chore(security): non-breaking npm audit fix across all 4 packages#1801
Open
johan-bell wants to merge 1 commit into
Open
chore(security): non-breaking npm audit fix across all 4 packages#1801johan-bell wants to merge 1 commit into
johan-bell wants to merge 1 commit into
Conversation
Lockfile-only transitive dependency bumps from a non-`--force` `npm audit fix` in each of the four packages. No package.json version ranges were changed, so no declared dependency was altered — this is purely resolution to already-permitted semver-compatible versions. Alert reduction (npm audit): api 49→23, app 39→17, cms 39→17, shared 42→22. Clears the semver-compatible transitive advisories (axios→1.16, ws→8.21, socket.io-parser, postcss, uuid, qs, glob, lodash, music-metadata, and the dev-side handlebars/shell-quote/form-data criticals, among others). app/ and cms/ lockfiles were reconciled with `npm install --install-links` so they stay valid under CI's `npm ci --install-links` (which materializes the file:../shared dependency); the initial audit-fix ran in symlink mode and had pruned luminary-shared's transitive deps, which broke `npm ci` in CI. Everything remaining needs a major bump (NestJS 11 for the production @fastify/middie critical; Vite 8; Vitest 4) and is deferred to scoped follow-ups that need the integration/e2e infra to verify. Verified: all four lockfiles pass `npm ci` in their CI install mode (shared/api plain, app/cms --install-links). No unit-test regression vs origin/main: cms 928 passed / 0 failed, app 582 passed / 1 skipped / 0 failed, shared unchanged. The api lockfile is NOT integration-tested here (needs CouchDB + MinIO) — a maintainer should run the api suite before merge.
9037122 to
d77ae96
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Non-breaking
npm audit fixacross all four packages (api/,app/,cms/,shared/). Lockfile-only — nopackage.jsonversion ranges were touched, so no declared dependency changed; this is purely transitive resolution to already-permitted semver-compatible versions.Part of the dependency-vulnerability audit in #1800. This is the safe half — see that issue for the full picture and the deferred major-upgrade work.
Alert reduction
Covers the semver-compatible transitive bumps:
axios→ 1.16.x,ws→ 8.21,socket.io-parser→ 4.2.6,postcss,uuid,qs,glob,brace-expansion,music-metadata,lodash/lodash-es→ 4.17.23, and the dev-sidehandlebars/shell-quote/form-datacriticals, among others.What is NOT here (on purpose)
Every remaining alert needs a major bump that ripples through a framework or the build and needs integration/e2e infra to verify. Deferred to scoped follow-ups (tracked in #1800):
@fastify/middieauth-bypass critical and thefastify/fast-uri/multerhighs. Highest-priority follow-up.vitestcriticals),vue-tsc3.@typescript-eslint/*,minimatch) fixable via anoverridesblock — left out because that editspackage.json.Lockfile validity (CI install mode)
All four lockfiles pass
npm ciin the exact mode CI uses (shared/apiplain;app/cms--install-links, which materializes thefile:../shareddep). The first push failed CI here: the initialnpm audit fixran in symlink mode and prunedluminary-shared's transitive deps from theapp/cmslockfiles, whichnpm ci --install-linksrejects as out-of-sync. Fixed by reconciling those two withnpm install --install-links(costs a couple of alerts vs the symlink-mode count -- hence 39&17, not 39&15).Verification
sharedbuilds clean (npm run build).origin/main, measured properly (backed up fixes →npm cithe true baseline lockfile → compared):shared:153 failed | 952 passedon both baseline and this branch — byte-identical. Those 153 are a pre-existing broken test-env issue onmain(localStorage/initDatabase;responseCache.spec.ts20/20), not caused by this change. Flagged in Security: Dependabot vulnerability audit + remediation plan (180 alerts) #1800 for its own ticket.cms:115 files, 928 passed, 0 failed— clean.app:72 files, 582 passed, 1 skipped, 0 failed— clean.The
apilockfile change is not integration-tested — the api suite needs CouchDB + MinIO, which per the repo conventions are the maintainer's to run, and aren't available in the environment this was prepared in. The change resolves cleanly (npm ls), but a maintainer should run the api tests before merging. The bumps here are transitive and semver-compatible (notablyaxios1.13→1.16,ws,fast-xml-parser,file-type,music-metadata), so risk is low — but "low" is not "verified."Recommend closing Dependabot PRs #1491 and #1517 (stale, superseded, partial) in favour of this sweep.