fix(ci): clear two moderate npm audit advisories #175
Merged
`npm audit --audit-level=moderate` (the `security` job in ci.yml) has been failing on `main` for several PRs in a row. Two transitive advisories landed between the last green run and today:

1. **`brace-expansion 5.0.2 - 5.0.5`** — `GHSA-jxxr-4gwj-5jf2` (moderate, DoS via large numeric range). Comes in via `eslint → minimatch@^10 → brace-expansion`. Nesting a `brace-expansion: ^5.0.6` override under the existing `eslint.minimatch` entry pins it to a non-vulnerable version without touching unrelated brace-expansion instances elsewhere in the tree (glob, test-exclude).
2. **`ws 8.0.0 - 8.20.0`** — `GHSA-58qx-3vcg-4xpx` (moderate, uninitialized memory disclosure). `ws` is a direct dependency pinned at `^8.20.0`. `npm audit fix` walks it to `8.20.1` within the same major; no package.json change needed.

After: `npm audit` reports 0 vulnerabilities. CI's `security` job goes green.

Verified locally:
- `npm install` clean
- `npm audit --audit-level=moderate` — 0 vulnerabilities
- `npm audit --audit-level=high --production` — 0 vulnerabilities
- `npm run build` succeeds
- `npm test` — 199/199 passing
- `npm run lint` and `npm run format:check` clean

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
The `security` CI job (which runs `npm audit --audit-level=moderate`) has been failing on `main` for several PRs because two transitive advisories landed since the last green run:

- `brace-expansion 5.0.2 - 5.0.5` — `GHSA-jxxr-4gwj-5jf2` (moderate; DoS via large numeric range that defeats the documented `max` protection). Reaches us via `eslint → minimatch@^10 → brace-expansion`. Fix: nest a `brace-expansion: ^5.0.6` override under the existing `eslint.minimatch` entry, so the pin only applies to the minimatch instance pulled in by eslint and leaves unrelated brace-expansion instances elsewhere in the tree (e.g. `glob`, `test-exclude`) alone.
- `ws 8.0.0 - 8.20.0` — `GHSA-58qx-3vcg-4xpx` (moderate; uninitialized-memory disclosure). `ws` is a direct dependency at `^8.20.0`; `npm audit fix` walks it forward to `8.20.1` inside the same major. No `package.json` change needed beyond the lockfile bump.

After these changes, `npm audit` reports `0 vulnerabilities`. CI's `security` job should go green again.

Diff
Test plan
- `npm install` clean
- `npm audit --audit-level=moderate` — 0 vulnerabilities
- `npm audit --audit-level=high --production` — 0 vulnerabilities
- `npm run build` succeeds
- `npm test` — 199/199 passing
- `npm run lint` — clean (warnings pre-existing)
- `npm run format:check` — clean
- `security`, `test (20.x)`, `test (22.x)`, `build`, `integration-test`, `smoke-test`, `validate-acp-providers` all pass

Scope notes
This PR is intentionally minimal — just the override + the lockfile bump from `npm audit fix`. The earlier merged PR #173 deliberately excluded these changes per maintainer request to keep that PR's diff scoped to ACP work; this is the follow-up that picks them up cleanly on top of `main`.

🤖 Generated with Claude Code
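A scoped override only pins the one path it names, so it is worth checking that the intended `eslint → minimatch → brace-expansion` copy moved and that every other installed copy was already outside the advisory range. The script below is an added example, not code from this PR or the project: it walks a lockfile-v3 `packages` map against the two advisory ranges quoted above; the before/after lockfile contents and the `example-app` name are constructed.

```javascript
// Added example (not code from PR #175): audit a lockfile-v3 "packages" map against
// the two advisory ranges quoted in the PR, listing every installed copy by path, so you
// can confirm the nested override reached eslint -> minimatch -> brace-expansion and that
// the other copies in the tree were already out of range. Lockfiles below are constructed.
const ESLINT_BE = "node_modules/eslint/node_modules/minimatch/node_modules/brace-expansion";
const ADVISORIES = [
  { name: "brace-expansion", id: "GHSA-jxxr-4gwj-5jf2", low: "5.0.2", high: "5.0.5" },
  { name: "ws", id: "GHSA-58qx-3vcg-4xpx", low: "8.0.0", high: "8.20.0" },
];
// Constructed: dependency tree as it looked before the fix.
const LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/ws": { version: "8.20.0" },
    "node_modules/brace-expansion": { version: "1.1.11" },
    "node_modules/glob/node_modules/brace-expansion": { version: "2.0.1" },
    [ESLINT_BE]: { version: "5.0.4" },
  },
};
// Constructed: same tree after the nested override and `npm audit fix`.
const LOCK_AFTER = JSON.parse(JSON.stringify(LOCK_BEFORE));
LOCK_AFTER.packages["node_modules/ws"].version = "8.20.1";
LOCK_AFTER.packages[ESLINT_BE].version = "5.0.6";

// Numeric compare of "major.minor.patch" strings; prerelease tags are dropped.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Every installed copy of `name`, hoisted or nested, with its lockfile path.
function findCopies(lock, name) {
  const tail = `node_modules/${name}`;
  return Object.entries(lock.packages)
    .filter(([p]) => p === tail || p.endsWith(`/${tail}`))
    .map(([p, meta]) => ({ path: p, version: meta.version }));
}

// One finding per installed copy whose version sits inside an advisory range.
function auditLock(lock, advisories = ADVISORIES) {
  const findings = [];
  for (const adv of advisories) {
    for (const copy of findCopies(lock, adv.name)) {
      if (compareVersions(copy.version, adv.low) >= 0 && compareVersions(copy.version, adv.high) <= 0)
        findings.push({ id: adv.id, ...copy });
    }
  }
  return findings;
}
```

Point it at a real `package-lock.json` with `auditLock(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))`; an empty result for the listed advisories is what `npm audit` reporting 0 vulnerabilities should agree with.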