
chore(DF-859): migrate eslint to v9 flat config and fix vulnerabilities #1110

Merged
mokhld merged 2 commits into main from chore/df-859-eslint9-migration on Mar 5, 2026

Conversation

@mokhld mokhld (Contributor) commented Mar 3, 2026

Description

  • fast-xml-parser >=5.3.8: Overrides the version pinned by @aws-sdk/xml-builder (a transitive dependency of @aws-sdk/client-sqs) to resolve GHSA-fj3w-jwp8-x2g3, a high-severity stack overflow vulnerability. AWS hasn’t bumped their dependency yet (New Vulnerability on fast-xml-parser aws/aws-sdk-js-v3#7797), though comments indicate the fix has been added and will be released shortly.
  • serialize-javascript >=7.0.3: Overrides the version pinned by copy-webpack-plugin and terser-webpack-plugin to resolve GHSA-5c6j-r48x-rmvq, a high-severity RCE vulnerability via RegExp.flags and Date.prototype.toISOString().
  • tmp >=0.2.4: Overrides the version used by useragent (via @hapi/scooter) to resolve GHSA-g2q5-5433-rhrf, a high-severity TOCTOU race condition vulnerability. useragent hasn’t updated its dependency.

The remaining two moderate-severity useragent ReDoS vulnerabilities (GHSA-mgfv-m47x-4wqp) have no fix available. useragent@2.3.0 is the latest version and the package is unmaintained. It is pulled in by @hapi/scooter.

Running npm audit will show:

# npm audit report

useragent  *
Severity: moderate
useragent Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-mgfv-m47x-4wqp
No fix available
node_modules/useragent
  @hapi/scooter  *
  Depends on vulnerable versions of useragent
  node_modules/@hapi/scooter

2 moderate severity vulnerabilities
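
As an added check that is not part of this PR: npm overrides only take effect once the lockfile is regenerated, so a stale nested copy under node_modules/<dep>/node_modules/ can keep the vulnerable version. This script walks every installed copy of the three overridden packages in a lockfileVersion 2 or 3 package-lock.json (a constructed fragment is embedded; the minimum versions and advisory ids are the PR's own) and reports any copy still below the override's minimum.

```javascript
// Minimum versions demanded by this PR's overrides (advisory ids from the PR).
const MINIMUMS = {
  "fast-xml-parser": "5.3.8",      // GHSA-fj3w-jwp8-x2g3
  "serialize-javascript": "7.0.3", // GHSA-5c6j-r48x-rmvq
  "tmp": "0.2.4",                  // GHSA-g2q5-5433-rhrf
};

// Numeric dotted-version comparator (<0, 0, >0); pre-release tags are dropped.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Package name = everything after the last "node_modules/" in a lockfile key.
function nameFromPath(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// Return every installed copy (lockfile v2/3 "packages" map) below its minimum.
function findStaleCopies(lock, minimums) {
  const stale = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = nameFromPath(path);
    if (!name || !(name in minimums) || !entry.version) continue;
    if (compareVersions(entry.version, minimums[name]) < 0) {
      stale.push({ path, version: entry.version, required: minimums[name] });
    }
  }
  return stale;
}

// Constructed package-lock fragment: the hoisted copies were bumped by the
// override, but a nested copy under terser-webpack-plugin was not regenerated.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/fast-xml-parser": { version: "5.3.8" },
    "node_modules/tmp": { version: "0.2.4" },
    "node_modules/terser-webpack-plugin/node_modules/serialize-javascript": { version: "6.0.2" },
  },
};
```

Running findStaleCopies(SAMPLE_LOCK, MINIMUMS) flags the nested serialize-javascript@6.0.2 copy; pass JSON.parse of a real package-lock.json to check a project after npm install.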

@mokhld mokhld force-pushed the chore/df-859-eslint9-migration branch from d53689a to 27ead5d on March 3, 2026 16:49
@mokhld mokhld marked this pull request as ready for review March 3, 2026 16:53
@mokhld mokhld force-pushed the chore/df-859-eslint9-migration branch from 27ead5d to a357bf1 on March 5, 2026 10:03
- Bumped immutable from 5.1.4 to 5.1.5
- Bumped sax from 1.4.3 to 1.5.0, added node engine requirement
- Bumped svgo from 4.0.0 to 4.0.1, updated sax dependency version
sonarqubecloud Bot commented Mar 5, 2026

@mokhld mokhld merged commit 59c0170 into main Mar 5, 2026
9 checks passed
@mokhld mokhld deleted the chore/df-859-eslint9-migration branch March 5, 2026 10:33