
chore: npm audit fix — bump brace-expansion + ws transitive devDeps #95

Closed: Goosterhof wants to merge 1 commit into main from fix/npm-audit-baseline-drift

Conversation

@Goosterhof (Contributor)

Summary

  • Bumps two dev-only transitive deps to address new moderate advisories:
      • brace-expansion 5.0.5 → 5.0.6 (GHSA-jxxr-4gwj-5jf2)
      • ws 8.20.0 → 8.20.1 (GHSA-58qx-3vcg-4xpx)
  • Produced by npm audit fix. Lockfile-only change, no package.json touched.

Context

Both advisories landed in the GitHub Advisory Database between 2026-05-18 and 2026-05-20. CI's npm audit step exits 1 on any moderate advisory, so every PR opened in that window inherits the failure — even PRs whose own diff is trivial (PR #94 is one line in .gitignore). Last green CI on main: 2026-05-15 (PR #88).

This fixes the npm audit half of the baseline. The lint:pkg step is also failing on a separate publint-sideEffects regression — PR #88 (queue #70) is the canonical fix for that and should rebase + merge after this lands.

Test plan

  • npm audit → 0 vulnerabilities
  • npm run format:check
  • npm run lint
  • npm run build
  • npm run typecheck
  • npm run test:coverage (528/528 passed)
  • CI confirms green

🤖 Generated with Claude Code

Two moderate-severity advisories landed in the GitHub Advisory Database
between 2026-05-18 and 2026-05-20, breaking `npm audit` on every PR
that ran CI in that window (#87, #90, #91, #92, #94 plus dependabot).
Diagnosis: CI failures show on PRs with trivial diffs (e.g. #94 is a
1-line .gitignore) → failure is in the baseline, not the PR diffs.

- brace-expansion 5.0.5 → 5.0.6 — DoS in numeric range (GHSA-jxxr-4gwj-5jf2)
- ws 8.20.0 → 8.20.1 — uninitialized memory disclosure (GHSA-58qx-3vcg-4xpx)

Both are dev-only transitive deps. Patch-level bumps, no public-API
ripple. `npm audit fix` produces the minimal lockfile delta.

Verified locally:
- npm audit: 0 vulnerabilities
- format:check, lint, build, typecheck, test:coverage all green
- lint:pkg still fails on publint sideEffects suggestion — distinct
  baseline issue addressed by PR #88 (queue #70)

Closes the npm-audit half of envelope #23.
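The PR description makes three checkable claims about the delta: the bumps are patch-level, the touched nodes are dev-only, and the advisories are what tripped the moderate-severity gate in CI. As an added example that is not part of this PR or of the fs-packages project's code, the Node script below performs exactly that review: it diffs the `packages` map of two package-lock.json (lockfileVersion 2/3) objects, rejects anything that is not a patch bump of a node flagged `dev: true`, and reproduces the decision `npm audit --audit-level=moderate` makes. The lockfile fragments, the `npm audit --json` report, the pre-fix qs version and all function names are constructed for the example; resolved/integrity fields are left out of the fixtures.

```javascript
// Added example, not code from the PR or the fs-packages project.
// Review checks for an `npm audit fix` lockfile delta:
//   1. every change is a patch-level bump of an existing package,
//   2. every touched node is marked `dev: true` in the lockfile,
//   3. the audit-level gate (`npm audit --audit-level=moderate`) explains
//      why CI exited 1 before the fix.
// All fixtures below are constructed; resolved/integrity fields are omitted.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Classify a version change. Only plain x.y.z strings are handled; anything
// else (pre-release tags, ranges) is reported as 'unknown' so a reviewer looks.
function bumpKind(from, to) {
  if (from === to) return 'none';
  const re = /^(\d+)\.(\d+)\.(\d+)$/;
  const a = from.match(re), b = to.match(re);
  if (!a || !b) return 'unknown';
  if (a[1] !== b[1]) return 'major';
  if (a[2] !== b[2]) return 'minor';
  return Number(b[3]) > Number(a[3]) ? 'patch' : 'downgrade';
}

// Diff the `packages` map of two package-lock.json (lockfileVersion 2/3) objects.
// Returns one record per added, removed or changed node, sorted by path.
function lockfileDelta(before, after) {
  const changes = [];
  const paths = new Set([...Object.keys(before.packages), ...Object.keys(after.packages)]);
  for (const path of paths) {
    if (path === '') continue; // root project entry, not a dependency
    const b = before.packages[path], a = after.packages[path];
    if (!b) { changes.push({ path, kind: 'added', to: a.version, dev: !!a.dev }); continue; }
    if (!a) { changes.push({ path, kind: 'removed', from: b.version, dev: !!b.dev }); continue; }
    const touched = b.version !== a.version || b.resolved !== a.resolved || b.integrity !== a.integrity;
    if (touched) {
      changes.push({ path, kind: bumpKind(b.version, a.version), from: b.version, to: a.version,
                     dev: !!a.dev && !!b.dev });
    }
  }
  return changes.sort((x, y) => x.path.localeCompare(y.path));
}

// Gate a delta against the claim "patch-level bumps of dev-only transitive deps".
function reviewAuditFix(before, after, { allowedKinds = ['patch'], devOnly = true } = {}) {
  const changes = lockfileDelta(before, after);
  const problems = [];
  for (const c of changes) {
    if (!allowedKinds.includes(c.kind)) {
      problems.push(`${c.path}: ${c.kind} change (${c.from ?? '-'} -> ${c.to ?? '-'})`);
    }
    if (devOnly && !c.dev) problems.push(`${c.path}: not a dev-only node`);
  }
  return { ok: problems.length === 0, changes, problems };
}

// Same decision `npm audit --audit-level=<level>` makes: the command exits
// non-zero if any vulnerability is at or above the threshold. Takes the
// `npm audit --json` report shape (auditReportVersion 2).
function auditWouldFail(report, level = 'moderate') {
  const min = SEVERITY_RANK[level];
  return Object.values(report.vulnerabilities)
    .filter(v => SEVERITY_RANK[v.severity] >= min)
    .map(v => v.name)
    .sort();
}

// Constructed fixtures mirroring the versions named in the PR.
const LOCK_BEFORE = { lockfileVersion: 3, packages: {
  '': { name: 'example', version: '0.0.0' },
  'node_modules/brace-expansion': { version: '5.0.5', dev: true },
  'node_modules/ws': { version: '8.20.0', dev: true },
  'node_modules/qs': { version: '6.15.1' },            // production dependency (constructed)
} };
const LOCK_AFTER_OK = { lockfileVersion: 3, packages: {
  ...LOCK_BEFORE.packages,
  'node_modules/brace-expansion': { version: '5.0.6', dev: true },
  'node_modules/ws': { version: '8.20.1', dev: true },
} };
const LOCK_AFTER_PROD_TOUCHED = { lockfileVersion: 3, packages: {
  ...LOCK_AFTER_OK.packages,
  'node_modules/qs': { version: '6.15.2' },            // would contradict "dev-only"
} };
const AUDIT_BEFORE = { auditReportVersion: 2, vulnerabilities: {
  'brace-expansion': { name: 'brace-expansion', severity: 'moderate', isDirect: false, fixAvailable: true },
  ws: { name: 'ws', severity: 'moderate', isDirect: false, fixAvailable: true },
} };

console.log(auditWouldFail(AUDIT_BEFORE, 'moderate'));        // ['brace-expansion', 'ws']
console.log(reviewAuditFix(LOCK_BEFORE, LOCK_AFTER_OK).ok);   // true
console.log(reviewAuditFix(LOCK_BEFORE, LOCK_AFTER_PROD_TOUCHED).problems);
```

In practice the two lockfile objects come from `git show main:package-lock.json` and the working tree, and the report from `npm audit --json` on the base branch; the `devOnly` gate is the check that distinguishes a harmless transitive devDependency bump from one that silently changes what ships to production.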
@cloudflare-workers-and-pages

Deploying fs-packages with Cloudflare Pages

Latest commit: 5bfd131
Status: ✅  Deploy successful!
Preview URL: https://6a9a0609.fs-packages.pages.dev
Branch Preview URL: https://fix-npm-audit-baseline-drift.fs-packages.pages.dev


@jasperboerhof (Contributor)

PR Reviewer · 10/10 · PASS

Findings

  • none — all reviewers clean

Action

merge-ready

@Goosterhof (Contributor, Author)

Superseded by #100 (merged). #100's npm audit fix already bumped brace-expansion → 5.0.6 and ws → 8.21.0 (plus qs → 6.15.2, js-cookie → 3.0.7) on main; npm audit is now clean (0 vulnerabilities). This branch's transitive bumps are fully contained in what landed. Closing as redundant.

@Goosterhof Goosterhof closed this May 29, 2026


2 participants