
fix(deps): patch 4 npm security vulnerabilities via overrides#367

Merged
michaelrobertsutton merged 3 commits into
mainfrom
fix/npm-security-overrides
Jun 29, 2026

Conversation

@michaelrobertsutton

Collaborator

Summary

Patches 4 npm security vulnerabilities in the CRA frontend dependency tree using package.json overrides. No application code changed.

Vulnerabilities fixed

| Alert | Package | Severity | Fix |
| --- | --- | --- | --- |
| #36 | form-data (CRLF injection) | Low | Pinned to ^3.0.5 (patched from 3.0.4) |
| #37 | ws@7 (memory exhaustion) | Medium | Pinned to ^7.5.11 (patched from 7.5.10) |
| #38 | ws@8 in webpack-dev-server (memory exhaustion) | Medium | Scoped override to >=8.21.0 inside webpack-dev-server |
| #39 | js-yaml (quadratic expression DoS) | Medium | Pinned to ^4.2.0; scoped away from svgo@1.3.2 (see below) |

js-yaml: why there's a nested svgo override

svgo@1.3.2 (pulled in by CRA's SVGR pipeline) calls yaml.safeLoad(), which was removed in js-yaml@4. A flat "js-yaml": "^4.2.0" override would silently break any build that processes an SVG import. The fix: a nested "svgo": {"js-yaml": "^3.14.2"} override gives svgo its own js-yaml@3.x while all other consumers get v4.

Verified: svgo/node_modules/js-yaml@3.15.0 (safeLoad works), root js-yaml@4.3.0 (load works).

Vulnerabilities intentionally NOT fixed

These remain open; they require a react-scripts major version bump or CRA→Vite migration, which is out of scope for this PR:

  • webpack-dev-server@4.15.2 — 4 moderate CVEs (GHSA-9jgg-88mc-972h, -4v9v-hfq4-rm2v, -79cf-xcqc-c78w, -mx8g-39q3-5c79). Fix requires wds ≥5.2.5, locked by CRA.
  • @babel/core — 1 low CVE. Fix requires major version bump, locked by CRA.
  • http-proxy-middleware — 1 moderate CVE. Fix requires a CRA-breaking major bump.

The ws@8 bump addresses the WebSocket-layer DoS in wds; the remaining wds CVEs are in wds's own application code.

Test plan

  • npm install + lockfile regenerated
  • npm run build — clean
  • CI=true npm test — 88 tests pass, 6 suites
  • Backend lint (ruff check + ruff format --check) — clean
  • Backend unit tests (503 passed)
  • CI-equivalent integration suite (33 passed, 3 skipped, 503 deselected) — ~20 min run against real HAPI containers
  • Adversarial review — two independent passes; svgo/js-yaml latent risk identified and fixed before merge
  • Lockfile integrity hashes verified against npm registry

🤖 Generated with Claude Code

https://claude.ai/code/session_013S7BMjyXGSNLYkfFDWomuj
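As an added example (not code from this PR or the repository), a post-install check that the scoped overrides described above actually resolved where intended; the `overrides` object is reconstructed from the PR description and the lockfile excerpt is constructed, so the real package.json and package-lock.json may differ in detail.

```javascript
// Reconstructed from the PR description (not copied from the repository's package.json):
// flat entries override the root copy, nested objects override one dependent's copy only.
const overrides = {
  "form-data": "^3.0.5",
  "ws": "^7.5.11",
  "js-yaml": "^4.2.0",
  "svgo": { "js-yaml": "^3.14.2" },          // svgo@1.3.2 still calls yaml.safeLoad()
  "webpack-dev-server": { "ws": ">=8.21.0" }, // wds is on the 8.x series of ws
};

// Constructed excerpt of a package-lock.json "packages" map (lockfileVersion 2/3 layout).
const lock = {
  packages: {
    "node_modules/form-data": { version: "3.0.5" },
    "node_modules/ws": { version: "7.5.11" },
    "node_modules/js-yaml": { version: "4.3.0" },
    "node_modules/svgo/node_modules/js-yaml": { version: "3.15.0" },
    "node_modules/webpack-dev-server/node_modules/ws": { version: "8.21.0" },
  },
};

// Minimal semver support for the two range forms used in these overrides ("^x.y.z", ">=x.y.z").
const parse = (v) => v.split(".").map(Number);
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];
function satisfies(version, range) {
  const v = parse(version);
  if (range.startsWith("^")) { const m = parse(range.slice(1)); return v[0] === m[0] && cmp(v, m) >= 0; }
  if (range.startsWith(">=")) return cmp(v, parse(range.slice(2))) >= 0;
  throw new Error(`unsupported range: ${range}`);
}

// Expand overrides into the lockfile paths they govern. A nested override applies to the
// copy under the parent's node_modules; if npm hoisted it instead, the root copy is the
// fallback, which is exactly where a flat js-yaml@4 override would have bitten svgo.
function targets(ov, prefix = "node_modules/") {
  return Object.entries(ov).flatMap(([name, spec]) =>
    typeof spec === "string"
      ? [{ paths: [prefix + name, "node_modules/" + name], range: spec }]
      : targets(spec, `${prefix}${name}/node_modules/`));
}

// Returns one line per override that did not take effect; [] means every copy resolved as intended.
function checkOverrides(lockfile, ov) {
  const problems = [];
  for (const { paths, range } of targets(ov)) {
    const path = paths.find((p) => lockfile.packages[p]);
    const version = path ? lockfile.packages[path].version : "missing";
    if (!path || !satisfies(version, range)) problems.push(`${paths[0]}: want ${range}, got ${version}`);
  }
  return problems;
}
```

Run it against the real lockfile by replacing `lock` with `JSON.parse(fs.readFileSync("package-lock.json"))`; a non-empty result is the "silently broken SVG build" case caught before `npm run build` is.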

michaelrobertsutton and others added 3 commits June 29, 2026 10:34
Closes Dependabot alerts #36 (form-data CRLF injection), #37 (ws@7 memory
exhaustion), #38 (ws@8 memory exhaustion), #39 (js-yaml@3 quadratic DoS).
All fixes use package.json overrides — no direct dependency changes:

- form-data: ^3.0.4 → ^3.0.5 (CRLF injection in multipart field names)
- ws (global, jsdom dep): 7.5.10 → 7.5.11 (memory exhaustion DoS)
- ws (webpack-dev-server nested): >=8.20.1 → >=8.21.0 (same CVE, 8.x series)
- js-yaml: ^4.2.0 (quadratic DoS in merge key handling; js-yaml resolves to
  4.3.0 for all dependents, including the former 3.14.2 root copy)

Production build verified clean after changes.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013S7BMjyXGSNLYkfFDWomuj

Change exact pin '7.5.11' to '^7.5.11' for consistency with all other
overrides in the file. Resolved version is unchanged (still 7.5.11).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013S7BMjyXGSNLYkfFDWomuj

…ad breakage

svgo@1.3.2 calls yaml.safeLoad() which was removed in js-yaml@4. Add a nested
override to give svgo its own js-yaml@3.x while all other consumers get v4.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013S7BMjyXGSNLYkfFDWomuj
@michaelrobertsutton michaelrobertsutton merged commit 06fb168 into main Jun 29, 2026
6 checks passed
@michaelrobertsutton michaelrobertsutton deleted the fix/npm-security-overrides branch June 29, 2026 15:32