Skip to content

chore(deps): resolve all open security alerts + fix flaky 6h CI hang#29

Merged
shreyaskarnik merged 1 commit into
mainfrom
chore/security-deps-sweep
Jul 7, 2026
Merged

chore(deps): resolve all open security alerts + fix flaky 6h CI hang#29
shreyaskarnik merged 1 commit into
mainfrom
chore/security-deps-sweep

Conversation

@shreyaskarnik

Copy link
Copy Markdown
Owner

What

Consolidates all 10 open Dependabot alerts into a single lockfile update, and fixes the flaky CI hang that was blocking every dependency PR.

Dependency bumps

Package → version Alert(s) Severity
ws 8.21.0 #40, #26 high / med
vitest 3.2.7 #29 critical
form-data 4.0.6 #38 high
vite 7.3.6 #36, #37 high / med
protobufjs 7.6.5 #35, #33 high / med
esbuild 0.28.1 #30 low
tar (example/) 7.5.19 #39 med

ws, form-data, vite, esbuild, protobufjs, and tar are transitive — pinned via npm overrides. protobufjs (via @google/genai + onnxruntime-web) had no Dependabot PR and needed a manual override.

CI fix

Every recent dependency PR hung for 6 hours on npx playwright install --with-deps chromium (an apt-get stall) — so npm test never ran, and each PR showed a false red X. Root cause was step 6, not the test suite.

  • Added DEBIAN_FRONTEND=noninteractive (job env) to prevent the apt prompt stall.
  • Added timeout-minutes (20 unit / 30 cross-browser / 30 publish) so a stalled install fails fast instead of burning the full 6h default budget.
  • Applied to both ci.yml and publish.yml.

Supersedes

Closes out the 5 open Dependabot PRs: #22, #25, #26, #27, #28.

Verification

npm run build + full suite pass locally: 649 tests, 58 files, ~4s.

Consolidates every open Dependabot alert into one lockfile update and
adds overrides for the transitive packages Dependabot could not bump.

Root (package.json overrides + vitest floor):
- ws        -> 8.21.0  (GHSA memory-exhaustion DoS; alerts #40, #26)
- form-data -> 4.0.6   (CRLF injection; alert #38)
- vite      -> 7.3.6   (fs.deny bypass + launch-editor NTLM; #36, #37)
- esbuild   -> 0.28.1  (dev-server arbitrary file read; alert #30)
- vitest    -> 3.2.7   (UI-server RCE, critical; alert #29)
- protobufjs-> 7.6.5   (Any-expansion DoS + prop shadowing; #35, #33)

example/ (override):
- tar       -> 7.5.19  (PAX header file smuggling; alert #39)

protobufjs is transitive via @google/genai + onnxruntime-web, so no
Dependabot PR covered it — pinned through an override instead.

CI hardening: past dependency PRs hung 6h on
`npx playwright install --with-deps chromium` (an apt-get stall) so
`npm test` never ran. Add DEBIAN_FRONTEND=noninteractive and
timeout-minutes so a stalled install fails fast instead of burning the
full 6h job budget. Applied to ci.yml and publish.yml.

Supersedes #22, #25, #26, #27, #28.

Verified: npm run build + full suite (649 tests) pass locally.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant