Skip to content

[codex] Fix npm audit vulnerabilities#542

Merged
nullvariant merged 1 commit into
mainfrom
codex/fix-security-audit-vulnerabilities
Jun 18, 2026
Merged

[codex] Fix npm audit vulnerabilities#542
nullvariant merged 1 commit into
mainfrom
codex/fix-security-audit-vulnerabilities

Conversation

@nullvariant

Copy link
Copy Markdown
Owner

Summary

Updates vulnerable transitive development dependencies in package-lock.json so the Security Audit workflow no longer fails on npm audit --audit-level=high.

Root Cause

The latest main lockfile resolved form-data@4.0.5, which is affected by GHSA-hmw2-7cc7-3qxx. The audit also reported js-yaml@4.1.1 as a moderate advisory.

Changes

  • Updates form-data from 4.0.5 to 4.0.6.
  • Updates hasown from 2.0.3 to 2.0.4 to satisfy form-data@4.0.6.
  • Updates js-yaml from 4.1.1 to 4.2.0.

Validation

  • npm ci --cache /private/tmp/npm-cache-nullvariant-vscode-extensions
  • npm audit --audit-level=high --cache /private/tmp/npm-cache-nullvariant-vscode-extensions from extensions/git-id-switcher
  • npm run compile --workspace extensions/git-id-switcher

Signed-off-by: Null;Variant <null@nullvariant.com>

🖥️ IDE: [Terminal](#)

Co-authored-by: GPT-5.5 <codex@openai.com>
Model-Raw: gpt-5.5
@nullvariant-mimi

Copy link
Copy Markdown
Contributor

🐰 Mimi's Validation Report ✅

All checks are looking good! Great job! 🎉

⏳ Some checks are still running. I will keep watching!


バリデーターを通してくださいね

This report was carefully prepared by nullvariant-mimi[bot]

@github-actions

Copy link
Copy Markdown
Contributor

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

PackageVersionScoreDetails
npm/form-data 4.0.6 🟢 5.4
Details
CheckScoreReason
Maintained🟢 1016 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Code-Review⚠️ 0Found 1/30 approved changesets -- score normalized to 0
Packaging⚠️ -1packaging workflow not detected
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Security-Policy⚠️ 0security policy file not detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/hasown 2.0.4 UnknownUnknown
npm/js-yaml 4.2.0 🟢 6
Details
CheckScoreReason
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Packaging⚠️ -1packaging workflow not detected
Code-Review⚠️ 0Found 0/30 approved changesets -- score normalized to 0
Maintained🟢 1030 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10
Binary-Artifacts🟢 10no binaries found in the repo
SAST⚠️ 0no SAST tool detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies🟢 3dependency not pinned by hash detected -- score normalized to 3
License🟢 10license file detected
Fuzzing🟢 10project is fuzzed
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
Security-Policy🟢 4security policy file detected

Scanned Files

  • package-lock.json

@nullvariant-ciel

Copy link
Copy Markdown
Contributor

🕊️ Ciel's Mediation 💤

*~~ drifting lazily through still air ~~ The zoo is napping today...*

1 zoo member has reviewed this PR.

Zoo Member Status
🐰 Mimi Commented

😴 A quiet day at the zoo. Only one member peeked at this PR.


まあまあ、ほどほどに。

This mediation was peacefully delivered by nullvariant-ciel[bot]

@socket-security

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm js-yaml is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.jsonnpm/mocha@11.7.6npm/@vscode/vsce@3.9.2npm/js-yaml@4.2.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/js-yaml@4.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@sonarqubecloud

Copy link
Copy Markdown

@codecov

codecov Bot commented Jun 18, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@nullvariant nullvariant marked this pull request as ready for review June 18, 2026 01:32
@qodo-code-review

Copy link
Copy Markdown

Qodo reviews are paused for this user.

Troubleshooting steps vary by plan Learn more →

On a Teams plan?
Reviews resume once this user has a paid seat and their Git account is linked in Qodo.
Link Git account →

Using GitHub Enterprise Server, GitLab Self-Managed, or Bitbucket Data Center?
These require an Enterprise plan - Contact us
Contact us →

@nullvariant-justice nullvariant-justice Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚖️ Justice grants passage. CI checks passed — this code meets the garden's standards.

@nullvariant nullvariant merged commit 2a58c72 into main Jun 18, 2026
42 of 45 checks passed
@nullvariant nullvariant deleted the codex/fix-security-audit-vulnerabilities branch June 18, 2026 01:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant