Skip to content

chore(deps): patch ws and form-data advisories in approuter#41

Merged
jung-thomas merged 1 commit into
mainfrom
chore/approuter-security-updates
Jun 26, 2026
Merged

chore(deps): patch ws and form-data advisories in approuter#41
jung-thomas merged 1 commit into
mainfrom
chore/approuter-security-updates

Conversation

@jung-thomas

Copy link
Copy Markdown
Contributor

Summary

Closes two open Dependabot alerts in solution/MyHANAApp/app/router/ — follow-up to #40.

# Severity Package Before After How
#193 high form-data 4.0.5 4.0.6 Lockfile regen
#194 high ws 7.5.10 7.5.11 overrides

Why two different fixes

form-data — lockfile was stale

The manifest already said @sap/approuter: ^22.0.1 (bumped by #37) but the lockfile was still pinning 21.5.0 — the bump never got reinstalled. Regenerating package-lock.json resolves @sap/approuter to 22.0.3 (latest, 8 days old), which transitively pulls axios 1.16.1form-data 4.0.6. No manifest change needed for this one.

ws — needs an explicit override

@sap/approuter@22.0.3 declares an exact pin "ws": "7.5.10" (not a caret range). The advisory's fixed version is 7.5.11. Even the latest SAP release hasn't bumped the pin, so npm cannot bring in 7.5.11 transparently. Solution: an npm overrides entry that forces ws@^7.5.11 for this lockfile.

"overrides": { "ws": "^7.5.11" }

7.5.11 is a patch on the same minor line as the pinned 7.5.10 (one commit in the upstream changelog, the GHSA-96hv-2xvq-fx4p mitigation), so the regression risk is very small. This is a temporary workaround until SAP bumps the pin in a future @sap/approuter release — worth filing an issue with SAP to nudge that along.

Verification

  • cd solution/MyHANAApp/app/router && npm installfound 0 vulnerabilities
  • Resolved versions:
    @sap/approuter@22.0.3
    ├─┬ axios@1.16.1
    │ └── form-data@4.0.6
    └── ws@7.5.11
    
  • node -e "require('@sap/approuter')" loads cleanly (no module-resolution errors with the override applied)

Resolves two open Dependabot alerts:
- #193 form-data <4.0.6 CRLF injection (high) -> form-data 4.0.6
- #194 ws <7.5.11 memory-exhaustion DoS    (high) -> ws 7.5.11

How:
- Lockfile in app/router/ was stale at @sap/approuter 21.5.0 even
  though PR #37 had already bumped the manifest to ^22.0.1.
  Regenerated it; npm resolves to @sap/approuter 22.0.3 (latest),
  which pulls axios 1.16.1 -> form-data 4.0.6. Closes #193.
- @sap/approuter 22.0.3 still pins ws: '7.5.10' exactly, so a
  lockfile-only fix can't reach 7.5.11. Added an npm 'overrides'
  entry to force ws ^7.5.11. Closes #194.

The override is a workaround until SAP bumps the ws pin in a future
@sap/approuter release. ws 7.5.11 is a patch over 7.5.10 (same minor
line), so the risk of regression is low; the approuter module still
loads cleanly with the override applied.

Verified: npm audit in app/router/ reports 0 vulnerabilities;
node -e "require('@sap/approuter')" loads without errors.
@jung-thomas jung-thomas requested a review from rich-heilman June 26, 2026 16:19
@jung-thomas jung-thomas merged commit b3daa04 into main Jun 26, 2026
1 check passed
@jung-thomas jung-thomas deleted the chore/approuter-security-updates branch June 26, 2026 16:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants