chore(security): Track 2 moderate npm audit vulnerabilities (next/postcss) — no safe upgrade path

[ericsocrat]

Problem Statement

npm audit in frontend/ reports 4 moderate transitive vulnerabilities with no safe upgrade path on the current dependency tree:

Vuln	Path	Notes
postcss (next dev tree)	node_modules/next/node_modules/postcss	Auto-fix would downgrade next to 9.3.3 — breaking, unacceptable (currently 16.1.6). Fix must come from upstream Next.js bumping its bundled postcss.
uuid <14.0.0 (advisory GHSA-w5hq-g745-h8pq, missing buffer bounds check in v3/v5/v6)	node_modules/@lhci/cli/node_modules/uuid	Auto-fix downgrades @lhci/cli to 0.6.1 — breaking, unacceptable (project relies on current LHCI for Lighthouse CI). Fix must come from upstream LHCI bumping its bundled uuid.

Both are dev-only / build-chain dependencies — no production runtime exposure. Severity is moderate. Risk is low but not zero (e.g., compromised CI machine).

Why this is a tracking issue, not an immediate fix

Per npm audit fix --force, Node would install:

• next@9.3.3 (15 major versions back, security CVEs in older Next, breaking compatibility with React 18+, app router, middleware, etc.)
• @lhci/cli@0.6.1 (incompatible with current Lighthouse CI workflow, would break bundle-size.yml and quality-gate.yml)

Neither downgrade is acceptable. The fix must come from upstream releasing patch versions that re-bundle non-vulnerable transitives.

Acceptance criteria (for closure)

• npm audit --audit-level=moderate reports 0 moderate, 0 high, 0 critical in frontend/.
  • Resolution path 1: Next.js releases a patch version with non-vulnerable postcss → bump in framework Dependabot group.
  • Resolution path 2: LHCI releases a non-breaking version with non-vulnerable uuid → bump via Dependabot.

Monitoring plan

• Subscribe to upstream advisories: GitHub Security Advisories for next and @lhci/cli.
• Re-run npm audit weekly via existing dependency-audit.yml workflow (already runs).
• If a CVE for these transitives is upgraded to high, escalate to P1 and consider npm-force-resolutions or temporary overrides block (see tmp@>=0.2.4 precedent in PR security(deps): force tmp>=0.2.4 via overrides to close CVE-2025-54798 #1030).

Priority

P3 — moderate severity, dev-only, no safe fix path. Monitor only.

Related precedent

• PR security(deps): force tmp>=0.2.4 via overrides to close CVE-2025-54798 #1030 used overrides block in package.json to force-patch tmp >= 0.2.4 (CVE-2025-54798). Same mechanism could be applied here if upstream remains unresponsive and severity escalates, but only as last resort — overrides are fragile across npm install on different OSes (see Windows lockfile fragility note in copilot-instructions.md §13).

[ericsocrat]

Audit re-scope 2026-05-25: npm audit now reports 5 moderate + 1 HIGH (ws GHSA-58qx-3vcg-4xpx, transitive via @lhci/cli dev-only). Original issue tracked 4 moderates. Still dev-only/non-production, but the HIGH should be acknowledged in the close-as-monitor decision. No action change \u2014 still blocked on user authorization.

[ericsocrat]

Security Tracking Update (authorized execution)

Re-ran npm audit --audit-level=moderate --json on 2026-05-25.

Before mitigation

• 6 total vulnerabilities: 1 high, 5 moderate.
• New high finding was transitive:
  • basic-ftp <=5.3.0 via @lhci/cli -> proxy-agent -> pac-proxy-agent -> get-uri -> basic-ftp
• Additional moderate finding:
  • ws <8.20.1 via transitive chains.

Mitigation applied

• Added npm overrides in frontend/package.json:
  • basic-ftp: 5.3.1
  • ws: 8.21.0
• Ran npm install to regenerate lockfile and apply overrides.

Current state (after mitigation)

• 4 total vulnerabilities: 0 high, 4 moderate.
• Remaining advisories are unchanged and still upstream-blocked:
  • postcss via next (safe upgrade path not available without unacceptable downgrade)
  • uuid via @lhci/cli (safe upgrade path not available without unacceptable downgrade)

Validation

• npm audit --audit-level=moderate --json → 4 moderate, 0 high, 0 critical
• npx tsc --noEmit → pass

This issue remains a monitor until upstream packages publish safe non-breaking updates.

[ericsocrat]

Revalidated npm audit on 2026-05-26 while progressing to next item. Current state is now 5 vulns total (4 moderate, 1 high):\n\n- HIGH: basic-ftp GHSA-rpmf-866q-6p89 (via @lhci/cli -> proxy-agent -> pac-proxy-agent -> get-uri -> basic-ftp@5.3.0)\n- MODERATE: uuid GHSA-w5hq-g745-h8pq (via @lhci/cli)\n- MODERATE: postcss GHSA-qx2v-qp2m-jg93 (via next)\n\nEvidence:\n- npm audit --audit-level=moderate --json\n- npm ls basic-ftp\n- npm view @lhci/cli version -> 0.15.1 (latest)\n\nAt this point this remains externally constrained by upstream releases, but severity has increased because of the new HIGH finding. Recommend re-triage of priority/labeling and continued monitoring.

[ericsocrat]

Mitigation update (2026-05-26): applied targeted frontend npm overrides and revalidated.\n\nChanges applied:\n- basic-ftp -> 5.3.1 (patched)\n- uuid -> 11.1.1 (patched)\n\nValidation:\n- npm ls uuid basic-ftp shows both overridden under @lhci/cli chain\n- npm audit --audit-level=moderate --json now reports: 2 moderate, 0 high, 0 critical\n- residual findings are only next/postcss advisory path\n- npx lhci --version works (0.15.1)\n- npx tsc --noEmit passes\n\nResult:\n- Previously observed HIGH (basic-ftp) and uuid moderate are mitigated.\n- Remaining blocked item is Next-bundled postcss path with no safe non-breaking upstream remediation currently.