
fix: security fix #649

Merged
nijil-deriv merged 4 commits into master from mayuran/security-issues-on-bot-v1
Mar 6, 2026

Conversation

@mayuran-deriv
Contributor

No description provided.


github-actions bot commented Mar 6, 2026

Claude finished @mayuran-deriv's task in 2m 25s


PR Review: Security Dependency Updates

  • Gather context on PR changes
  • Analyze package.json dependency changes
  • Review security implications
  • Provide comprehensive review feedback

Summary

This PR updates several npm dependencies to address known security vulnerabilities. The changes are limited to package.json and package-lock.json. No application code was modified.


✅ Security Fixes Applied

| Package | Fix | CVE / Issue |
| --- | --- | --- |
| cross-spawn | Overridden to ^7.0.6 | CVE-2024-21538 — ReDoS via shell argument parsing |
| braces | Upgraded to ^3.0.3 + override | CVE-2024-4068 — Memory exhaustion / ReDoS |
| brace-expansion | Added as direct dep ^3.0.1 | Forces patched transitive version |
| glob | Overridden to 10.5.0 | Deprecation / security advisory in older versions |
| minimatch | Overridden to >=9.0.7 | CVE-2022-3517 — ReDoS |
| @semantic-release/npm | Overridden to ^13.1.2 | Supply chain / transitive vulnerability fixes |
| @tootallnate/once | Overridden to >=3.0.1 | Transitive fix |

Lock file confirms the resolved versions are correct:

  • cross-spawn@7.0.6
  • braces@3.0.3
  • brace-expansion@3.0.1
  • glob@10.5.0
  • minimatch@10.2.4 ✓ (satisfies >=9.0.7)

🔴 High Priority

glob@10.5.0 override is deprecated

package-lock.json line 14168 shows a deprecation warning on glob@10.5.0:

"deprecated": "Old versions of glob are not supported, and contain widely publicized security vulnerabilities..."

The override "glob": "10.5.0" pins to an exact deprecated version. The current stable is 11.x. Consider changing the override to a range that allows a secure version:

// package.json overrides
"glob": ">=10.5.0"
// or better
"glob": ">=11.0.0"



🟡 Medium Priority

brace-expansion and braces added as direct runtime dependencies

package.json lines 38–39 add these as dependencies (runtime):

"brace-expansion": "^3.0.1",
"braces": "^3.0.3",

Both are glob/minimatch utilities used exclusively by build and dev tooling. They have no runtime use in a browser application. Adding them to dependencies instead of devDependencies bloats the production artifact unnecessarily.

Recommendation: Move to devDependencies, or rely solely on the overrides section to force the patched versions.


brace-expansion@2.0.1 override targets a non-existent version

package.json line 188:

"brace-expansion@2.0.1": "2.0.2"

As of the last published registry state, brace-expansion@2.0.2 does not exist (latest v2 is 2.0.1). This override may be a no-op. If this targets a future release, it should be documented. If the intent is to force the newest patched brace-expansion, the "brace-expansion": "^3.0.1" direct dependency already handles this.


🟡 Medium Priority (Remaining Vulnerability)

semver@7.5.4 still present in @commitlint/is-ignored

package-lock.json line 2511 shows @commitlint/is-ignored still resolves semver@7.5.4, which is vulnerable to CVE-2022-25883 (ReDoS). This is a devDependency chain so runtime impact is nil, but adding a semver override would clean this up:

"overrides": {
  "semver": ">=7.5.10"
}

🟢 Low Priority

No PR description

The PR has no description listing the CVEs addressed, the npm audit output before/after, or links to advisories. For security PRs, this context helps reviewers verify completeness and gives auditors a reference. Consider adding a brief description with the vulnerabilities fixed.


Overall Assessment

The core security fixes are correct and well-applied — the overrides pattern is the right approach for forcing patched transitive dependencies. The main actionable issues are:

  1. The glob pin should be a range, not an exact deprecated version
  2. braces/brace-expansion should be in devDependencies, not dependencies

The PR is safe to merge with these improvements addressed.


github-actions bot commented Mar 6, 2026

Claude finished @mayuran-deriv's task in 1m 51s


PR Review: Security Dependency Updates

  • Gather context on PR changes
  • Analyze package.json dependency changes
  • Review husky hook changes
  • Analyze lock file for security implications
  • Provide comprehensive review feedback

Summary

This PR patches several known CVEs by adding npm overrides and bumping transitive dependencies. The 4 changed files are: package.json, package-lock.json, and two husky hooks. No application code was modified.


🔴 High Priority

glob pinned to an exact deprecated version

package.json line 185:

"glob": "10.5.0"

package-lock.json confirms this resolves to glob@10.5.0, which carries an explicit "deprecated" field in the registry:

"Old versions of glob are not supported, and contain widely publicized security vulnerabilities..."

The point of the override was to force a patched version — pinning to an exact deprecated release defeats the purpose. Use a minimum range instead:

"glob": ">=11.0.0"



🟡 Medium Priority

brace-expansion and braces placed in runtime dependencies

package.json lines 38–39:

"brace-expansion": "^3.0.1",
"braces": "^3.0.3",

Both packages are glob/shell utilities consumed only by build tooling (Jest, Webpack, Rsbuild, lint-staged). They serve no runtime purpose in the browser. Listing them under dependencies unnecessarily inflates the production artifact and signals to downstream consumers that these are required at runtime.

Recommendation: Move to devDependencies, or remove entirely — the overrides section already forces patched transitive versions without needing a direct dependency.


brace-expansion@2.0.1 override maps to a non-existent version

package.json line 188:

"brace-expansion@2.0.1": "2.0.2"

brace-expansion@2.0.2 does not exist on the npm registry (latest in the v2 line is 2.0.1). This override is a no-op and should either be removed or corrected. If the goal is to patch all brace-expansion installs, the top-level "brace-expansion": "^3.0.1" direct dep (or a plain override "brace-expansion": "^3.0.1") already handles it.

minimatch override jumps to v10 — potential compatibility risk

package.json line 190:

"minimatch": ">=10.2.3"

CVE-2022-3517 was fixed in minimatch@3.0.5 / 5.1.2 / 9.0.5. Forcing all transitive consumers to v10 is unnecessarily aggressive. Packages that depend on minimatch@^3.x or ^9.x will be forcibly resolved to v10, which changed several internal APIs. A safer range that still covers the CVE:

"minimatch": ">=3.0.5"

Or if v9+ behavior is acceptable:

"minimatch": ">=9.0.5"

semver vulnerability not addressed

@commitlint/is-ignored still pulls in semver@7.5.4 (CVE-2022-25883, ReDoS). Runtime impact is nil (dev dependency), but it will show up in npm audit. Adding the following to overrides would silence it:

"semver": ">=7.5.10"

🟢 Low Priority

Husky hook changes are safe but undocumented

.husky/post-commit and .husky/pre-commit each had one line removed (ShiftAI CLI invocations). The current state is reasonable:

  • pre-commit: runs npx lint-staged --allow-empty — correct
  • post-commit: only exit 0 — harmless but a bit empty; the ShiftAI analysis call was removed

No issues here, but the PR description should mention this was intentional.

No PR description

For a security-focused PR, a description listing the CVEs addressed, before/after npm audit output, and rationale for each override makes review and future auditing much easier.


✅ What's Correct

| Override | CVE | Status |
| --- | --- | --- |
| cross-spawn: "^7.0.6" | CVE-2024-21538 | ✅ Correct |
| braces: "^3.0.3" (override) | CVE-2024-4068 | ✅ Correct |
| @semantic-release/npm: "^13.1.2" | transitive fixes | ✅ Correct |
| @tootallnate/once: ">=3.0.1" | transitive fix | ✅ Correct |
| tar: ">=7.5.9" | CVE-2024-28863 | ✅ Correct |
| minimatch: ">=10.2.3" | CVE-2022-3517 | ⚠️ Over-aggressive (see above) |
| glob: "10.5.0" | security advisory | ❌ Pinned to deprecated version |

Overall Assessment

The core intent is correct — using overrides is the right npm mechanism for patching transitive CVEs. Three actionable issues remain: the glob pin to a deprecated exact version, brace-expansion/braces in runtime dependencies, and the no-op brace-expansion@2.0.1 override. The minimatch range jump to v10 warrants review for compatibility. The PR is safe to merge but would benefit from the above cleanup before landing.


github-actions bot commented Mar 6, 2026

Claude finished @mayuran-deriv's task in 2m 7s


PR Review: Security Dependency Updates

  • Gather context on PR changes
  • Analyze package.json changes in detail
  • Review husky hook changes
  • Analyze lock file for security implications
  • Provide comprehensive review feedback

Summary

This PR patches multiple known CVEs by adding npm overrides, bumping transitive dependencies, and removing ShiftAI hooks. Changes are confined to package.json, package-lock.json, and two husky hooks. No application code was modified.


🔴 High Priority

glob override pins to an exact deprecated version

package.json line 185:

"glob": "10.5.0"

package-lock.json line 14168 confirms this resolves to glob@10.5.0, which carries an explicit deprecation warning in the registry:

"Old versions of glob are not supported, and contain widely publicized security vulnerabilities..."

This defeats the purpose of the override — you're forcing all transitive consumers to a version that itself is flagged as insecure. Use a range that allows modern, non-deprecated versions:

"glob": ">=11.0.0"


brace-expansion@2.0.1 override maps to a non-existent version

package.json line 188:

"brace-expansion@2.0.1": "2.0.2"

brace-expansion@2.0.2 does not exist on npm (the latest in the v2 line is 2.0.1). This override is a silent no-op and should be removed. The top-level "brace-expansion": "^3.0.1" direct dependency (or a plain override without the version specifier) already covers patching all brace-expansion installs.



🟡 Medium Priority

brace-expansion and braces placed in runtime dependencies

package.json lines 38–39:

"brace-expansion": "^3.0.1",
"braces": "^3.0.3",

Both are glob/shell utilities consumed exclusively by build tooling (Jest, Webpack, Rsbuild, lint-staged). They serve zero purpose at browser runtime. Adding them under dependencies inflates the production bundle metadata and misleads downstream tooling/consumers.

Recommendation: Remove from dependencies entirely — the overrides section already forces the patched transitive versions without needing a direct dependency.


minimatch override jumps to v10 — compatibility risk

package.json line 190:

"minimatch": ">=10.2.3"

Lock file confirms this resolves to minimatch@10.2.4. CVE-2022-3517 was fixed in 3.0.5 / 9.0.5. Several dev-time packages in this project require minimatch@^3.x (eslint, @humanwhocodes/config-array) — forcing them all to v10 is overly aggressive and may cause subtle runtime breakage in build tooling. A safer range that still addresses the CVE:

"minimatch": ">=9.0.5"

Stale ShiftAI comments in husky hooks

.husky/pre-commit still contains:

# ShiftAI Pre-commit Hook - Detect and strip AI markers

.husky/post-commit still contains:

# ShiftAI Post-commit Hook - Display AI analysis table

The ShiftAI invocations were removed, but the explanatory comments remain, making the hooks misleading. These comments should be cleaned up.


🟡 Medium Priority — Remaining Vulnerability

semver not patched (CVE-2022-25883)

The devDependency chain through @commitlint/is-ignored still resolves semver@7.x which is vulnerable to CVE-2022-25883 (ReDoS). Runtime impact is nil since this is dev-only, but it will continue to appear in npm audit output. Adding the following to overrides would address it:

"semver": ">=7.5.10"

🟢 Low Priority

Notable dev dependency bumps without description

  • @typescript-eslint/eslint-plugin + @typescript-eslint/parser: ^6.x → ^7.18.0 — major version upgrade. Verify no new lint errors are introduced (CI should catch this).
  • copy-webpack-plugin: ^12.0.2 → ^14.0.0 — two major versions. This is a dev-only Webpack path, so risk is low, but worth noting for any Webpack-based builds.
  • dompurify: ^3.2.6 → ^3.3.2 — a runtime dependency. Changelog for this security library should be consulted to ensure no API changes affect usage.

No PR description

For a security-focused PR, a description listing CVEs addressed, before/after npm audit summaries, and rationale for the overrides choices significantly helps reviewers and future auditors.


✅ What's Correct

| Override | CVE | Status |
| --- | --- | --- |
| cross-spawn: "^7.0.6" | CVE-2024-21538 | ✅ Correct — lock resolves 7.0.6 |
| braces: "^3.0.3" (override) | CVE-2024-4068 | ✅ Correct |
| @semantic-release/npm: "^13.1.2" | transitive | ✅ Correct |
| @tootallnate/once: ">=3.0.1" | transitive | ✅ Correct |
| tar: ">=7.5.10" | CVE-2024-28863 | ✅ Correct — lock resolves 7.5.10 |
| minimatch: ">=10.2.3" | CVE-2022-3517 | ⚠️ Over-aggressive, v9.0.5+ is sufficient |
| glob: "10.5.0" | security advisory | ❌ Pinned to deprecated exact version |
| brace-expansion@2.0.1: "2.0.2" | — | ❌ v2.0.2 does not exist, no-op |

Overall Assessment

The core intent is correct — using overrides is the right npm mechanism for patching transitive CVEs. Three concrete issues need addressing before this lands cleanly:

  1. glob pin must become a range pointing to non-deprecated versions (>=11.0.0)
  2. brace-expansion and braces should be removed from runtime dependencies
  3. The brace-expansion@2.0.1 → 2.0.2 override is a no-op and should be removed

The PR is safe to merge but the glob issue means a deprecated/flagged version will still be present in the lock file, which may generate fresh audit warnings post-merge.


github-actions bot commented Mar 6, 2026

Claude finished @mayuran-deriv's task in 1m 30s


PR Review: Security Dependency Updates

  • Read changed files
  • Analyze package.json changes
  • Analyze husky hook changes
  • Analyze lock file for security implications
  • Provide comprehensive review feedback

Summary

This PR addresses known CVEs by adding npm overrides, bumping transitive dependencies, removing the @deriv-com/shiftai-cli dependency, and cleaning up its husky hook invocations. Changes are confined to package.json, package-lock.json, and two husky hooks. No application code was modified.


🔴 High Priority

glob override pinned to an exact deprecated version

package.json line 184:

"glob": "10.5.0"

This resolves to glob@10.5.0, which carries an explicit "deprecated" notice in the registry:

"Old versions of glob are not supported, and contain widely publicized security vulnerabilities..."

Pinning to an exact version that itself is flagged as insecure defeats the purpose of the override. Use a minimum range to allow resolution to a modern, non-deprecated version:

"glob": ">=11.0.0"


brace-expansion@2.0.1 override is a no-op

package.json line 187:

"brace-expansion@2.0.1": "2.0.2"

brace-expansion@2.0.2 does not exist on the npm registry (the latest v2 release is 2.0.1). This override silently does nothing. If the intent was to patch all brace-expansion installs, the top-level "brace-expansion": "^3.0.1" entry (or a plain override without the version specifier) already handles that. Remove this entry.



🟡 Medium Priority

brace-expansion and braces placed in runtime dependencies

package.json lines 38–39:

"brace-expansion": "^3.0.1",
"braces": "^3.0.3",

Both are glob/shell utilities consumed exclusively by build tooling (Jest, Webpack, Rsbuild, lint-staged). They serve zero runtime purpose in the browser bundle. Placing them under dependencies rather than devDependencies unnecessarily inflates production artifact metadata and misleads downstream tooling.

