Security Wave 1 - supply-chain remediation (-34 vulns) #122
Merged
Conversation
Capture the current vulnerability state (181 issues: 6 critical, 83 high, 71 moderate, 21 low) before running 'npm audit fix' so the diff is auditable in a follow-up commit.
Apply 'npm audit fix' without --force. Only package-lock.json is modified; no package.json change, no breaking change introduced. Vulnerability count: 181 -> 161 (-20). Critical: 6 -> 4 (-2) High: 83 -> 73 (-10) Moderate: 71 -> 66 (-5) Low: 21 -> 18 (-3) Build (ng build --configuration dev): green. Karma suite: 13/13 passing (38 skipped, identical to pre-fix baseline). Remaining 161 vulnerabilities require breaking-change upgrades (Angular 21, karma 6, protractor 6) and are intentionally left out of this PR; they will be addressed in a dedicated Angular major upgrade decision.
firebase-admin is a Node.js server SDK; it has no place in an Angular front-end and was never imported anywhere in src/. Its presence pulled in a large transitive subtree (@google-cloud/firestore, @grpc/proto-loader, protobufjs, jsonwebtoken, ...) carrying multiple critical/high CVEs that were structurally unfixable in this client. Verification: 'grep -rn firebase-admin src/' returns no matches. Vulnerability count after removal: 161 -> 147 (-14). Build hash unchanged (vendor bundle 23b84eb0b09e489158c2 identical before/after), confirming the package never reached the bundle. Karma suite still green (13/13).
Replace caret ranges ('^8.10.1', '^6.1.5') with exact versions ('8.10.1', '6.1.5') in package.json for runtime-sensitive Firebase dependencies.
Rationale: 'npm install' without a lockfile (or after lockfile invalidation) would otherwise be free to pull a newer minor of these packages. For supply-chain hardening, pinning to the exact resolved version makes installs deterministic and removes one degree of freedom from the install plan. The package-lock.json already enforced this in 'npm ci' mode, but the manifest now matches.
Build green, Karma suite 13/13 passing, audit count unchanged (147).
Promote 'npm ci' over 'npm install' for any non-interactive environment (CI, deploy, fresh clone). 'npm ci' refuses to mutate package-lock.json and fails fast on lockfile drift, which is the property we want for supply-chain hygiene.
- docs/security-baseline-2026-05-15-post-wave1.json: final 'npm audit' state after Wave 1 commits (147 vulns: 4 critical, 67 high, 62 moderate, 14 low).
- docs/security-audit-redquest.md: mark Wave 1 as complete with the delta table and flag two side findings ('dot-prop' and 'elliptic' use '>=' ranges, more permissive than '^') to schedule in a follow-up.
Net Wave 1 impact: 181 -> 147 vulns (-34, -19%). Critical -33%, Low -33%, no breaking changes.
This was referenced May 15, 2026
Security Wave 1 - supply-chain remediation
Implementation of Wave 1 from docs/security-audit-redquest.md. Focus is supply-chain hygiene: no breaking change, no --force npm audit fix, no Angular upgrade.
Net impact
Baselines committed for diff:
docs/security-baseline-2026-05-15.json (before) and docs/security-baseline-2026-05-15-post-wave1.json (after).
Commits
- chore(security): snapshot npm audit baseline before Wave 1 fixes - pre-fix audit JSON for auditability.
- fix(security): npm audit fix - resolve 20 transitive vulnerabilities - lockfile-only update, no package.json change, no breaking change.
- fix(security): remove unused firebase-admin server-side SDK - confirmed zero imports in src/, vendor bundle hash unchanged before/after (23b84eb0b09e489158c2).
- chore(security): pin exact versions for firebase and @angular/fire - replace ^ with exact versions.
- docs(readme): document npm ci as preferred install for CI and deploys.
- chore(security): snapshot post-Wave 1 audit baseline and update plan - final JSON + delta table + Wave 1 flagged complete.
Verification
For every change touching the dependency tree:
- ng build --configuration dev: green (same vendor bundle hash before/after firebase-admin removal).
- ng test --watch=false --browsers=ChromeHeadless: 13/13 passing (38 skipped, identical to pre-Wave 1 baseline).
- npm ls firebase-admin after removal: empty.
- npm audit JSON snapshots committed before and after for delta auditability.
Out of scope (intentional)
- npm audit fix --force (would pull Angular 21, karma 6, protractor 6). These belong to a dedicated Angular major upgrade decision.
- dot-prop and elliptic still use >= ranges in package.json. Flagged in docs/security-audit-redquest.md for a follow-up.
Rollback plan
Each commit is independently revertible. The two most impactful commits are #3 (firebase-admin removal) and #2 (npm audit fix). If a downstream issue is discovered:
git revert <sha> on the offending commit. No data migration, no runtime contract change.
Related
- docs/security-audit-redquest.md
- docs/security-audit-framework.md
Pull Request opened by Augment Code with guidance from the PR author
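The PR commits a "before" and an "after" npm audit snapshot and reports the delta table by severity. The script below is an added example (not code from this PR or its repository) of how such a delta can be derived directly from two 'npm audit --json' files rather than by hand; it assumes the npm 7+ audit JSON layout and uses two small constructed snapshots in place of the committed baseline files.

```python
"""Diff two 'npm audit --json' snapshots into a per-severity delta table.
Added example, not the PR's own code. Assumes the npm 7+ audit JSON shape:
a top-level 'vulnerabilities' map keyed by package name with a 'severity'
field, plus 'metadata.vulnerabilities' totals. The two snapshots below are
constructed samples, not the committed docs/security-baseline-*.json files."""
import json

SEVERITIES = ("critical", "high", "moderate", "low")

# Constructed "before" snapshot (four advisories).
BEFORE = json.loads("""{"vulnerabilities": {
  "protobufjs":   {"name": "protobufjs",   "severity": "critical", "isDirect": false},
  "jsonwebtoken": {"name": "jsonwebtoken", "severity": "high",     "isDirect": false},
  "minimist":     {"name": "minimist",     "severity": "moderate", "isDirect": false},
  "dot-prop":     {"name": "dot-prop",     "severity": "high",     "isDirect": true}},
 "metadata": {"vulnerabilities": {"critical": 1, "high": 2, "moderate": 1, "low": 0, "total": 4}}}""")

# Constructed "after" snapshot: two advisories resolved, one new low-severity one.
AFTER = json.loads("""{"vulnerabilities": {
  "minimist": {"name": "minimist", "severity": "moderate", "isDirect": false},
  "dot-prop": {"name": "dot-prop", "severity": "high",     "isDirect": true},
  "elliptic": {"name": "elliptic", "severity": "low",      "isDirect": true}},
 "metadata": {"vulnerabilities": {"critical": 0, "high": 1, "moderate": 1, "low": 1, "total": 3}}}""")

def counts(snapshot):
    """Recount severities from the advisory map and report any disagreement
    with the metadata block, so a hand-edited or truncated baseline is caught."""
    found = {s: 0 for s in SEVERITIES}
    for entry in snapshot["vulnerabilities"].values():
        if entry.get("severity") in found:
            found[entry["severity"]] += 1
    meta = snapshot.get("metadata", {}).get("vulnerabilities", {})
    return found, [s for s in SEVERITIES if meta.get(s, found[s]) != found[s]]

def delta_table(before, after):
    """Rows of (severity, before, after, delta), ending with a total row."""
    b, b_bad = counts(before)
    a, a_bad = counts(after)
    if b_bad or a_bad:
        raise ValueError(f"metadata disagrees with advisories: {b_bad or a_bad}")
    rows = [(s, b[s], a[s], a[s] - b[s]) for s in SEVERITIES]
    tb, ta = sum(b.values()), sum(a.values())
    return rows + [("total", tb, ta, ta - tb)]

def package_delta(before, after):
    """Advisories that disappeared (resolved) and that appeared (regressions)."""
    b, a = set(before["vulnerabilities"]), set(after["vulnerabilities"])
    return sorted(b - a), sorted(a - b)
```

Run against the two committed baseline files by replacing BEFORE and AFTER with json.load() of each file; the regression list from package_delta is the part worth gating on in CI, since a lockfile-only fix should never add advisories.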