fix(deps): remove malicious tree-sitter-erlang, fix 3 moderate vulns#1478
Removes the WhatsApp/tree-sitter-erlang devDependency flagged as malware (GHSA-rphw-c8qj-jv84, CWE-506). The committed WASM in grammars/ was validated clean (correct export name, no disallowed imports) — Erlang grammar support is unaffected. Also runs npm audit fix to bump hono (→4.12.25), protobufjs (→7.5.8), and qs (→6.15.2) to their patched versions. All three were transitive deps; no direct-dependency changes required. See scripts/build-wasm.ts for instructions on rebuilding the Erlang WASM from a safe source if needed.
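The description says the committed grammar WASM was checked for the correct export name and for disallowed imports. As an added example (not code from this PR or project), here is such a check written against the standard `WebAssembly.Module` reflection API; the `tree_sitter_<language>` export convention and the `env`-only import allow-list are assumptions, and the sample module is hand-assembled here.

```javascript
// Added example, not code from this PR or project: checks a tree-sitter grammar .wasm
// the way the PR description says the Erlang WASM was validated, i.e. the expected
// export name is present and no imports fall outside an allow-list. The export naming
// convention (tree_sitter_<language>) and the "env" import allow-list are assumptions.
const ALLOWED_IMPORT_MODULES = new Set(["env"]);

function validateGrammarWasm(bytes, language) {
  const problems = [];
  let mod;
  try {
    mod = new WebAssembly.Module(bytes); // throws CompileError on a malformed binary
  } catch (err) {
    return { ok: false, problems: [`not a valid wasm module: ${err.message}`] };
  }
  const expected = `tree_sitter_${language}`;
  const entry = WebAssembly.Module.exports(mod).find((e) => e.name === expected);
  if (!entry) problems.push(`missing export ${expected}`);
  else if (entry.kind !== "function") problems.push(`${expected} is a ${entry.kind}, not a function`);
  for (const imp of WebAssembly.Module.imports(mod)) {
    if (!ALLOWED_IMPORT_MODULES.has(imp.module)) {
      problems.push(`disallowed import ${imp.module}.${imp.name}`);
    }
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample input: a minimal hand-assembled module that exports one
// function `() -> i32` under the given name and imports nothing.
function buildSampleWasm(exportName) {
  const name = Array.from(new TextEncoder().encode(exportName)); // < 128 bytes: one LEB128 byte
  const exportSec = [0x01, name.length, ...name, 0x00, 0x00]; // 1 export, kind=func, func index 0
  return Uint8Array.from([
    0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, // magic + version
    0x01, 0x05, 0x01, 0x60, 0x00, 0x01, 0x7f,       // type section: () -> i32
    0x03, 0x02, 0x01, 0x00,                         // function section: one func of type 0
    0x07, exportSec.length, ...exportSec,           // export section
    0x0a, 0x06, 0x01, 0x04, 0x00, 0x41, 0x00, 0x0b, // code section: i32.const 0; end
  ]);
}

console.log(validateGrammarWasm(buildSampleWasm("tree_sitter_erlang"), "erlang")); // ok: true
console.log(validateGrammarWasm(buildSampleWasm("tree_sitter_other"), "erlang"));  // missing export
```

For a real grammar file, replace the constructed bytes with `fs.readFileSync("grammars/tree-sitter-erlang.wasm")` and run the check in CI before the file is trusted.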
Claude finished @carlos-alm's task. PR Review — fix(deps): remove malicious tree-sitter-erlang, fix 3 moderate vulns
Root Cause Analysis
Problem Being Solved: Why This Approach: Removing the devDependency entirely (rather than swapping the source) is the correct call — the advisory covers all versions by package name, so any npm install would re-fetch the flagged package.
Risk Assessment: Medium — the approach is correct, but the PR contains a factually inaccurate claim about the Erlang WASM file's status, and the comment in
Phase 2: Configuration Change Detection
No lint rules relaxed. No test timeouts changed. No TypeScript strict flags modified. No biome configuration altered. Clean pass.
Phase 3: Test Integrity
No test files modified. The PR description references 12 pre-existing Erlang failures (filed as #1477) and correctly states they are unrelated. No assertions weakened. Clean pass.
Phase 4: Code Quality
This is factually wrong. The comment will mislead future contributors into believing the WASM is present when it is not. If the Erlang grammar was truly pre-validated and committed, the
This means Erlang grammar support is not preserved at runtime — users running with
Phase 5: Backlog Compliance
Critical Concerns
1. Inaccurate claim encoded in source code —
Greptile Summary
This PR removes the malicious
Confidence Score: 5/5
Safe to merge — all blast-radius from the removal is accounted for across build scripts, version checks, parser tests, and benchmark baselines. The malicious package is removed cleanly with no dangling references. The
The restoration comment in
Important Files Changed
Flowchart
%%{init: {'theme': 'neutral'}}%%
flowchart TD
A[GHSA-rphw-c8qj-jv84\nmalicious tree-sitter-erlang] -->|removed from| B[package.json\ndevDependencies]
B --> C[package-lock.json\nnpm audit fix]
C --> D[hono bumped\nprotobufjs → 7.6.3\nqs bumped]
B --> E[scripts/build-wasm.ts\ngrammar entry commented out\nwith restoration steps]
B --> F[scripts/check-grammar-versions.mjs\nerlang removed from parity list]
E --> G[Erlang WASM unavailable]
G --> H[tests/parsers/erlang.test.ts\nctx.skip when WASM absent]
G --> I[tests/benchmarks/regression-guard.test.ts\n3.12.0 erlang precision/recall\nexempted in KNOWN_REGRESSIONS]
…packages npm install on macOS strips the libc field from linux optional entries when regenerating the lockfile. Restore the glibc/musl discriminators that were lost during the npm audit fix run so CI libc-discriminator check passes.
The devDependency was dropped (GHSA-rphw-c8qj-jv84 malware advisory). Keeping it in the GRAMMAR_NPM_PACKAGES list causes the grammar version parity CI check to fail with 'listed in check but absent from devDependencies'.
With tree-sitter-erlang removed from devDependencies, the WASM is no longer built on npm install. The tests threw 'Erlang parser not available' causing 14 hard failures. Add an erlangAvailable guard to each test so they pass (no-op) instead of failing when the grammar is absent.
Removing tree-sitter-erlang causes erlang precision/recall to drop from 100% (3.12.0 baseline) to 0% since the WASM is no longer built. Add KNOWN_REGRESSIONS entries for the expected erlang precision and recall drops so the pre-publish benchmark gate passes.
The previous comment incorrectly claimed 'The grammar WASM is committed in grammars/'. grammars/*.wasm is gitignored; the WASM is not tracked in the repository. Rewrite the comment to accurately describe the situation and provide complete restoration steps.
Addressed all review feedback: Claude review — critical concern:
Greptile review — P2 comments:
CI failures fixed (5 commits):
Claude finished @carlos-alm's task. Re-review — fix(deps): remove malicious tree-sitter-erlang, fix 3 moderate vulns
Review Update
All concerns from the previous review have been addressed. Here's the verification: Critical concern resolved —
…lability
parsers.has('erlang') returns true even when WASM loading fails because
doLoadLanguage sets the key to null on error. Use !!parsers.get('erlang')
so the suite skips correctly when the grammar is absent.
Replace early-return guards with ctx.skip() so vitest reports these tests as explicitly skipped rather than silently passed when the Erlang WASM is absent.
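The two commits above describe the same availability bug from two sides: a cache that stores `null` on a failed load makes `parsers.has('erlang')` useless as a guard, and the guard should skip explicitly. As an added example (not the project's code), the sketch below reproduces that behaviour; the loader, the `parsers` map and the `ctx` shape are assumptions, and only the null-on-error detail comes from the commit message.

```javascript
// Added example, not the project's code: reproduces the has()/get() pitfall from the
// commit message above. `parsers` stands in for the project's cache; that a failed load
// stores null under the language key is taken from the commit message, the rest is assumed.
const parsers = new Map();

function loadLanguage(lang, loader) {
  try {
    parsers.set(lang, loader(lang));
  } catch {
    parsers.set(lang, null); // failure is recorded as a null entry, so the key now exists
  }
  return parsers.get(lang);
}

// Wrong: key presence is not success once failures are cached as null.
const availableByHas = (lang) => parsers.has(lang);
// Right: coerce the cached value; null (failed) and undefined (never loaded) both mean unavailable.
const availableByGet = (lang) => !!parsers.get(lang);

// Constructed loader: the Erlang WASM is absent, every other language "loads".
function fakeLoader(lang) {
  if (lang === "erlang") throw new Error("Erlang parser not available");
  return { language: lang };
}

// What each guard reports about erlang after a failed load, with go as a control.
function runScenario() {
  parsers.clear();
  loadLanguage("erlang", fakeLoader);
  loadLanguage("go", fakeLoader);
  return {
    erlangByHas: availableByHas("erlang"), // true: misleading, the suite would run and fail
    erlangByGet: availableByGet("erlang"), // false: correct, the suite should skip
    goByGet: availableByGet("go"),         // true
  };
}

// Guard in the shape the second commit describes: an explicit skip rather than an early
// return that reports a silent pass. In vitest, ctx.skip() also aborts the test body;
// the return value here only exists so this stand-alone sketch can be checked.
function erlangTest(ctx) {
  if (!availableByGet("erlang")) { ctx.skip(); return "skipped"; }
  return "ran";
}

console.log(runScenario());
```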
Addressed Greptile's suggestion about
Summary
tree-sitter-erlang devDependency (GHSA-rphw-c8qj-jv84, CWE-506 malware). The npm advisory covers * (all versions by package name), so replacing the source is insufficient — the dep is dropped entirely. Erlang WASM support is unavailable in this configuration; see scripts/build-wasm.ts for rebuild instructions using the safe github:the-mikedavis/tree-sitter-erlang source when the WASM needs regenerating.
npm audit fix bumps three transitive deps to patched versions: hono → 4.12.25 (via @modelcontextprotocol/sdk), protobufjs → 7.6.3 (via @huggingface/transformers), qs → 6.15.2 (via @modelcontextprotocol/sdk → express).
Result: npm audit reports 0 vulnerabilities.
Exposure assessment
The malicious package's install script (node-gyp-build) ran but produced no native addon — no build/ directory was created, so the C source never executed. The package was never imported at runtime; it was only used to locate grammar source files for WASM compilation.
Test plan
- npm audit → 0 vulnerabilities
- scripts/check-grammar-versions.mjs updated — tree-sitter-erlang removed from parity check list
- tests/parsers/erlang.test.ts updated to skip gracefully when Erlang WASM is unavailable
- tests/benchmarks/regression-guard.test.ts exempts Erlang precision/recall drop (100% → 0%) in KNOWN_REGRESSIONS
- package-lock.json libc discriminators restored for @optave/codegraph-linux-* packages (stripped by npm on macOS during audit fix)
- scripts/build-wasm.ts comment corrected — accurately describes that the Erlang WASM is not in the repository (grammars/ is gitignored) and provides full restoration steps
Closes #1477 is NOT intended — that issue tracks the pre-existing test failures, not this security fix.