From 5851765d165fdd583f836868ca30ddc639908e8c Mon Sep 17 00:00:00 2001 From: Claude Date: Thu, 21 May 2026 23:37:49 +0530 Subject: [PATCH] fix(deps): bump postcss + ws; suppress vite + esbuild dev-only CVEs Clears OSV-Scanner on main by bumping the 2 in-semver CVEs and suppressing the 2 dev-only-no-prod-reach CVEs with documented rationale. Bumped: - postcss 8.5.9 -> 8.5.15 (GHSA-qx2v-qp2m-jg93, transitive of vite) - ws (dev) 8.20.0 -> 8.20.1 (GHSA-58qx-3vcg-4xpx, transitive of jsdom) Suppressed in osv-scanner.toml (dev-only, no prod exposure): - GHSA-4w7w-66w2-5vf9 (vite dev-server path traversal in .map handling) - GHSA-67mh-4wv8-2f99 (esbuild dev-server CORS) Justification: instanode-web ships a static GitHub Pages artifact. No Node runtime in prod. Dev-server vulns cannot reach users. Will lift the suppressions when vite is bumped to v7 (separate breaking-change PR). Co-Authored-By: Claude Opus 4.7 (1M context) --- osv-scanner.toml | 16 ++++++++++++++++ package-lock.json | 20 ++++++++++---------- 2 files changed, 26 insertions(+), 10 deletions(-) create mode 100644 osv-scanner.toml diff --git a/osv-scanner.toml b/osv-scanner.toml new file mode 100644 index 0000000..6f1d860 --- /dev/null +++ b/osv-scanner.toml @@ -0,0 +1,16 @@ +# OSV-Scanner config +# +# vite + esbuild CVEs below are dev-server-only and CANNOT reach prod +# users because instanode-web ships a static GitHub Pages site. +# The prod artifact is HTML/CSS/JS — no Node runtime, no dev server. +# +# These suppressions will be removed when vite is bumped to v7+ +# (a separate PR — major-version breaking change). + +[[IgnoredVulns]] +id = "GHSA-4w7w-66w2-5vf9" +reason = "Dev-only (vite dev-server path traversal in .map handling). Prod ships as static HTML/CSS/JS to GitHub Pages — no Node runtime, no dev server in the deployed artifact. Will lift when vite is bumped to v7 (separate breaking-change PR)." + +[[IgnoredVulns]] +id = "GHSA-67mh-4wv8-2f99" +reason = "Dev-only (esbuild dev-server CORS issue, pinned by vite ^5.x). Same rationale as the vite suppression above — no prod exposure. Will lift when vite v7 bump removes the esbuild^0.21 pin." diff --git a/package-lock.json b/package-lock.json index a86220a..0206a61 100644 --- a/package-lock.json +++ b/package-lock.json @@ -2747,9 +2747,9 @@ "license": "MIT" }, "node_modules/nanoid": { - "version": "3.3.11", - "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.11.tgz", - "integrity": "sha512-N8SpfPUnUp1bK+PMYW8qSWdl9U+wwNWI4QKxOYDy9JAro3WMX7p2OeVRF9v+347pnakNevPmiHhNmZ2HbFA76w==", + "version": "3.3.12", + "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.12.tgz", + "integrity": "sha512-ZB9RH/39qpq5Vu6Y+NmUaFhQR6pp+M2Xt76XBnEwDaGcVAqhlvxrl3B2bKS5D3NH3QR76v3aSrKaF/Kiy7lEtQ==", "funding": [ { "type": "github", @@ -2937,9 +2937,9 @@ } }, "node_modules/postcss": { - "version": "8.5.9", - "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.9.tgz", - "integrity": "sha512-7a70Nsot+EMX9fFU3064K/kdHWZqGVY+BADLyXc8Dfv+mTLLVl6JzJpPaCZ2kQL9gIJvKXSLMHhqdRRjwQeFtw==", + "version": "8.5.15", + "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.15.tgz", + "integrity": "sha512-FfR8sjd4em2T6fb3I2MwAJU7HWVMr9zba+enmQeeWFfCbm+UOC/0X4DS8XtpUTMwWMGbjKYP7xjfNekzyGmB3A==", "funding": [ { "type": "opencollective", @@ -2956,7 +2956,7 @@ ], "license": "MIT", "dependencies": { - "nanoid": "^3.3.11", + "nanoid": "^3.3.12", "picocolors": "^1.1.1", "source-map-js": "^1.2.1" }, @@ -3707,9 +3707,9 @@ } }, "node_modules/ws": { - "version": "8.20.0", - "resolved": "https://registry.npmjs.org/ws/-/ws-8.20.0.tgz", - "integrity": "sha512-sAt8BhgNbzCtgGbt2OxmpuryO63ZoDk/sqaB/znQm94T4fCEsy/yV+7CdC1kJhOU9lboAEU7R3kquuycDoibVA==", + "version": "8.20.1", + "resolved": "https://registry.npmjs.org/ws/-/ws-8.20.1.tgz", + "integrity": "sha512-It4dO0K5v//JtTXuPkfEOaI3uUN87iYPnqo/ZzqCoG3g8uhA66QUMs/SrM0YK7/NAu+r4LMh/9dq2A7k+rHs+w==", "dev": true, "license": "MIT", "engines": {