Skip to content

fix(security): patch all known dependency vulnerabilities#447

Merged
msrivastav13 merged 2 commits into
masterfrom
fix/security-vulnerabilities
Jun 19, 2026
Merged

fix(security): patch all known dependency vulnerabilities#447
msrivastav13 merged 2 commits into
masterfrom
fix/security-vulnerabilities

Conversation

@msrivastav13

Copy link
Copy Markdown
Owner

Summary

Patches all vulnerabilities reported by npm audit (13 → 0) on this branch, using overrides to lift transitive dependencies to fixed versions without forcing breaking major downgrades of direct devDependencies.

Changes

Added three entries to overrides in package.json (alongside the existing serialize-javascript pin):

Package Version Severity Advisory
form-data ^4.0.6 high CRLF injection via unescaped multipart field names (GHSA-hmw2-7cc7-3qxx)
uuid ^11.1.1 moderate Missing buffer bounds check in v3/v5/v6 (GHSA-w5hq-g745-h8pq)
js-yaml ^4.2.0 moderate Quadratic-complexity DoS in merge-key handling (GHSA-h67p-54hq-rp68)

The refreshed package-lock.json also picks up fixes for the remaining advisories that resolved cleanly via npm audit fix: @babel/core, brace-expansion, fast-uri, fast-xml-builder, fast-xml-parser, and ws.

Why overrides instead of npm audit fix --force

uuid and js-yaml are pulled in transitively through nyc (istanbul-lib-processinfo and @istanbuljs/load-nyc-config). npm audit fix --force wanted to downgrade nyc 17 → 14 to resolve them — a breaking change to a direct devDependency. Overrides lift the nested copies to fixed versions while keeping nyc@17.

Verification

  • tsc -p . --noEmit — clean
  • npm test57 passing
  • npm audit — 0 vulnerabilities (in environments where form-data@4.0.6 is fetchable)

Note: form-data@4.0.6 is the published fix; the lockfile entry was set to it directly. CI/normal installs will resolve it without issue.

Resolves all advisories reported by npm audit (13 -> 0) via overrides:
- form-data ^4.0.6  (high: CRLF injection, GHSA-hmw2-7cc7-3qxx)
- uuid ^11.1.1      (moderate: missing buffer bounds check, GHSA-w5hq-g745-h8pq)
- js-yaml ^4.2.0    (moderate: quadratic-complexity DoS, GHSA-h67p-54hq-rp68)

Transitive fixes for @babel/core, brace-expansion, fast-uri,
fast-xml-builder, fast-xml-parser and ws were picked up by the
refreshed lockfile. uuid/js-yaml are pulled in transitively via nyc;
overrides avoid the nyc 17 -> 14 downgrade that 'npm audit fix --force'
would have forced. Build and all 57 tests pass.
form-data@4.0.6 requires hasown ^2.0.4; the lockfile still pinned
2.0.3, which broke 'npm ci' sync validation. Verified clean:
npm ci -> 0 vulnerabilities, tsc clean, 57 tests passing.
@msrivastav13
msrivastav13 merged commit c4980bd into master Jun 19, 2026
3 checks passed
@msrivastav13
msrivastav13 deleted the fix/security-vulnerabilities branch June 19, 2026 12:44
@msrivastav13 msrivastav13 mentioned this pull request Jun 19, 2026
msrivastav13 added a commit that referenced this pull request Jun 19, 2026
Minor release bundling the changes merged since 1.1.0:
- fix(metadata:rename): resolve -o flag collision hiding default org (#443, #449)
- fix(security): patch all known dependency vulnerabilities (#447)
- chore(deps): bump @salesforce/core to ^8.31.1 (#448)
- docs: use 'sf' instead of 'sfdx' in command examples (#449)

Verified: npm ci clean, 0 vulnerabilities, 57 tests passing, prepack builds.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant