Skip to content

chore(deps): resolve npm audit advisories (js-yaml DoS, @babel/core file read)#51

Open
dmchaledev wants to merge 1 commit into
mainfrom
claude/amazing-franklin-0iqg2o
Open

chore(deps): resolve npm audit advisories (js-yaml DoS, @babel/core file read)#51
dmchaledev wants to merge 1 commit into
mainfrom
claude/amazing-franklin-0iqg2o

Conversation

@dmchaledev

Copy link
Copy Markdown
Contributor

Summary

npm audit on main currently reports 2 vulnerabilities (1 low, 1 moderate) in the dependency tree — a slightly awkward state for a package whose whole job is flagging security issues. This PR clears both by updating the affected transitive dev dependencies in package-lock.json.

# before  →  after
$ npm audit
2 vulnerabilities (1 low, 1 moderate)   →   found 0 vulnerabilities

What changed

Lockfile-only update (all bumps stay within the existing semver ranges in package.json, so package.json is untouched):

Package Path Before → After Advisory
js-yaml node_modules/js-yaml 4.1.1 → 4.3.0 GHSA-h67p-54hq-rp68 — quadratic-complexity DoS in merge-key handling
js-yaml @istanbuljs/load-nyc-config/node_modules/js-yaml 3.14.2 → 3.15.0 GHSA-h67p-54hq-rp68 (same)
@babel/core node_modules/@babel/core 7.29.0 → 7.29.7 GHSA-4x5r-pxfx-6jf8 — arbitrary file read via sourceMappingURL comment

Produced by npm audit fix (no --force), which touched 23 transitive packages in total.

Impact / risk

  • No runtime impact. All three are dev-only transitive deps (pulled in via jest / ts-jest / babel). The published package ships with zero runtime dependencies (dist, README, LICENSE only), so end users were never exposed — but the dev/CI toolchain was, and reproducible npm ci installs picked up the advisories.
  • No API or behavior change. Source, rules, scorer, and report shape are unchanged.

Verification

  • npm audit0 vulnerabilities
  • npm ci → validates cleanly against the updated lockfile
  • npm run typecheck ✓ · npm run lint (0 warnings) ✓ · npm test118 passed, 5 suites ✓ · npm run build

Why this isn't a duplicate

The open backlog (issues #11/#19/#26/#27/#39/#47/#48 and the 30+ open PRs) is entirely about scanner rules, secret detection, CLI, SARIF, and docs — none touch the dependency tree or package-lock.json. This closes a distinct, orthogonal gap.

🤖 Generated with Claude Code

https://claude.ai/code/session_01KnNDLWK4XDB9xyC8ur4Kxb


Generated by Claude Code

Updates transitive dev dependencies in package-lock.json to clear the two
advisories reported by `npm audit` (both dev/transitive, no runtime impact —
the published package has zero runtime dependencies):

- js-yaml 4.1.1 -> 4.3.0 and 3.14.2 -> 3.15.0
  GHSA-h67p-54hq-rp68: quadratic-complexity DoS in merge-key handling
- @babel/core 7.29.0 -> 7.29.7
  GHSA-4x5r-pxfx-6jf8: arbitrary file read via sourceMappingURL comment

Lockfile-only change (package.json unchanged); all bumps stay within the
existing semver ranges. `npm audit` now reports 0 vulnerabilities. typecheck,
lint, 118 tests, and build all pass; `npm ci` validates against the lockfile.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01KnNDLWK4XDB9xyC8ur4Kxb
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants