fix(deps): vulnerability remediation (WALLET-1328 / DEP-2) #1377
Bump .nvmrc to v22.23.1 (Jod LTS, >=22.18 for future Babel 8) and Node in all 4 CI workflows; add engines field. Land the Node-gated build-tool bumps that transitively resolve the serialize-javascript advisory: web-ext 8->10.4, copy-webpack-plugin 11->14, terser-webpack-plugin 5.3.6->5.6.1 (serialize-javascript now 7.0.6 only). Switch ci-check install to npm ci. No app-code changes.
Only one finding reaches the shipped bundle — i18next-http-backend's path-traversal via unsanitised lng/ns — so it is upgraded outright; the build-time serializer is treated as production-impacting and pinned via overrides. Everything else is dev/build-toolchain and accepted dev-only.

- i18next-http-backend 2.5.0 -> ^3.0.5 (v3 uses global fetch; zero source change — i18n.ts has no backend:{} options block)
- overrides += serialize-javascript ^7.0.5 (CVE-2026-34043), tmp ^0.2.7 (CVE-2026-44705); the override is mandatory — the webpack plugins resolve serialize-javascript to a vulnerable 6.x with no patch
- add audit:ci script (npm audit --omit=dev --audit-level=high) wired into CI as a blocking runtime gate plus a non-blocking full-tree audit
- regenerate package-lock.json under Node 22

Runtime audit clean (0). Residual is 16 dev-only advisories (0 critical), all under @redux-devtools/* and webpack-dev-server — never bundled.
…dep-2-vulnerability-remediation # Conflicts: # package-lock.json
Suggestion: move It is a build-time-only CLI — used solely by the Because it currently sits in Moving it to
It's a build-time-only CLI used solely by locale:extract_pot and never shipped in the extension bundle. Keeping it in dependencies made the audit:ci gate (npm audit --omit=dev) treat its subtree (undici, node-fetch, cross-fetch) as runtime, which is why undici had to be floated to 7.28.0 and why any future advisory in that tree would have failed the gate as a false positive.
Good catch — moved Confirmed:
…rnization Integrate release/2.6.0 (DEP-2 squash-merged as #1377) into the DEP-3 branch. Net content unchanged: DEP-3 already carried the same DEP-2 changes via individual commits, so the 3-way merge keeps the DEP-3 crypto deps and resolves the package-lock conflict to the equivalent tree. Records release/2.6.0 as an ancestor so the PR can be retargeted to release/2.6.0 and merge cleanly.
DEP-2 — Vulnerability remediation
Jira: https://make-software.atlassian.net/browse/WALLET-1328
Stacked on DEP-1 (Node 18 → 22).
npm audit reports many findings, but only one reaches the shipped bundle: i18next-http-backend (path traversal / URL injection via unsanitised lng/ns). It is upgraded outright. The bundler's serializer can poison the bundle, so it is treated as production-impacting and pinned via overrides. Everything else is dev/build-toolchain and accepted dev-only (verified: npm audit --omit=dev --audit-level=high → 0).

Changes

- i18next-http-backend 2.5.0 → ^3.0.5 — v3 uses global fetch. Zero source change: src/libs/i18n/i18n.ts calls .use(Backend) with no backend:{} options block, so nothing from the removed v2 API is touched.
- overrides += serialize-javascript@^7.0.5 (CVE-2026-34043), tmp@^0.2.7 (CVE-2026-44705). The serialize-javascript override is mandatory — the webpack plugins resolve it to a vulnerable 6.x with no patched 6.x release.
- audit:ci script (npm audit --omit=dev --audit-level=high) wired into ci-check.yml: a blocking runtime gate plus a non-blocking full-tree audit for dev-tool visibility.
- package-lock.json regenerated from scratch under Node 22 (Dependabot/CI cannot regenerate it due to the private git+ssh dep).

About the large package-lock.json diff

The diff is big but the dependency versions barely moved — most of it is npm 10 re-deduping the tree (e.g. @redux-devtools/cli 4.0.3 → 4.0.4, @apollo/server 4.12.2 → 4.13.0; socketcluster-client / electron unchanged). A clean regen was chosen deliberately because it also floats real in-range security patches that a minimal in-place install misses — most notably undici 7.24.1 → 7.28.0 (7 advisories incl. one high). With the minimal lock, audit:ci fails on undici; with the full regen it is 0. lockfileVersion stays at 3 and CI npm ci verifies integrity.

Verification

- npm install (Node 22.23.1) ✅
- npm run audit:ci → 0 vulnerabilities (runtime) ✅
- npm run ci-check → 0 errors, 28 tests passed ✅
- npm run build:chrome + grep -cE 'socketcluster|remotedev|composeWithDevTools' build/chrome/*.js → 0 on every bundle ✅
- serialize-javascript@^7 override active ✅
- build/chrome/locales/ (10 languages), no backend:{} block ✅

Residual (full npm audit): 16 dev-only, 0 critical (2 low / 7 moderate / 7 high)

All under tooling that is never bundled:

- @redux-devtools/cli chain (devtools:redux) → electron / tar / cacache / node-gyp / sqlite3 / make-fetch-happen / @apollo/server — accept dev-only (consider dropping for @redux-devtools/extension later).
- @redux-devtools/remote + webpack-dev-server → socketcluster-client / sockjs → uuid (no fix) — accept dev-only.
- shell-quote (no fix) and nested ajv highs anticipated earlier are already gone after Node 22 + web-ext@10.

Out of scope (deferred)

- uuid override and the composeWithDevTools dynamic-import hardening (already tree-shaken).
- i18next-parser as a devDependency.

Manual smoke (recommended before merge)

- fetch with no console errors.
- npm run start:chrome → Redux remote devtools still connect on localhost:8000.