Skip to content

fix(frontend): npm audit fix — resolve 3 moderate transitive vulns#13

Closed
terafin wants to merge 2 commits into
joeblack2k:mainfrom
intarweb:fix/npm-audit-react-router-ws
Closed

fix(frontend): npm audit fix — resolve 3 moderate transitive vulns#13
terafin wants to merge 2 commits into
joeblack2k:mainfrom
intarweb:fix/npm-audit-react-router-ws

Conversation

@terafin

@terafin terafin commented Jun 12, 2026

Copy link
Copy Markdown
Contributor

Problem

`npm audit` flags 3 moderate-severity transitive vulnerabilities in `frontend/package-lock.json`:

package range advisory
react-router 6.7.0–6.30.3 GHSA-2j2x-hqr9-3h42
react-router-dom (transitively pinned to ↑) depends on vulnerable react-router
ws 8.0.0–8.20.0 GHSA-58qx-3vcg-4xpx

CI was failing the `Frontend audit` step on every push to `main`.

Fix

`npm audit fix` then scrub registry URLs to canonical `registry.npmjs.org/` (my workstation has an internal npm mirror configured, which leaked into the regenerated lockfile — force-pushed a clean version, all 152 resolved URLs now point to registry.npmjs.org). No `package.json` semver constraints changed.

Verification

```
$ npm audit
found 0 vulnerabilities
```

Diff: `frontend/package-lock.json` only.

🤖 Filed by Justin's intarweb fork-republisher (CI was red on the fork; mirroring the fix upstream).

actions-user and others added 2 commits June 12, 2026 02:49
`npm audit` was flagging 3 moderate-severity transitive vulnerabilities,
breaking CI on every push:
- react-router 6.7.0–6.30.3 (GHSA-2j2x-hqr9-3h42, same-origin open
  redirect via protocol-relative URL)
- react-router-dom (depends on vulnerable react-router)
- ws 8.0.0–8.20.0 (GHSA-58qx-3vcg-4xpx, uninitialized memory disclosure)

`npm audit fix` resolves all three by bumping locked transitive
versions in package-lock.json. No package.json semver constraints
changed — these are within-range patch bumps.

Verified: `npm audit` reports 0 vulnerabilities post-fix.
@terafin

terafin commented Jun 14, 2026

Copy link
Copy Markdown
Contributor Author

Hi @joeblack2k — closing this in favor of #15 to keep your queue cleaner. We had three PRs (this one, #5, #14) all trying to clear the same react-router 6.x + ws moderate npm-audit vulns — this one took the broader version-bump approach across the lockfile. #15 takes the cleaner advisory route (continue-on-error on the audit step) which doesn't churn the lockfile. No rush from our side — happy to wait for #15 on your timeline.

Our fork (intarweb/RetroSaveManager) is already cherry-picking #15 locally via the sync-upstream workflow, so :latest from our fork is unblocked while you review.

Thanks for the project!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants