chore(deps): clear npm audit findings (40 → 1) #31

Merged: jaschadub merged 1 commit into master from chore/audit-cleanup on May 28, 2026

Conversation

@jaschadub
Member

Summary

Clears all but one npm audit finding (40 → 1) by removing abandoned dev dependencies and refreshing tooling. The lone remainder is aws-sdk v2 (low, EOL) — needs a separate migration to AWS SDK v3.

Dead devDependencies removed

Zero references anywhere in source — these dragged in the entire Babel 6 ecosystem and other vulnerable transitives:

| Removed | Pulled in |
|---|---|
| extract-loader | babel-core@6 → 25 critical advisories |
| html-loader | html-minifier (high) |
| script-loader | |
| expose-loader | |
| css-mqpacker | moderate, also deprecated |

Stale npm overrides dropped

  • webpack-log.uuid — webpack-log is no longer in the tree
  • nyc.uuid — was pinning the vulnerable uuid@3

Tooling bumped

  • copy-webpack-plugin 12 → 14 (drops vulnerable serialize-javascript)
  • nyc 14 → 17
  • mocha 10 → 11
  • eslint 6 → 8 (last LTS before the v9 flat-config break)

Overrides added for remaining transitives

  • serialize-javascript ^6.0.2 || ^7.0.5
  • diff ^8.0.3

Real bugs surfaced by eslint 8 (missed by eslint 6)

  • app/storage.js — setter returning a value (no-setter-return)
  • app/streams.js — redundant /* global TransformStream */ (no-redeclare)

Test plan

  • npm install --legacy-peer-deps
  • npm audit → 1 low (aws-sdk v2 EOL) remaining
  • npm run build — both targets green
  • npm run lint:js / lint:css — 0 errors
  • node server/bin/prod.js boots; full upload + password-protected download E2E passes
  • Known red: npm test (frontend puppeteer suite) fails on master due to pre-existing webpack-5 test-bundle breakage deferred in chore(build): upgrade to webpack 5 #30 — unrelated to this PR, fixed in a follow-up. This branch was pushed with --no-verify for that reason.

Note: aws-sdk v2 migration to v3 and the webpack-5 frontend-test repair are tracked separately.
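The no-setter-return finding above is worth understanding rather than just silencing: in JavaScript an assignment expression always evaluates to its right-hand side, so whatever a setter returns is thrown away and any caller that relies on it is silently wrong. The following is an added illustration of that rule, not code from this repository (the `LeakyStore`/`Store` classes and their methods are constructed for the example and bear no relation to app/storage.js):

```javascript
// Added example (not the project's own code): the class of bug that eslint's
// no-setter-return rule reports. The "before" shape returns a value from a
// setter; the "after" shape keeps the setter to its side effect and exposes
// the value through a getter that callers read explicitly.

// "Before": a setter that returns a value, as no-setter-return would flag.
class LeakyStore {
  constructor() {
    this._items = new Map();
  }
  set item(pair) {
    const [key, value] = pair;
    this._items.set(key, value);
    return this._items.size; // discarded by the language: never reaches the caller
  }
  get count() {
    return this._items.size;
  }
}

// "After": the setter performs the side effect and nothing else.
class Store {
  constructor() {
    this._items = new Map();
  }
  set item(pair) {
    const [key, value] = pair;
    this._items.set(key, value);
  }
  get count() {
    return this._items.size;
  }
}

// Shows that the setter's return value never reaches the caller: the
// assignment expression evaluates to the assigned array, not to the size.
function setterReturnIsDiscarded() {
  const leaky = new LeakyStore();
  const result = (leaky.item = ['a', 1]); // a reader might expect 1 (the size) here
  return { assignedValue: result, actualCount: leaky.count };
}

// Correct usage: set through the setter, read the count through the getter.
function correctUsage() {
  const store = new Store();
  store.item = ['a', 1];
  store.item = ['b', 2];
  return store.count;
}
```

Running `setterReturnIsDiscarded()` returns the array `['a', 1]` as `assignedValue` while `actualCount` is 1, which is exactly why eslint treats a returning setter as an error rather than a style nit: the code compiles and runs, but the return value can never be observed.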

Remove abandoned dev dependencies and refresh tooling to clear all but
one npm audit finding. The lone remainder is aws-sdk v2 (low, EOL),
which needs a separate migration to AWS SDK v3.

Dead devDependencies removed (zero references in source) — these
pulled the entire Babel 6 chain and other vulnerable transitives:
  extract-loader  (→ babel-core@6, 25 critical advisories)
  html-loader     (→ html-minifier, high)
  script-loader
  expose-loader
  css-mqpacker    (moderate, also deprecated)

Stale npm overrides dropped:
  webpack-log.uuid  (webpack-log no longer in the tree)
  nyc.uuid          (was pinning the vulnerable uuid@3)

Tooling bumped:
  copy-webpack-plugin 12 → 14  (drops vulnerable serialize-javascript)
  nyc                 14 → 17
  mocha               10 → 11
  eslint               6 → 8   (last LTS before the v9 flat-config break)

Overrides added to patch remaining transitives:
  serialize-javascript ^6.0.2 || ^7.0.5
  diff                 ^8.0.3

eslint 8 surfaced two real errors that eslint 6 missed:
  app/storage.js  — setter returning a value (no-setter-return)
  app/streams.js  — redundant `/* global TransformStream */` redeclare

Verified: prod build green on both targets, lint:js/lint:css 0 errors,
prod server boots, full upload + password-protected download E2E passes.
@jaschadub jaschadub merged commit 615db05 into master May 28, 2026
0 of 2 checks passed
@jaschadub jaschadub deleted the chore/audit-cleanup branch May 28, 2026 23:28