
chore: fix undici and @babel/core security vulnerabilities #193

Open

andrerfneves wants to merge 1 commit into main from maintenance/fix-npm-audit-vulnerabilities-20260618


Conversation

@andrerfneves

Owner

Summary

Runs npm audit fix to patch 2 security advisories in transitive dependencies. No breaking changes — only package-lock.json is modified, no source code changes.

Vulnerabilities Fixed

High severity: undici 7.26.0 → 7.28.0

  • GHSA-vmh5-mc38-953g: TLS certificate validation bypass via dropped requestTls in SOCKS5 ProxyAgent
  • GHSA-pr7r-676h-xcf6: Cross-user information disclosure via shared cache whitespace bypass

Moderate severity: @babel/core 7.29.0 → 7.29.7 (+ 16 related @babel/* packages)

Remaining Advisories (not addressed in this PR)

The following vulnerabilities require --force and/or would introduce breaking changes:

| Package | Severity | Issue | Reason not fixed |
| --- | --- | --- | --- |
| elliptic (via secp256k1) | High | Risky cryptographic primitive (GHSA-848j-6mx2-7j84) | npm audit fix --force would install secp256k1@1.1.6, a breaking change |
| uuid (via @storybook/addon-essentials) | Moderate | Missing buffer bounds check (GHSA-w5hq-g745-h8pq) | npm audit fix --force would downgrade Storybook to v7, a breaking change |

Test Plan

  • All 52 existing tests pass
  • Production build succeeds
  • npm audit confirms undici and @babel/core advisories are resolved
  • No source code changes — only package-lock.json updated

Updates the following transitive dependencies via npm audit fix:
- undici 7.26.0 -> 7.28.0 (high severity: TLS certificate validation
  bypass via dropped requestTls in SOCKS5 ProxyAgent, and cross-user
  info disclosure via shared cache whitespace bypass)
- @babel/core 7.29.0 -> 7.29.7 + related @babel/* packages (moderate:
  arbitrary file read via sourceMappingURL comment)

All 52 tests pass and production build succeeds.

Fixes advisories:
- GHSA-vmh5-mc38-953g
- GHSA-pr7r-676h-xcf6
- GHSA-4x5r-pxfx-6jf8
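
The test-plan step "npm audit confirms undici and @babel/core advisories are resolved" and the decision not to force semver-major fixes can be checked mechanically. The following is an added example (not code from this PR or the project) that gates on the JSON report of npm audit --json; it assumes npm's auditReportVersion 2 shape (vulnerabilities keyed by package, each via entry carrying the advisory url, and fixAvailable being true, false or an object with isSemVerMajor), and the sample report, version strings and helper names are constructed here.

```javascript
// Added example, not part of the PR. Assumed report shape: npm audit --json,
// auditReportVersion 2 (npm >= 7). Passes only when every targeted GHSA id is
// gone and anything left would need `--force` (semver-major) or has no fix.
const GHSA_RE = /GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}/;

// Flatten the report into one record per advisory with its fix status.
function advisories(report) {
  const out = [];
  for (const [pkg, v] of Object.entries(report.vulnerabilities || {})) {
    for (const via of v.via || []) {
      if (typeof via !== "object" || via === null) continue; // string = dependency pointer, not an advisory
      const m = GHSA_RE.exec(via.url || "");
      if (!m) continue;
      const fix = v.fixAvailable;
      out.push({ id: m[0], pkg, severity: via.severity,
        majorOnly: typeof fix === "object" && fix !== null && fix.isSemVerMajor === true,
        noFix: fix === false });
    }
  }
  return out;
}

// ok: targeted ids absent, and every remaining advisory is a tracked exception
// (breaking fix only, or no fix) rather than something npm audit fix could patch.
function auditGate(report, mustBeFixed) {
  const present = advisories(report);
  const ids = new Set(present.map((a) => a.id));
  const unresolved = mustBeFixed.filter((id) => ids.has(id));
  const unexpected = present.filter((a) => !a.majorOnly && !a.noFix);
  return { ok: unresolved.length === 0 && unexpected.length === 0, unresolved,
    needsMajorBump: present.filter((a) => a.majorOnly).map((a) => `${a.pkg}: ${a.id}`),
    unexpected: unexpected.map((a) => `${a.pkg}: ${a.id}`) };
}

// Constructed sample for the post-fix state the PR describes: undici/@babel
// advisories gone, elliptic and uuid left with only a breaking fix available.
const SAMPLE_REPORT = { auditReportVersion: 2, vulnerabilities: {
  elliptic: { name: "elliptic", severity: "high", via: [{ name: "elliptic", severity: "high",
    title: "Risky cryptographic primitive", url: "https://github.com/advisories/GHSA-848j-6mx2-7j84" }],
    fixAvailable: { name: "secp256k1", version: "1.1.6", isSemVerMajor: true } },
  secp256k1: { name: "secp256k1", severity: "high", via: ["elliptic"],
    fixAvailable: { name: "secp256k1", version: "1.1.6", isSemVerMajor: true } },
  uuid: { name: "uuid", severity: "moderate", via: [{ name: "uuid", severity: "moderate",
    title: "Missing buffer bounds check", url: "https://github.com/advisories/GHSA-w5hq-g745-h8pq" }],
    fixAvailable: { name: "@storybook/addon-essentials", version: "7.0.0" /* placeholder */, isSemVerMajor: true } },
} };
const TARGET_ADVISORIES = ["GHSA-vmh5-mc38-953g", "GHSA-pr7r-676h-xcf6", "GHSA-4x5r-pxfx-6jf8"];

console.log(JSON.stringify(auditGate(SAMPLE_REPORT, TARGET_ADVISORIES), null, 2));
```

In CI, replace SAMPLE_REPORT with the parsed output of npm audit --json and fail the job when ok is false; needsMajorBump is the list to track as accepted exceptions rather than force-upgrade.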
@vercel

vercel Bot commented Jun 18, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| lightning-decoder | Ready | Preview, Comment | Jun 18, 2026 8:06pm |
