Security Wave 1bis - pin dot-prop and elliptic exact versions#123
Merged
dev-mansonthomas merged 1 commit on May 15, 2026
Replace `>=` ranges with the exact currently-installed versions:

- dot-prop: `>=5.1.1` -> `9.0.0`
- elliptic: `>=6.5.3` -> `6.6.1`

The `>=` operator was the broadest allowed by npm and authorized any future major version without intervention. These two entries are historical resolution overrides (neither is imported from `src/`), so pinning them to the installed version is a no-op at runtime but removes a degree of freedom from the install plan and the supply-chain attack surface.

Build green, Karma 13/13 passing, audit count unchanged (147).

Note: elliptic remains flagged "low" in `npm audit` (Risky Implementation, advisory range `*`). The fix requires upgrading @angular-devkit/build-angular to v21, which is a breaking change deferred to the future Angular major upgrade.
Security Wave 1bis - pin permissive ranges
Side finding flagged during Wave 1 (#122). Two root-level entries in `package.json` used the `>=` operator, which is broader than `^` and authorizes any future major version. This PR pins them to their currently installed versions.
Changes

| Package  | Before     | After    |
|----------|------------|----------|
| dot-prop | `">=5.1.1"` | `"9.0.0"` |
| elliptic | `">=6.5.3"` | `"6.6.1"` |

Both entries are historical resolution overrides; neither is imported from `src/`. The change is therefore a runtime no-op but removes a degree of freedom from the install plan and from the supply-chain attack surface.
Verification

- `ng build --configuration dev`: green.
- `ng test --watch=false --browsers=ChromeHeadless`: 13/13 passing.
- `npm audit`: 147 vulns, unchanged vs. post-Wave 1 baseline.

Note on elliptic

`elliptic` remains flagged "low" by `npm audit` (advisory range `*`, "Risky Implementation"). The advertised fix requires `@angular-devkit/build-angular@21`, which is a breaking change deferred to the future Angular major upgrade. The pin in this PR does not address that CVE; it only addresses the install-plan looseness.
Rollback

Single trivial commit, revert with `git revert`.

Related

docs/security-audit-redquest.md
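The following is an added illustration, not code from this PR or from the project, of the point the description makes about `>=`: it models the npm range operators (`>=`, `>`, `^`, `~`, `*`, exact) with a minimal comparator, shows that a `>=` entry admits any future major while `^` and an exact pin do not, and walks `dependencies`, `devDependencies`, `overrides` and `resolutions` to report entries with no upper bound and to rewrite them to an installed version. The sample `package.json` object, the installed-version map, and the function names are all constructed for the example; the project's real manifest is not on this page, and no semver library is used, so pre-release tags and `||` ranges are out of scope.

```javascript
// Added example (not the PR's or the project's code): find version ranges
// with no upper bound in a package.json and pin them to installed versions.
// Assumptions: manifest is a plain object already parsed from JSON; only the
// operators >=, >, ^, ~, * and exact "MAJOR.MINOR.PATCH" are modelled.

// Operators that admit any future major version (no upper bound).
const PERMISSIVE = /^(>=|>|\*$|x$|latest$)/;

// Parse "MAJOR.MINOR.PATCH" into [major, minor, patch]; null if not plain.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// Lexicographic compare of two parsed versions: <0, 0, >0.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Minimal model of npm range semantics: does `v` satisfy `range`?
function satisfies(v, range) {
  const ver = parseVersion(v);
  if (!ver) return false;
  const r = range.trim();
  if (r === '*' || r === 'x' || r === '') return true;
  const op = /^(>=|>|\^|~)?(.*)$/.exec(r);
  const base = parseVersion(op[2]);
  if (!base) return false;
  switch (op[1]) {
    case '>=': return cmp(ver, base) >= 0;          // unbounded above
    case '>':  return cmp(ver, base) > 0;           // unbounded above
    case '^':  // same major (same minor when major is 0), not below base
      if (base[0] === 0) return ver[0] === 0 && ver[1] === base[1] && cmp(ver, base) >= 0;
      return ver[0] === base[0] && cmp(ver, base) >= 0;
    case '~':  return ver[0] === base[0] && ver[1] === base[1] && cmp(ver, base) >= 0;
    default:   return cmp(ver, base) === 0;         // exact pin
  }
}

// Report every string-valued range whose operator has no upper bound,
// including the override/resolution sections where such entries hide.
function findPermissiveRanges(pkg) {
  const sections = ['dependencies', 'devDependencies', 'overrides', 'resolutions'];
  const findings = [];
  for (const section of sections) {
    for (const [name, range] of Object.entries(pkg[section] || {})) {
      if (typeof range === 'string' && PERMISSIVE.test(range.trim())) {
        findings.push({ section, name, range });
      }
    }
  }
  return findings;
}

// Return a copy of the manifest with each permissive entry pinned to the
// exact version from `installed` (name -> version), when one is known.
function pinToInstalled(pkg, installed) {
  const out = JSON.parse(JSON.stringify(pkg));
  for (const f of findPermissiveRanges(pkg)) {
    if (installed[f.name]) out[f.section][f.name] = installed[f.name];
  }
  return out;
}

// Constructed sample manifest and installed versions (not the project's).
const SAMPLE_PKG = {
  name: 'sample-app',
  dependencies: { 'some-framework': '^17.0.0' },
  resolutions: { 'dot-prop': '>=5.1.1', elliptic: '>=6.5.3' },
};
const SAMPLE_INSTALLED = { 'dot-prop': '9.0.0', elliptic: '6.6.1' };

for (const f of findPermissiveRanges(SAMPLE_PKG)) {
  console.log(`${f.section}/${f.name}: "${f.range}" admits 99.0.0? ${satisfies('99.0.0', f.range)}`);
}
console.log(JSON.stringify(pinToInstalled(SAMPLE_PKG, SAMPLE_INSTALLED).resolutions));
```

Run with `node` on the file; the scan is the check worth keeping in CI, because `npm audit` reports known advisories, not range looseness, and an unbounded override only becomes visible when the next major is published.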