026
10 checks passed
@phil-davis phil-davis deleted the fix/dependabot-alerts branch July 9, 2026 16:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants