Moderate vulnerabilities in transitive dependencies (validator → z-schema → swagger-parser → swagger-jsdoc #426
Description
Package: swagger-jsdoc@6.2.8
Environment:
- Node.js version: v22.19.0
- npm version: 10.9.3
- OS: macOS Sequoia 15.0.1
Description:
When running npm audit in a Docker build step (STEP 11/15), the following occurs:
STEP 11/15: RUN if [ "$RUN_AUDIT" = "true" ]; then npm audit --omit=dev; else echo "Skipping audit"; fi
The audit reports 5 moderate severity vulnerabilities in the transitive dependency chain:
validator → z-schema → @apidevtools/swagger-parser → swagger-jsdoc
Steps to Reproduce:
- Include
swagger-jsdoc@6.2.8in a project. - Run
npm audit(or build a Docker image with$RUN_AUDIT=true). - Observe the reported vulnerabilities.
Expected Behavior:
No vulnerabilities in the dependency chain or guidance on mitigation.
Additional Context:
- This seems to be caused by deep transitive dependencies (
validator,z-schema,swagger-parser). - Advisory reference: GHSA-9965-vmph-33xx