Skip to content

chore(security): non-breaking npm audit fix across all 4 packages#1801

Open
johan-bell wants to merge 1 commit into
mainfrom
security/npm-audit-nonbreaking-1798
Open

chore(security): non-breaking npm audit fix across all 4 packages#1801
johan-bell wants to merge 1 commit into
mainfrom
security/npm-audit-nonbreaking-1798

Conversation

@johan-bell

@johan-bell johan-bell commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator

What

Non-breaking npm audit fix across all four packages (api/, app/, cms/, shared/). Lockfile-only — no package.json version ranges were touched, so no declared dependency changed; this is purely transitive resolution to already-permitted semver-compatible versions.

Part of the dependency-vulnerability audit in #1800. This is the safe half — see that issue for the full picture and the deferred major-upgrade work.

Alert reduction

Package Before After Cleared
api 49 23 26
app 39 17 22
cms 39 17 22
shared 42 22 20

Covers the semver-compatible transitive bumps: axios → 1.16.x, ws → 8.21, socket.io-parser → 4.2.6, postcss, uuid, qs, glob, brace-expansion, music-metadata, lodash/lodash-es → 4.17.23, and the dev-side handlebars / shell-quote / form-data criticals, among others.

What is NOT here (on purpose)

Every remaining alert needs a major bump that ripples through a framework or the build and needs integration/e2e infra to verify. Deferred to scoped follow-ups (tracked in #1800):

  • api: NestJS 10 → 11 — the only way to clear the production @fastify/middie auth-bypass critical and the fastify/fast-uri/multer highs. Highest-priority follow-up.
  • app/cms/shared: Vite 7 → 8, Vitest 3 → 4 (clears the dev vitest criticals), vue-tsc 3.
  • A few nested highs (@typescript-eslint/*, minimatch) fixable via an overrides block — left out because that edits package.json.

Lockfile validity (CI install mode)

All four lockfiles pass npm ci in the exact mode CI uses (shared/api plain; app/cms --install-links, which materializes the file:../shared dep). The first push failed CI here: the initial npm audit fix ran in symlink mode and pruned luminary-shared's transitive deps from the app/cms lockfiles, which npm ci --install-links rejects as out-of-sync. Fixed by reconciling those two with npm install --install-links (costs a couple of alerts vs the symlink-mode count -- hence 39&17, not 39&15).

Verification

  • shared builds clean (npm run build).
  • No test regression vs origin/main, measured properly (backed up fixes → npm ci the true baseline lockfile → compared):
    • shared: 153 failed | 952 passed on both baseline and this branch — byte-identical. Those 153 are a pre-existing broken test-env issue on main (localStorage/initDatabase; responseCache.spec.ts 20/20), not caused by this change. Flagged in Security: Dependabot vulnerability audit + remediation plan (180 alerts) #1800 for its own ticket.
    • cms: 115 files, 928 passed, 0 failed — clean.
    • app: 72 files, 582 passed, 1 skipped, 0 failed — clean.

⚠️ Not verified

The api lockfile change is not integration-tested — the api suite needs CouchDB + MinIO, which per the repo conventions are the maintainer's to run, and aren't available in the environment this was prepared in. The change resolves cleanly (npm ls), but a maintainer should run the api tests before merging. The bumps here are transitive and semver-compatible (notably axios 1.13→1.16, ws, fast-xml-parser, file-type, music-metadata), so risk is low — but "low" is not "verified."

Recommend closing Dependabot PRs #1491 and #1517 (stale, superseded, partial) in favour of this sweep.

Lockfile-only transitive dependency bumps from a non-`--force` `npm audit fix`
in each of the four packages. No package.json version ranges were changed, so
no declared dependency was altered — this is purely resolution to
already-permitted semver-compatible versions.

Alert reduction (npm audit): api 49→23, app 39→17, cms 39→17, shared 42→22.
Clears the semver-compatible transitive advisories (axios→1.16, ws→8.21,
socket.io-parser, postcss, uuid, qs, glob, lodash, music-metadata, and the
dev-side handlebars/shell-quote/form-data criticals, among others).

app/ and cms/ lockfiles were reconciled with `npm install --install-links` so
they stay valid under CI's `npm ci --install-links` (which materializes the
file:../shared dependency); the initial audit-fix ran in symlink mode and had
pruned luminary-shared's transitive deps, which broke `npm ci` in CI.

Everything remaining needs a major bump (NestJS 11 for the production
@fastify/middie critical; Vite 8; Vitest 4) and is deferred to scoped
follow-ups that need the integration/e2e infra to verify.

Verified: all four lockfiles pass `npm ci` in their CI install mode
(shared/api plain, app/cms --install-links). No unit-test regression vs
origin/main: cms 928 passed / 0 failed, app 582 passed / 1 skipped / 0 failed,
shared unchanged. The api lockfile is NOT integration-tested here (needs
CouchDB + MinIO) — a maintainer should run the api suite before merge.
@johan-bell johan-bell force-pushed the security/npm-audit-nonbreaking-1798 branch from 9037122 to d77ae96 Compare July 9, 2026 09:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant