chore(deps): resolve npm audit advisories (js-yaml DoS, @babel/core file read)#51
Open
dmchaledev wants to merge 1 commit into
Open
chore(deps): resolve npm audit advisories (js-yaml DoS, @babel/core file read)#51dmchaledev wants to merge 1 commit into
dmchaledev wants to merge 1 commit into
Conversation
Updates transitive dev dependencies in package-lock.json to clear the two advisories reported by `npm audit` (both dev/transitive, no runtime impact — the published package has zero runtime dependencies): - js-yaml 4.1.1 -> 4.3.0 and 3.14.2 -> 3.15.0 GHSA-h67p-54hq-rp68: quadratic-complexity DoS in merge-key handling - @babel/core 7.29.0 -> 7.29.7 GHSA-4x5r-pxfx-6jf8: arbitrary file read via sourceMappingURL comment Lockfile-only change (package.json unchanged); all bumps stay within the existing semver ranges. `npm audit` now reports 0 vulnerabilities. typecheck, lint, 118 tests, and build all pass; `npm ci` validates against the lockfile. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01KnNDLWK4XDB9xyC8ur4Kxb
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
npm auditonmaincurrently reports 2 vulnerabilities (1 low, 1 moderate) in the dependency tree — a slightly awkward state for a package whose whole job is flagging security issues. This PR clears both by updating the affected transitive dev dependencies inpackage-lock.json.What changed
Lockfile-only update (all bumps stay within the existing semver ranges in
package.json, sopackage.jsonis untouched):js-yamlnode_modules/js-yamljs-yaml@istanbuljs/load-nyc-config/node_modules/js-yaml@babel/corenode_modules/@babel/coresourceMappingURLcommentProduced by
npm audit fix(no--force), which touched 23 transitive packages in total.Impact / risk
jest/ts-jest/ babel). The published package ships with zero runtime dependencies (dist,README,LICENSEonly), so end users were never exposed — but the dev/CI toolchain was, and reproduciblenpm ciinstalls picked up the advisories.Verification
npm audit→ 0 vulnerabilitiesnpm ci→ validates cleanly against the updated lockfilenpm run typecheck✓ ·npm run lint(0 warnings) ✓ ·npm test→ 118 passed, 5 suites ✓ ·npm run build✓Why this isn't a duplicate
The open backlog (issues #11/#19/#26/#27/#39/#47/#48 and the 30+ open PRs) is entirely about scanner rules, secret detection, CLI, SARIF, and docs — none touch the dependency tree or
package-lock.json. This closes a distinct, orthogonal gap.🤖 Generated with Claude Code
https://claude.ai/code/session_01KnNDLWK4XDB9xyC8ur4Kxb
Generated by Claude Code