Recommendation: Remove them from dependencies entirely — the overrides section already forces the patched transitive versions without a direct dependency.


minimatch override is overly aggressive

package.json line 189:

"minimatch": ">=10.2.3"

CVE-2022-3517 was fixed in minimatch@3.0.5, 5.1.2, and 9.0.5. Forcing all transitive consumers to v10 risks breaking packages that were written against minimatch@^3.x or ^9.x semantics (e.g. eslint's @humanwhocodes/config-array). A safer range that still closes the CVE:

"minimatch": ">=9.0.5"

Stale ShiftAI comments remain in husky hooks

The ShiftAI CLI invocations were correctly removed, but the explanatory comments are still present:

.husky/pre-commit line 5:

# ShiftAI Pre-commit Hook - Detect and strip AI markers

.husky/post-commit line 4:

# ShiftAI Post-commit Hook - Display AI analysis table

These misleading comments should be cleaned up since the functionality no longer exists.


semver vulnerability not addressed (CVE-2022-25883)

The devDependency chain through @commitlint/is-ignored still resolves semver@7.x (vulnerable to ReDoS). Runtime impact is nil since it's dev-only, but it will continue to appear in npm audit. Adding the following to overrides would address it:

"semver": ">=7.5.10"

🟢 Low Priority / Informational

Notable dependency version bumps

| Package | Old | New | Note |
| --- | --- | --- | --- |
| @typescript-eslint/eslint-plugin | ^6.21.0 | ^7.18.0 | Major version. Verify no new lint errors (CI should catch). |
| @typescript-eslint/parser | ^6.0.0 | ^7.18.0 | Major version. Same risk as above. |
| copy-webpack-plugin | ^12.0.2 | ^14.0.0 | Two major versions. Dev/Webpack-only path, low risk but worth noting. |
| dompurify | ^3.2.6 | ^3.3.2 | Runtime security library bump. Changelog should be reviewed to confirm no API surface changes affect usage. |

No PR description

For a security-focused PR, listing the CVEs addressed and before/after npm audit output would significantly help reviewers and future auditors.


✅ What's Correct

| Change | CVE | Assessment |
| --- | --- | --- |
| cross-spawn: "^7.0.6" override | CVE-2024-21538 | ✅ Correct |
| braces: "^3.0.3" override | CVE-2024-4068 | ✅ Correct |
| @semantic-release/npm: "^13.1.2" override | transitive | ✅ Correct |
| @tootallnate/once: ">=3.0.1" override | transitive | ✅ Correct |
| tar: ">=7.5.10" override | CVE-2024-28863 | ✅ Correct |
| Removed @deriv-com/shiftai-cli + hook calls | supply chain | ✅ Correct |
| dompurify: "^3.3.2" | security patch | ✅ Correct |
| minimatch: ">=10.2.3" | CVE-2022-3517 | ⚠️ Closes CVE but overly aggressive (v9.0.5+ is sufficient) |
| glob: "10.5.0" | security advisory | ❌ Pinned to deprecated exact version |
| brace-expansion@2.0.1: "2.0.2" | — | ❌ v2.0.2 doesn't exist, no-op |

Overall Assessment

The core intent and mechanism are correct — overrides is the right npm approach for patching transitive CVEs. Three concrete issues need addressing before this lands cleanly:

  1. glob override must be a range pointing to non-deprecated versions (>=11.0.0)
  2. brace-expansion and braces should be removed from runtime dependencies
  3. The brace-expansion@2.0.1 → 2.0.2 override is a no-op and should be removed

The PR is safe to merge as-is, but the glob pin will continue to generate audit warnings post-merge.


github-actions bot commented Mar 6, 2026

Preview Link: https://mayuran-security-iss.bot-65f.pages.dev

Build status: Completed ✅

nijil-deriv merged commit fc0a46f into master Mar 6, 2026
8 checks passed
nijil-deriv deleted the mayuran/security-issues-on-bot-v1 branch March 6, 2026 10:08