From 16e905cf2d83d325ef26a42fc748fe7dd4eb8d90 Mon Sep 17 00:00:00 2001
From: Debug Agent
Date: Wed, 20 May 2026 19:00:08 +0200
Subject: [PATCH] fix(ci): clear two moderate npm audit advisories
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

`npm audit --audit-level=moderate` (the `security` job in ci.yml) has been failing on `main` for several PRs in a row. Two transitive advisories landed between the last green run and today:

1. **`brace-expansion 5.0.2 - 5.0.5`** — `GHSA-jxxr-4gwj-5jf2` (moderate, DoS via large numeric range). Comes in via `eslint → minimatch@^10 → brace-expansion`. Nesting a `brace-expansion: ^5.0.6` override under the existing `eslint.minimatch` entry pins it to a non-vulnerable version without touching unrelated brace-expansion instances elsewhere in the tree (glob, test-exclude).

2. **`ws 8.0.0 - 8.20.0`** — `GHSA-58qx-3vcg-4xpx` (moderate, uninitialized memory disclosure). `ws` is a direct dependency pinned at `^8.20.0`. `npm audit fix` walks it to `8.20.1` within the same major; no package.json change needed.

After: `npm audit` reports 0 vulnerabilities. CI's `security` job goes green.

Verified locally:
- `npm install` clean
- `npm audit --audit-level=moderate` — 0 vulnerabilities
- `npm audit --audit-level=high --production` — 0 vulnerabilities
- `npm run build` succeeds
- `npm test` — 199/199 passing
- `npm run lint` and `npm run format:check` clean

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 package-lock.json | 32 ++++++++++++++++----------------
 package.json | 5 ++++-
 2 files changed, 20 insertions(+), 17 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index e50c9fb..042ce0a 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -3527,19 +3527,6 @@
 "node": ">=6.0.0"
 }
 },
- "node_modules/brace-expansion": {
- "version": "5.0.5",
- "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.5.tgz",
- "integrity": "sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==",
- "dev": true,
- "license": "MIT",
- "dependencies": {
- "balanced-match": "^4.0.2"
- },
- "engines": {
- "node": "18 || 20 || >=22"
- }
- },
 "node_modules/browserslist": {
 "version": "4.28.1",
 "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.28.1.tgz",
@@ -5664,6 +5651,19 @@
 "url": "https://github.com/sponsors/isaacs"
 }
 },
+ "node_modules/minimatch/node_modules/brace-expansion": {
+ "version": "5.0.6",
+ "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.6.tgz",
+ "integrity": "sha512-kLpxurY4Z4r9sgMsyG0Z9uzsBlgiU/EFKhj/h91/8yHu0edo7XuixOIH3VcJ8kkxs6/jPzoI6U9Vj3WqbMQ94g==",
+ "dev": true,
+ "license": "MIT",
+ "dependencies": {
+ "balanced-match": "^4.0.2"
+ },
+ "engines": {
+ "node": "18 || 20 || >=22"
+ }
+ },
 "node_modules/minimist": {
 "version": "1.2.8",
 "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz",
@@ -7241,9 +7241,9 @@
 }
 },
 "node_modules/ws": {
- "version": "8.20.0",
- "resolved": "https://registry.npmjs.org/ws/-/ws-8.20.0.tgz",
- "integrity": "sha512-sAt8BhgNbzCtgGbt2OxmpuryO63ZoDk/sqaB/znQm94T4fCEsy/yV+7CdC1kJhOU9lboAEU7R3kquuycDoibVA==",
+ "version": "8.20.1",
+ "resolved": "https://registry.npmjs.org/ws/-/ws-8.20.1.tgz",
+ "integrity": "sha512-It4dO0K5v//JtTXuPkfEOaI3uUN87iYPnqo/ZzqCoG3g8uhA66QUMs/SrM0YK7/NAu+r4LMh/9dq2A7k+rHs+w==",
 "license": "MIT",
 "engines": {
 "node": ">=10.0.0"
diff --git a/package.json b/package.json
index 17cbb54..edb1770 100644
--- a/package.json
+++ b/package.json
@@ -35,7 +35,10 @@
 },
 "overrides": {
 "eslint": {
- "minimatch": "^10.2.1"
+ "minimatch": {
+ ".": "^10.2.1",
+ "brace-expansion": "^5.0.6"
+ }
 }
 },
 "scripts": {
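Review bot: The `ws` remediation is recorded only in the lockfile; per the description package.json still declares `ws` at `^8.20.0`, a range that admits the vulnerable 8.20.0, so a resolver that does not consult this lock (a stale offline mirror or cache, or any downstream install if this package is published as a library, since consumers never see a dependency's package-lock.json) can land back inside the advisory range. Raising the declared floor to `"ws": "^8.20.1"` in the same change pins the fix in the manifest the way this override does for brace-expansion; the `ws` dependency entry is outside this hunk. The nested `".": "^10.2.1"` / `"brace-expansion": "^5.0.6"` override itself reads fine and keeps the caret style of the existing minimatch entry.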