
Security: 10 npm vulnerabilities detected in dependencies #37

@ruvnet

Summary

Running npm install @ruvector/gnn@0.1.19 reports 10 vulnerabilities (2 moderate, 8 high) in the dependency tree.

Vulnerability Details

High Severity (3)

axios <=0.30.1

  • Severity: High
  • Location: node_modules/axios
  • Issues:
  • Dependency Chain: wasm-pack > binary-install > axios

Moderate Severity (7)

body-parser 2.2.0

  • Severity: Moderate
  • Location: node_modules/body-parser
  • Issue: GHSA-wqch-xfxh-vrr4 - DoS when url encoding is used
  • Fix: npm audit fix

esbuild <=0.24.2

  • Severity: Moderate
  • Location: node_modules/vite/node_modules/esbuild
  • Issue: GHSA-67mh-4wv8-2f99 - Development server request vulnerability
  • Dependency Chain: vitest > vite-node > vite > esbuild

Recommended Actions

  1. Quick fix (non-breaking):

    npm audit fix
  2. Full fix (may include breaking changes):

    npm audit fix --force
  3. Manual updates needed:

    • Update axios to version >0.30.1 (requires updating wasm-pack)
    • Update vite and vitest to latest versions

Environment

  • Package: @ruvector/gnn@0.1.19
  • Node.js: v18+
  • Date: 2025-12-01

Notes

These vulnerabilities are in dev dependencies and build tools, not in the core @ruvector/gnn runtime package. The native NAPI-RS bindings themselves are not affected.
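One way to check the triage this issue does by hand (which findings are reachable only through devDependencies, which direct dependency pulls each one in, and which fixes are semver-major and therefore land in `npm audit fix --force` territory): the script below is an added example, not code from the @ruvector/gnn project. It runs over constructed fixtures shaped like `npm audit --json` (auditReportVersion 2) and package-lock.json v3 rather than real output; the package names, chains and the two GHSA ids come from the issue, the versions in `fixAvailable` are placeholders, and body-parser is deliberately left without the lockfile `dev` flag (unlike the issue's actual tree) so the production-path branch is exercised.

```javascript
// Classify `npm audit --json` findings: severity, chain back to the direct
// dependency that pulls the package in, dev-only reachability (package-lock
// marks entries reachable only from devDependencies with `dev: true`), and
// whether the available fix is a semver-major (breaking) upgrade.
// Both fixtures are CONSTRUCTED for this example; they mirror the shape of
// `npm audit --json` and package-lock.json v3, not real @ruvector/gnn output.

function vuln(name, severity, via, effects, isDirect, nodes, fixAvailable) {
  return { name, severity, via, effects, isDirect, nodes, fixAvailable };
}
// `fixAvailable` object with isSemVerMajor: the fix needs a major bump (placeholder version).
const MAJOR = (pkg) => ({ name: pkg, version: "0.0.0-placeholder", isSemVerMajor: true });

const AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    axios: vuln("axios", "high",
      [{ name: "axios", range: "<=0.30.1", severity: "high", title: "(advisory id not listed in the issue)" }],
      ["binary-install"], false, ["node_modules/axios"], MAJOR("wasm-pack")),
    "binary-install": vuln("binary-install", "high", ["axios"], ["wasm-pack"], false,
      ["node_modules/binary-install"], MAJOR("wasm-pack")),
    "wasm-pack": vuln("wasm-pack", "high", ["binary-install"], [], true,
      ["node_modules/wasm-pack"], MAJOR("wasm-pack")),
    "body-parser": vuln("body-parser", "moderate",
      [{ name: "body-parser", range: "2.2.0", severity: "moderate", title: "DoS when url encoding is used",
         url: "https://github.com/advisories/GHSA-wqch-xfxh-vrr4" }],
      [], true, ["node_modules/body-parser"], true), // `true` = non-breaking fix via `npm audit fix`
    esbuild: vuln("esbuild", "moderate",
      [{ name: "esbuild", range: "<=0.24.2", severity: "moderate", title: "Development server request vulnerability",
         url: "https://github.com/advisories/GHSA-67mh-4wv8-2f99" }],
      ["vite"], false, ["node_modules/vite/node_modules/esbuild"], MAJOR("vitest")),
    vite: vuln("vite", "moderate", ["esbuild"], ["vite-node"], false, ["node_modules/vite"], MAJOR("vitest")),
    "vite-node": vuln("vite-node", "moderate", ["vite"], ["vitest"], false, ["node_modules/vite-node"], MAJOR("vitest")),
    vitest: vuln("vitest", "moderate", ["vite-node"], [], true, ["node_modules/vitest"], MAJOR("vitest")),
  },
};

// package-lock v3 `packages` map. body-parser is left without `dev: true` on
// purpose (constructed, not the issue's real tree) to exercise the production path.
const LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/axios": { version: "0.30.1", dev: true },
    "node_modules/binary-install": { dev: true },
    "node_modules/wasm-pack": { dev: true },
    "node_modules/body-parser": { version: "2.2.0" },
    "node_modules/vite/node_modules/esbuild": { version: "0.24.2", dev: true },
    "node_modules/vite": { dev: true },
    "node_modules/vite-node": { dev: true },
    "node_modules/vitest": { dev: true },
  },
};

// Follow `effects` (the dependents npm also flags) upward until a direct
// dependency is reached; returns the chain root-first. `seen` guards cycles.
function chainToRoot(audit, name, seen = new Set()) {
  const v = audit.vulnerabilities[name];
  if (!v || seen.has(name) || v.isDirect || v.effects.length === 0) return [name];
  seen.add(name);
  return [...chainToRoot(audit, v.effects[0], seen), name];
}

// True only if every installed copy of the package is flagged dev-only.
function isDevOnly(lock, nodes) {
  return nodes.every((n) => lock.packages[n] !== undefined && lock.packages[n].dev === true);
}

// One row per package carrying its own advisories (object entries in `via`);
// packages flagged only because a child is vulnerable are folded into the chain.
function summarize(audit, lock) {
  return Object.values(audit.vulnerabilities)
    .filter((v) => v.via.some((x) => typeof x === "object"))
    .map((v) => ({
      name: v.name,
      severity: v.severity,
      chain: chainToRoot(audit, v.name).join(" > "),
      devOnly: isDevOnly(lock, v.nodes),
      breakingFix: typeof v.fixAvailable === "object" && v.fixAvailable.isSemVerMajor === true,
      advisories: v.via.filter((x) => typeof x === "object").map((x) => x.url || x.title),
    }));
}

function countBySeverity(rows) {
  return rows.reduce((acc, r) => ({ ...acc, [r.severity]: (acc[r.severity] || 0) + 1 }), {});
}

// Findings reachable from production code are the ones to treat as blocking.
function productionFindings(rows) {
  return rows.filter((r) => !r.devOnly).map((r) => r.name);
}

if (typeof require !== "undefined" && require.main === module) {
  const rows = summarize(AUDIT, LOCK);
  console.table(rows);
  console.log("by severity:", countBySeverity(rows));
  console.log("reachable from production deps:", productionFindings(rows));
  console.log("semver-major fixes (review before `npm audit fix --force`):",
    rows.filter((r) => r.breakingFix).map((r) => r.name));
}
```

Against a real project, replace the two fixtures with `JSON.parse` of `npm audit --json` output and of the repository's package-lock.json. The `devOnly` column is what backs a claim like the one in the Notes above, and the `breakingFix` rows are the ones `npm audit fix --force` would upgrade across a major version, so they deserve a look before that command is run.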

Labels

bug