chore(sec): remediate form-data/axios advisories in dev & fixture deps#260
- Drop @continuous-auth/client (npm OTP publish helper); we publish via OIDC. Remove its getOtp/--otp path from scripts/publish.mjs and scripts/x.mjs. It was the only root devDependency pulling vulnerable axios@1.6.2 -> form-data@4.0.2.
- Bump fixtures/pnpm axios 1.6.2 -> 1.16.0 and regenerate its lockfile so form-data resolves to 4.0.5 (>= 4.0.4 patch). Closes Dependabot #67 and #69.
- benches: make it a standalone workspace root with ignoreScripts so no dependency lifecycle script ever runs on install (deps are static resolver fixtures, never executed). Simplify the benchmark workflow accordingly.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: fb5704a01e
Pull request overview
This PR addresses Dependabot security advisories affecting form-data and axios that are introduced via dev tooling and fixture dependencies (not the published @rspack/resolver package). It removes the root devDependency chain that pulled vulnerable transitive deps, updates the fixtures/pnpm dependency set/lockfile to resolve patched versions, and adjusts benchmark installation behavior to avoid executing lifecycle scripts.
Changes:
- Remove `@continuous-auth/client` and drop the npm OTP publish flow from the repo's publish scripts.
- Bump `fixtures/pnpm` `axios` to `1.16.0` and regenerate the fixture lockfile so `form-data` resolves to `4.0.5`.
- Add a standalone `benches` pnpm workspace config and simplify the benchmark workflow's `pnpm install` step.
Reviewed changes
Copilot reviewed 6 out of 8 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| scripts/x.mjs | Removes the --otp publish CLI option. |
| scripts/publish.mjs | Removes OTP-based publishing logic and @continuous-auth/client usage. |
| package.json | Drops @continuous-auth/client from devDependencies. |
| pnpm-lock.yaml | Removes @continuous-auth/client; updates fixture-resolved axios/form-data transitive versions. |
| fixtures/pnpm/package.json | Bumps fixture axios to 1.16.0. |
| fixtures/pnpm/pnpm-lock.yaml | Regenerated fixture lockfile (v9) reflecting updated dependency graph and patched form-data. |
| benches/pnpm-workspace.yaml | Adds a benches-local pnpm workspace manifest intended to control install behavior. |
| .github/workflows/benchmark.yml | Simplifies benchmark dependency installation in CI. |
Files not reviewed (2)
- fixtures/pnpm/pnpm-lock.yaml: Language not supported
- pnpm-lock.yaml: Language not supported
cargo test resolve_test::axios hardcodes the pnpm virtual-store path, which contains the package version. The axios 1.6.2 -> 1.16.0 bump changed it to node_modules/.pnpm/axios@1.16.0/...; the resolved entry files are unchanged.
The setup hint in resolver.rs contradicted benches/pnpm-workspace.yaml, which requires a plain `pnpm install` (--ignore-workspace bypasses that config).
Resolve conflicts after #264 (js-yaml/mathjs/postcss bumps) landed on main:
- fixtures/pnpm/package.json: union of axios 1.16.0 (this PR) + postcss 8.5.10 + mathjs 15.2.0 (#264)
- tests/resolve_test.rs: keep both updated .pnpm paths (axios@1.16.0, mathjs@15.2.0)
- pnpm-lock.yaml: regenerated with pnpm 11.3.0; advisories patched, bindings importers preserved
- fixtures/pnpm/pnpm-lock.yaml: regenerated to v9 with patched versions
Why
Dependabot flags critical `form-data@4.0.2` (CVE GHSA-fjxv-7rqg-78g4, patched in 4.0.4) and a long tail of `axios@1.6.2` advisories. These only ever entered through dev tooling and a benchmark/test fixture — never the published `@rspack/resolver` package — but the alerts should be cleared.

Two entry points pulled vulnerable `form-data`:
- `pnpm-lock.yaml` (#69): `@continuous-auth/client` → `axios` → `form-data`
- `fixtures/pnpm/pnpm-lock.yaml` (#67): `axios@1.6.2` → `form-data`

What
- Drop `@continuous-auth/client`. It was an npm OTP publish helper; we publish via OIDC, so its `getOtp`/`--otp` path in `scripts/publish.mjs` + `scripts/x.mjs` is removed. This was the only root devDependency pulling `axios@1.6.2` → `form-data@4.0.2`.
- Bump `fixtures/pnpm` `axios` 1.6.2 → 1.16.0 and regenerate its lockfile so `form-data` resolves to `4.0.5`. The fixture's installed `node_modules` is workspace-managed and untouched.
- `benches`: assert no lifecycle script runs on install. `benches` is a standalone fixture project whose deps are only resolved as paths (the JS is never executed). Made it its own workspace root with `ignoreScripts: true`, so a plain `cd benches && pnpm install` (local or CI) runs no dependency postinstall — keeping the remaining known-vulnerable transitive deps inert. The benchmark workflow is simplified to match (no `--ignore-workspace`, which would bypass the config).

Closes Dependabot #67 and #69.
`benches/pnpm-lock.yaml` is intentionally left as-is.
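As an added example (not code from this PR or the rspack repo), a small lockfile check in the spirit of the `form-data` patch floor discussed above: it reads the `packages:` section of a pnpm v9 lockfile and flags any entry resolved below a required version, run here against a constructed before/after fixture lockfile. The `PATCH_FLOORS` map, the `findUnpatched` helper and the `axios` 1.16.0 floor are assumptions of the example, not advisory data from the page.

```javascript
// Added example (not part of this PR): scan the `packages:` block of a pnpm
// v9 lockfile and report any package resolved below its patch floor.
// Floors: form-data >= 4.0.4 (from the advisory); axios >= 1.16.0 is an assumed
// floor matching the fixture bump, not an advisory value.
const PATCH_FLOORS = { 'form-data': '4.0.4', axios: '1.16.0' };
// Numeric dotted-version compare (so 1.16.0 > 1.6.2, unlike string order);
// negative if a < b, 0 if equal, positive if a > b. Pre-release tags are dropped.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}
// Collect `name@version` keys from the top-level `packages:` section only, so the
// matching `snapshots:` keys are not double-counted (two-space indent; scoped names keep their @).
function lockfilePackages(lockText) {
  const found = [];
  let inPackages = false;
  for (const line of lockText.split('\n')) {
    if (/^\S/.test(line)) inPackages = line.startsWith('packages:');
    else if (inPackages) {
      const m = line.match(/^ {2}(@?[^@\s]+)@([^\s:]+):\s*$/);
      if (m) found.push({ name: m[1], version: m[2] });
    }
  }
  return found;
}
// Every lockfile entry below its floor; an empty array means the lockfile is clean.
function findUnpatched(lockText, floors = PATCH_FLOORS) {
  return lockfilePackages(lockText).filter(
    (p) => floors[p.name] && compareVersions(p.version, floors[p.name]) < 0,
  );
}
// Constructed sample: the fixture lockfile before the bump (integrity values are
// placeholders); LOCK_AFTER is the same text after the bump and should come back clean.
const LOCK_BEFORE = `lockfileVersion: '9.0'
packages:
  axios@1.6.2:
    resolution: {integrity: sha512-PLACEHOLDER}
  form-data@4.0.2:
    resolution: {integrity: sha512-PLACEHOLDER}
snapshots:
  axios@1.6.2:
    dependencies:
      form-data: 4.0.2
`;
const LOCK_AFTER = LOCK_BEFORE.replace(/1\.6\.2/g, '1.16.0').replace(/4\.0\.2/g, '4.0.5');
```

Running `findUnpatched` on a real lockfile in CI would catch a regression that reintroduces the vulnerable range before Dependabot reports it.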