Skip to content

deps: clear all production CVEs via prod bumps + transitive overrides#3

Merged
jaschadub merged 1 commit into
masterfrom
deps/cve-audit-and-update
May 22, 2026
Merged

deps: clear all production CVEs via prod bumps + transitive overrides#3
jaschadub merged 1 commit into
masterfrom
deps/cve-audit-and-update

Conversation

@jaschadub
Copy link
Copy Markdown
Member

@jaschadub jaschadub commented May 22, 2026

Summary

Audits the entire dep tree, bumps direct production deps to clear known CVEs, and adds overrides for transitive deps that the build chain can't otherwise reach.

Production audit

  • Before: 5 moderate severity advisories (aws-sdk, fast-xml-parser, @google-cloud/storage, teeny-request, uuid)
  • After: 1 low severity (only the standing aws-sdk v2 EOL advisory, which requires a full SDK v3 migration to clear — see "Out of scope")

Total audit

  • Before: 108 vulnerabilities (15 low / 22 moderate / 42 high / 29 critical)
  • After: 55 vulnerabilities (14 low / 5 moderate / 10 high / 26 critical) — all in the dev-build chain (webpack 4, babel 6 via extract-loader, html-loader, webpack-dev-server, etc.). Zero of these reach the production runtime.

Direct production bumps

package from to reason
@google-cloud/storage ^6.2.3 ^7.16.0 clears CVE chain through fast-xml-parser / teeny-request
@sentry/node ^7.7.0 ^7.120.4 latest 7.x
aws-sdk ^2.1109.0 ^2.1693.0 latest 2.x (v3 deferred — see below)
body-parser ^1.20.0 ^1.20.3 qs CVE chain
convict ^6.2.4 ^6.2.5 latest 6.x
express ^4.17.3 ^4.21.2 path-to-regexp, qs ReDoS / DoS fixes
node-fetch ^2.6.7 ^2.7.0 stays on v2 (v3 is ESM-only)
redis ^3.1.1 ^3.1.2 stays on v3 to avoid v4 API break
redis-mock ^0.47.0 ^0.56.3 latest
ua-parser-js ^0.7.31 ^0.7.41 ReDoS fix

Overrides

Twenty force-bumps for transitive CVE-affected packages — each one a known advisory: braces, micromatch, picomatch, cross-spawn, fast-uri, fast-xml-parser, flatted, json5, lodash, minimatch, node-forge, qs, semver, serialize-javascript, tough-cookie, tar, uuid, validator, ws, dns-packet.

Out of scope (deliberately deferred)

  1. AWS SDK v2 → v3 migrationaws-sdk v2 reached end-of-support. The remaining moderate advisory is the EOL umbrella; clearing it requires replacing aws-sdk with @aws-sdk/client-s3 and rewriting server/storage/s3.js. Larger PR.
  2. Webpack 4 → 5 migration — the entire remaining audit surface (55 advisories, mostly critical/high in the babel 6 / extract-loader chain). Bumping webpack alone needs new versions of every loader (css-loader, file-loader, html-loader, extract-loader, copy-webpack-plugin, webpack-dev-server, webpack-cli, terser-webpack-plugin) plus config rewrite. Independent project.
  3. helmet 3 → 7+ — newer helmet has API changes for dynamic CSP directives (function(req) style is gone). Code change required in server/routes/index.js. Not a CVE; deferred.
  4. redis 3 → 4 — v4 has a different command/promise API. Would require server/storage/redis.js rewrite. Not a CVE.

Test plan

  • npm install succeeds (1782 packages, 0 errors)
  • npm audit --omit=dev shows only the aws-sdk EOL advisory
  • All 48 backend tests pass (mocha test/backend)
  • Server modules load without errors (require('./server/storage/s3.js'), gcs, auth, routes)
  • End-to-end smoke: upload + download via web client against real redis
  • Verify GCS storage path still works against a real bucket (API surface unchanged but worth confirming after v6 → v7)

@jaschadub
deps: bump prod packages and add overrides to clear CVEs
3665d1b 
Production direct deps:
- @google-cloud/storage 6 -> 7 (CVE-cleared transitive chain)
- @sentry/node 7.7 -> 7.120.4
- aws-sdk 2.1109 -> 2.1693 (latest v2; v3 migration noted below)
- body-parser 1.20.0 -> 1.20.3
- convict 6.2.4 -> 6.2.5
- express 4.17.3 -> 4.21.2 (path-to-regexp, qs CVE fixes)
- node-fetch 2.6.7 -> 2.7.0 (stays on v2; v3 is ESM-only)
- redis 3.1.1 -> 3.1.2 (stays on v3 to avoid v4 API break)
- redis-mock 0.47 -> 0.56.3
- ua-parser-js 0.7.31 -> 0.7.41 (ReDoS fix)

Overrides to force-bump CVE-affected transitive deps without
churning the build chain:
- braces, micromatch, picomatch (ReDoS)
- cross-spawn (ReDoS)
- fast-uri (path traversal / host confusion)
- fast-xml-parser 5.7+ (XMLBuilder injection)
- flatted (prototype pollution, recursion DoS)
- json5 (prototype pollution)
- lodash (prototype pollution, code injection)
- minimatch 9 (ReDoS)
- node-forge (multiple sig forgery and ASN.1 issues)
- qs (DoS)
- semver (ReDoS)
- serialize-javascript (RCE)
- tough-cookie (prototype pollution)
- tar (path traversal, symlink poisoning)
- uuid 11 (buffer bounds check)
- validator (URL bypass)
- ws (multiple)

Result: production npm audit drops from 5 moderate to 1 low
(the standing aws-sdk v2 EOL advisory, requires v3 migration to
fully clear).

Total npm audit: 108 -> 55 vulnerabilities. Remaining 55 are
entirely in the dev-build chain (webpack 4, babel 6 via
extract-loader, html-loader, etc.) and require a webpack 5
migration to fully clear -- not in scope for this PR.

Backend tests (48) still pass.
@jaschadub jaschadub merged commit 634dc7c into master May 22, 2026
@jaschadub jaschadub deleted the deps/cve-audit-and-update branch May 22, 2026 05:49
@jaschadub jaschadub mentioned this pull request May 22, 2026
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jaschadub