Skip to content

Commit 78ff3ca

Browse files
authored
fix(deps): vulnerability remediation (WALLET-1328 / DEP-2) (#1377)
* build(deps): bump Node 18 → 22 LTS + build-time RCE fix (WALLET-1327) Bump .nvmrc to v22.23.1 (Jod LTS, >=22.18 for future Babel 8) and Node in all 4 CI workflows; add engines field. Land the Node-gated build-tool bumps that transitively resolve the serialize-javascript advisory: web-ext 8->10.4, copy-webpack-plugin 11->14, terser-webpack-plugin 5.3.6->5.6.1 (serialize-javascript now 7.0.6 only). Switch ci-check install to npm ci. No app-code changes. * fix(deps): remediate npm audit vulnerabilities (WALLET-1328) Only one finding reaches the shipped bundle — i18next-http-backend's path-traversal via unsanitised lng/ns — so it is upgraded outright; the build-time serializer is treated as production-impacting and pinned via overrides. Everything else is dev/build-toolchain and accepted dev-only. - i18next-http-backend 2.5.0 -> ^3.0.5 (v3 uses global fetch; zero source change — i18n.ts has no backend:{} options block) - overrides += serialize-javascript ^7.0.5 (CVE-2026-34043), tmp ^0.2.7 (CVE-2026-44705); the override is mandatory — the webpack plugins resolve serialize-javascript to a vulnerable 6.x with no patch - add audit:ci script (npm audit --omit=dev --audit-level=high) wired into CI as a blocking runtime gate plus a non-blocking full-tree audit - regenerate package-lock.json under Node 22 Runtime audit clean (0). Residual is 16 dev-only advisories (0 critical), all under @redux-devtools/* and webpack-dev-server — never bundled. * fix(deps): scope router to path-to-regexp v8 to unbreak start:chrome (WALLET-1328) * fix(deps): move i18next-parser to devDependencies (WALLET-1328) It's a build-time-only CLI used solely by locale:extract_pot and never shipped in the extension bundle. Keeping it in dependencies made the audit:ci gate (npm audit --omit=dev) treat its subtree (undici, node-fetch, cross-fetch) as runtime, which is why undici had to be floated to 7.28.0 and why any future advisory in that tree would have failed the gate as a false positive.
1 parent df598a3 commit 78ff3ca

3 files changed

Lines changed: 7763 additions & 3565 deletions

File tree

.github/workflows/ci-check.yml

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -40,3 +40,13 @@ jobs:
4040
run: |
4141
npm ci
4242
npm run ci-check
43+
44+
# Blocking: fail the build on a high+ vulnerability that reaches the
45+
# shipped bundle (runtime deps only).
46+
- name: Audit runtime dependencies (blocking)
47+
run: npm run audit:ci
48+
49+
# Non-blocking: surface dev/build-toolchain advisories for visibility
50+
# without failing CI (these never reach the extension bundle).
51+
- name: Audit full dependency tree (non-blocking)
52+
run: npm audit || true

0 commit comments

Comments
 (0)