| 1 | +# Security Audit: plugins-client-sdk |
| 2 | + |
| 3 | +Repository: `@staffbase/plugins-client-sdk` (v3.0.0-alpha.4) |
| 4 | +Package manager: Yarn Classic 1.22.19 (`yarn audit`; repo has no pnpm lockfile) |
| 5 | +Date: 2026-06-10 |
| 6 | + |
| 7 | +## Summary |
| 8 | + |
| 9 | +| Severity | Before | After | |
| 10 | +|----------|--------|-------| |
| 11 | +| Critical | 0 | 0 | |
| 12 | +| High | 4 | 0 | |
| 13 | +| Moderate | 36 | 0 | |
| 14 | +| Low | 14 | 0 | |
| 15 | +| **Total**| **54** | **0** | |
| 16 | + |
| 17 | +12 unique advisories, all in **devDependencies** (build, test and docs tooling), all transitive. |
| 18 | +Runtime dependencies (`loglevel`, `object.entries-ponyfill`) had no advisories. |
| 19 | +The published package ships only `dist/` (pre-built), so none of these reach SDK consumers. |
| 20 | +All issues were resolved by pinning patched versions via Yarn `resolutions`. |
| 21 | + |
| 22 | +## Resolution |
| 23 | + |
| 24 | +Added to the `resolutions` block in `package.json`: |
| 25 | + |
| 26 | +```json |
| 27 | +"@babel/plugin-transform-modules-systemjs": "^7.29.4", |
| 28 | +"serialize-javascript": "^7.0.5", |
| 29 | +"underscore": "^1.13.8", |
| 30 | +"eslint/ajv": "^6.14.0", |
| 31 | +"@eslint/eslintrc/ajv": "^6.14.0", |
| 32 | +"brace-expansion": "^2.0.3", |
| 33 | +"js-yaml": "^4.1.1", |
| 34 | +"markdown-it": "^14.1.1", |
| 35 | +"ws": "^8.20.1", |
| 36 | +"esbuild": "^0.25.0", |
| 37 | +"@tootallnate/once": "^2.0.1" |
| 38 | +``` |
| 39 | + |
| 40 | +## Per-advisory decisions (all = RESOLVED) |
| 41 | + |
| 42 | +| Pkg | Sev | Advisory | Path | Patched | Decision | |
| 43 | +|-----|-----|----------|------|---------|----------| |
| 44 | +| @babel/plugin-transform-modules-systemjs | High | GHSA-fv7c-fp4j-7gwp (CVE-2026-44728) arbitrary code on malicious input | @babel/preset-env | 7.29.4 | Resolved (resolution) | |
| 45 | +| serialize-javascript | High | GHSA-5c6j-r48x-rmvq RCE via RegExp.flags | @rollup/plugin-terser | 7.0.5 | Resolved (resolution) | |
| 46 | +| serialize-javascript | Mod | GHSA-qj8w-gfj5-8c6v (CVE-2026-34043) CPU exhaustion DoS | @rollup/plugin-terser | 7.0.5 | Resolved (same bump) | |
| 47 | +| underscore | High | GHSA-qpx9-hpmf-5gmw (CVE-2026-27601) unbounded recursion DoS | jsdoc | 1.13.8 | Resolved (resolution) | |
| 48 | +| ajv | Mod | GHSA-2g4f-4pwh-qvx6 (CVE-2025-69873) ReDoS via `$data` | eslint | 6.14.0 | Resolved (scoped resolution on eslint/eslintrc only; commitlint keeps ajv v8 to avoid the addKeyword API break) | |
| 49 | +| brace-expansion | Mod | GHSA-f886-m6hf-6m8v (CVE-2026-33750) zero-step sequence hang | minimatch/glob | 2.0.3 | Resolved (resolution) | |
| 50 | +| brace-expansion | Low | GHSA-v6h2-p8h4-qcjw (CVE-2025-5889) ReDoS | minimatch/glob | 2.0.3 | Resolved (same bump) | |
| 51 | +| js-yaml | Mod | GHSA-mh29-5h37-fv8m (CVE-2025-64718) prototype pollution in merge | eslint, commitlint | 4.1.1 | Resolved (resolution) | |
| 52 | +| markdown-it | Mod | GHSA-38c4-r59v-3vqw (CVE-2026-2327) ReDoS | jsdoc | 14.1.1 | Resolved (resolution) | |
| 53 | +| ws | Mod | GHSA-58qx-3vcg-4xpx (CVE-2026-45736) uninitialized memory disclosure | jest-environment-jsdom/jsdom | 8.20.1 | Resolved (resolution) | |
| 54 | +| esbuild | Mod | GHSA-67mh-4wv8-2f99 dev server SSRF/CORS | @size-limit/esbuild | 0.25.0 | Resolved (resolution); size-limit verified working | |
| 55 | +| @tootallnate/once | Low | GHSA-vpq2-c234-7xj6 (CVE-2026-3449) incorrect control flow | jsdom/http-proxy-agent | 2.0.1 | Resolved (2.0.0 -> 2.0.1 patch) | |
| 56 | + |
| 57 | +## Verification |
| 58 | + |
| 59 | +After applying resolutions and reinstalling: |
| 60 | + |
| 61 | +- `yarn audit` -> 0 vulnerabilities (all severities) |
| 62 | +- `yarn lint` (eslint + size-limit) -> pass; bundle 6.88 kB / 8 kB limit |
| 63 | +- `yarn test-unit` -> 52 passed, 6 suites |
| 64 | +- `yarn build` -> all 4 dist bundles produced |
| 65 | + |
| 66 | +Changed files: `package.json`, `yarn.lock`. |
| 67 | + |
| 68 | +## Notes |
| 69 | + |
| 70 | +- The esbuild bump (0.24 -> 0.25) is a minor-version major-ish jump for that tool; confirmed |
| 71 | + safe because `size-limit` (its only consumer here) runs cleanly. |
| 72 | +- All findings were dev-only and never bundled into `dist/`, so consumer-facing risk was already |
| 73 | + nil; the resolutions keep the dev/CI toolchain clean going forward. |
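Review bot: The Summary's "none of these reach SDK consumers" and the Notes' "consumer-facing risk was already nil" overstate the case for the two build-time findings in the table: @babel/plugin-transform-modules-systemjs (arbitrary code on malicious input) and serialize-javascript (RCE via RegExp.flags, pulled in by @rollup/plugin-terser) run during `yarn build` over the project's own sources, so exploitability was low because the inputs are first-party, but a compromised build or CI host is exactly the path by which `dist/` (which consumers do receive) could be altered. Suggest wording it as "low" rather than "nil" and naming the build host as the affected asset, e.g. "Build-time tooling processes only first-party source, so consumer exposure is limited to the integrity of the published `dist/`." It would also help to add one sentence to Notes saying that the `resolutions` entries must be re-checked whenever the parent devDependencies (eslint, jsdoc, jest, @rollup/plugin-terser, @size-limit/esbuild) are bumped, since a forgotten pin can hold a transitive package below what a newer parent requires, and that the esbuild `^0.25.0` pin only admits 0.25.x because of 0.x caret semantics.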