
chore: fix dependency vulnerabilities (28 -> 8, all highs resolved) #1410

Merged
jbujula merged 2 commits into main from users/jbujula/fix-dependency-vulns-2026-06 on Jun 18, 2026

Conversation

@jbujula jbujula commented Jun 18, 2026

Collaborator

Summary

  • Resolves all 9 high-severity npm-audit findings and the open Dependabot alerts across transitive dev/runtime dependencies.
  • npm audit: 28 → 8 total (remaining 8 are documented accepted-risk / deferred — see below).
  • S360/ADO query skipped this run (az devops not authenticated for the dynamicscrm org); fix plan derived from Dependabot + npm audit.

Dependencies updated

| Package | Before | After | Strategy | Source |
|---|---|---|---|---|
| serialize-javascript | ^7.0.3 | ^7.0.5 | bump override | Dependabot #179 + npm |
| postcss | ^8.4.31 | ^8.5.15 | bump override | Dependabot #173 + npm |
| qs | ^6.14.2 | ^6.15.2 | bump override | Dependabot #180 + npm |
| basic-ftp | ^5.3.0 | ^6.0.1 | bump override | npm audit |
| tmp | 0.2.5 | ^0.2.7 | new override | Dependabot #181 + npm |
| undici | 6.23.0 | ^6.24.0 | new override | Dependabot #152/153/156 + npm |
| defu | 6.1.4 | ^6.1.7 | new override | npm audit |
| flatted | 3.4.1 | ^3.4.2 | new override | npm audit |
| form-data | 2.5.5 | ^2.5.6 | new override | npm audit |
| ip-address | 10.1.0 | ^10.2.0 | new override | npm audit |
| js-yaml | 4.1.1 | ^4.2.0 | new override | npm audit |
| lodash | 4.17.23 | ^4.18.1 | new override | npm audit |
| picomatch (under tinyglobby) | 4.0.3 | ^4.0.4 | scoped override | Dependabot #161 + npm |
| uuid (under tfx-cli) | 13.0.0 | ^13.0.1 | scoped override | Dependabot #174 + npm |
| tar | ^7.5.11 | ^7.5.16 | direct dep bump | npm audit |
| follow-redirects | 1.15.11 | 1.16.0 | lock-file patch | Dependabot #170 + npm |

Why scoped/lock-patch: picomatch and uuid each have an inBundle sibling (picomatch 2.3.2, uuid 3.4.0) that must not be force-upgraded, so scoped overrides target only the vulnerable nested copies. follow-redirects is inBundle via the bundled cli-wrapper subtree, so an override cannot reach it — patched directly in package-lock.json to 1.16.0.

Known limitations / follow-ups

  • uuid 3.4.0 (runtime, Dependabot Deploy Package Task fail #178 / moderate) — bundled inside azure-pipelines-task-lib (requires uuid ^3.0.1). Fixing needs uuid v3→v11 (breaking API) and the package is bundled in the VSIX, so an override cannot reach it. Must be fixed upstream in azure-pipelines-task-lib. Deferred.
  • elliptic chain (browserify-sign, create-ecdh, crypto-browserify, node-libs-browser, rewiremock) — known permanent accepted risk (GHSA-848j-6mx2-7j84, LOW), dev-only, no patched version.

Test plan

  • npm install clean
  • npm audit — 28 → 8 (all highs resolved; remaining are documented accepted-risk/deferred)
  • npm run ci — compile (32 tasks) + lint + restore pass. unitTest fails locally only on Node 24 (ERR_UNSUPPORTED_TYPESCRIPT_SYNTAX, native TS strip vs CJS ts-node/register) — reproduces identically on clean main; CI runs Node 20 where it passes. Not a regression.

🤖 Generated with Claude Code
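The scoped-override and lock-file-patch reasoning in the description can be checked against a real `package-lock.json`: walk the `packages` map, list every installed copy of a package, and flag the `inBundle` copies that no override can reach. The script below is an added example for this review, not code from the PR or the repository; the lock entries and nesting paths are constructed to mirror the cases the description discusses.

```javascript
// Added example (not from the PR): walk a lockfile v2/v3 "packages" map and flag
// inBundle copies that package.json overrides cannot reach. Paths are constructed.
const sampleLock = {
  packages: {
    "node_modules/picomatch": { version: "2.3.2", inBundle: true },
    "node_modules/tinyglobby/node_modules/picomatch": { version: "4.0.4" },
    "node_modules/azure-pipelines-task-lib/node_modules/uuid": { version: "3.4.0", inBundle: true },
    "node_modules/tfx-cli/node_modules/uuid": { version: "13.0.1" },
    "node_modules/cli-wrapper/node_modules/follow-redirects": { version: "1.16.0", inBundle: true },
  },
};

// Package name is everything after the last "node_modules/" (keeps @scope/name).
function nameFromPath(p) {
  return p.slice(p.lastIndexOf("node_modules/") + "node_modules/".length);
}

// Name of the package this copy is nested under, or "" for a root-level copy.
function parentFromPath(p) {
  const i = p.lastIndexOf("/node_modules/");
  return i < 0 ? "" : nameFromPath(p.slice(0, i));
}

// Plain x.y.z comparison (no pre-release handling): is `version` >= `floor`?
function atLeast(version, floor) {
  const a = version.split(".").map(Number), b = floor.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) > (b[i] || 0);
  }
  return true;
}

// Every copy of `name`: inBundle copies ship inside the parent's tarball, so
// no override can reach them; `patched` says whether the copy meets the floor.
function auditCopies(lock, name, floor) {
  return Object.entries(lock.packages)
    .filter(([path]) => path && nameFromPath(path) === name)
    .map(([path, meta]) => ({
      path, version: meta.version, parent: parentFromPath(path),
      bundled: Boolean(meta.inBundle), overridable: !meta.inBundle,
      patched: atLeast(meta.version, floor),
    }));
}

// Copies still below the floor that no override can fix: these need a direct
// lock-file patch (as done for follow-redirects) or an upstream fix (uuid).
function unreachableBelowFloor(lock, name, floor) {
  return auditCopies(lock, name, floor).filter((c) => c.bundled && !c.patched);
}
```

Run `unreachableBelowFloor(lock, name, floor)` over the real lockfile after `npm install` to confirm that the only remaining below-floor copies are the documented deferred ones.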

jbujula and others added 2 commits June 17, 2026 17:19
Resolves all 9 high-severity npm-audit findings plus Dependabot alerts
across transitive dev/runtime deps. Strategy:

- Bump existing overrides to patched versions: basic-ftp ^6.0.1,
  serialize-javascript ^7.0.5, postcss ^8.5.15, qs ^6.15.2
- New flat overrides (single-major, single-instance, safe): tmp ^0.2.7,
  undici ^6.24.0, defu ^6.1.7, flatted ^3.4.2, form-data ^2.5.6,
  ip-address ^10.2.0, js-yaml ^4.2.0, lodash ^4.18.1
- Scoped overrides to avoid forcing inBundle siblings: tinyglobby>picomatch
  ^4.0.4 (leaves inBundle picomatch 2.3.2), tfx-cli>uuid ^13.0.1 (leaves
  inBundle uuid 3.4.0 under azure-pipelines-task-lib)
- Direct dep bump: tar ^7.5.16
- Lock-file patch (Strategy C) for follow-redirects 1.15.11 -> 1.16.0;
  overrides cannot reach it (inBundle via bundled cli-wrapper subtree)

Remaining 8 (down from 28) are documented accepted-risk/deferred:
- 6 low: elliptic chain (GHSA-848j-6mx2-7j84, dev-only, no patch)
- 2 moderate: uuid 3.4.0 bundled in azure-pipelines-task-lib (requires
  uuid ^3.0.1) -> needs upstream fix; cannot override a bundled subtree

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@jbujula jbujula merged commit 3ae9f84 into main Jun 18, 2026
5 checks passed
@jbujula jbujula deleted the users/jbujula/fix-dependency-vulns-2026-06 branch June 18, 2026 18:53