chore(deps): resolve npm audit findings without next 9.x downgrade (closes #22)#38
Open
FUKI618 wants to merge 1 commit into
Conversation
…rade

Fixes the underlying issue reported in JCodesMore#22 — npm audit fix on the current main was attempting to "fix" the postcss XSS by downgrading next to 9.3.3, which is a major-major regression (next 9 ↔ next 16 have completely different APIs and break the entire scaffold).

This commit takes the surgical path:

- next: 16.2.1 → 16.2.4 (in-major patch bump). Resolves the path-to-regexp HIGH ReDoS via the dependency chain — npm audit fix recommends this as a non-breaking step.
- Add an npm overrides entry pinning postcss to ^8.5.10. This forces the transitive postcss (used by next's CSS pipeline) to a non-vulnerable version without touching next's major. The override is the documented workaround when a transitive dep has a fix available but the parent hasn't published a release pulling it in yet (https://docs.npmjs.com/cli/v10/configuring-npm/package-json#overrides).

After this change:

    $ npm ls next
    └── next@16.2.4

    $ npm audit
    found 0 vulnerabilities

    $ npm run check
    ✓ lint + typecheck + build all clean

No code or documentation changes — purely a dependency hygiene fix.

Closes JCodesMore#22.
Hi! Thanks for the great template 🙌. This PR addresses the issue reported in #22 where `npm audit fix` on the current `main` tries to "fix" the remaining moderate-severity postcss finding by downgrading `next` to `9.3.3` — which is a major-major regression (next 9 and next 16 have entirely different APIs and break the scaffold).

What this PR does

Two surgical changes to `package.json`, no code/doc changes:

- `next` 16.2.1 → 16.2.4 — non-breaking patch bump within the same major. Resolves the `path-to-regexp` HIGH-severity ReDoS finding (this is what `npm audit fix` recommends as the non-breaking step).
- New `overrides` entry pinning `postcss` to `^8.5.10` — forces the transitive postcss (used by next's CSS pipeline) to a non-vulnerable version without touching next's major. This is the documented npm workaround when a transitive dep has a fix available but the parent hasn't published a release pulling it in yet.

Verification

After this change, on a clean install (`rm -rf node_modules package-lock.json && npm install`):

Why I'm sending this
I'm running a downstream fork of this template (FUKI618/ai-website-design-study-template) and hit the same issue. Once we landed this fix in our fork it solved the problem cleanly without disturbing anything else, so I figured upstream users would benefit too. Happy to adjust the patch if you'd prefer a different shape.
Closes #22.
— FUKI618