[codex] Fix npm audit vulnerabilities#542
Conversation
Signed-off-by: Null;Variant <null@nullvariant.com> 🖥️ IDE: [Terminal](#) Co-authored-by: GPT-5.5 <codex@openai.com> Model-Raw: gpt-5.5
🐰 Mimi's Validation Report ✅All checks are looking good! Great job! 🎉 ⏳ Some checks are still running. I will keep watching!
This report was carefully prepared by nullvariant-mimi[bot] |
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.OpenSSF Scorecard
Scanned Files
|
🕊️ Ciel's Mediation 💤*~~ drifting lazily through still air ~~ The zoo is napping today...* 1 zoo member has reviewed this PR.
😴 A quiet day at the zoo. Only one member peeked at this PR.
This mediation was peacefully delivered by nullvariant-ciel[bot] |
|
Warning Review the following alerts detected in dependencies. According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.
|
|
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
Qodo reviews are paused for this user.Troubleshooting steps vary by plan Learn more → On a Teams plan? Using GitHub Enterprise Server, GitLab Self-Managed, or Bitbucket Data Center? |



Summary
Updates vulnerable transitive development dependencies in
package-lock.jsonso the Security Audit workflow no longer fails onnpm audit --audit-level=high.Root Cause
The latest
mainlockfile resolvedform-data@4.0.5, which is affected by GHSA-hmw2-7cc7-3qxx. The audit also reportedjs-yaml@4.1.1as a moderate advisory.Changes
form-datafrom4.0.5to4.0.6.hasownfrom2.0.3to2.0.4to satisfyform-data@4.0.6.js-yamlfrom4.1.1to4.2.0.Validation
npm ci --cache /private/tmp/npm-cache-nullvariant-vscode-extensionsnpm audit --audit-level=high --cache /private/tmp/npm-cache-nullvariant-vscode-extensionsfromextensions/git-id-switchernpm run compile --workspace extensions/git-id-switcher