|
| 1 | +# Security Updates Summary |
| 2 | + |
| 3 | +This PR addresses critical security vulnerabilities in the Azure Static Web Apps CLI dependencies. |
| 4 | + |
| 5 | +## Vulnerabilities Fixed |
| 6 | + |
| 7 | +### Before: 21 vulnerabilities |
| 8 | + |
| 9 | +- 1 critical |
| 10 | +- 4 high |
| 11 | +- 11 moderate |
| 12 | +- 5 low |
| 13 | + |
| 14 | +### After: 9 vulnerabilities |
| 15 | + |
| 16 | +- 0 critical ✅ |
| 17 | +- 1 high |
| 18 | +- 7 moderate |
| 19 | +- 1 low |
| 20 | + |
| 21 | +## Updates Applied |
| 22 | + |
| 23 | +1. **cookie**: `^0.5.0` → `^0.7.0` |
| 24 | + |
| 25 | + - Fixed: CVE-2024-47764 - Critical vulnerability allowing injection of unexpected key-value pairs |
| 26 | + - This was the most critical security issue |
| 27 | + |
| 28 | +2. **vitest**: `^2.0.2` → `^2.1.9` |
| 29 | + |
| 30 | + - Fixed: Remote Code Execution vulnerability when accessing malicious websites while Vitest API server is listening |
| 31 | + - This was a critical vulnerability in the development dependencies |
| 32 | + |
| 33 | +3. **npm audit fix**: Automatically updated multiple dependencies including: |
| 34 | + - Various @babel packages |
| 35 | + - @octokit packages (fixed ReDoS vulnerabilities) |
| 36 | + - axios (fixed SSRF vulnerability) |
| 37 | + - nanoid (fixed predictable results vulnerability) |
| 38 | + - rollup (fixed DOM Clobbering XSS) |
| 39 | + - send/serve-static (fixed template injection XSS) |
| 40 | + - tar-fs (fixed path traversal vulnerabilities) |
| 41 | + - And many others |
| 42 | + |
| 43 | +## Remaining Vulnerabilities |
| 44 | + |
| 45 | +The remaining 9 vulnerabilities require major version updates that could introduce breaking changes: |
| 46 | + |
| 47 | +1. **cypress** (9.x → 14.x): Major update with significant API changes |
| 48 | +2. **esbuild/vite/vitest**: Would require updating to vitest 3.x |
| 49 | +3. **brace-expansion & cross-spawn**: Bundled with npm itself |
| 50 | + |
| 51 | +These should be addressed in separate PRs with thorough testing. |
| 52 | + |
| 53 | +## Testing |
| 54 | + |
| 55 | +- ✅ All unit tests pass |
| 56 | +- ✅ Build completes successfully |
| 57 | +- ✅ No breaking changes introduced |
| 58 | + |
| 59 | +## Impact |
| 60 | + |
| 61 | +This update significantly improves the security posture of the project by: |
| 62 | + |
| 63 | +- Eliminating all critical vulnerabilities |
| 64 | +- Reducing high-severity vulnerabilities from 4 to 1 |
| 65 | +- Reducing overall vulnerabilities by 57% (from 21 to 9) |
0 commit comments