chore: fix dependency vulnerabilities (28 -> 8, all highs resolved) #1411

Merged
jbujula merged 1 commit into release/stable from users/jbujula/fix-dependency-vulns-2026-06-release
Jun 22, 2026

Conversation

@jbujula jbujula commented Jun 18, 2026

Summary

Cherry-pick of #1410 to release/stable.

  • Resolves all high-severity npm-audit findings plus Dependabot alerts across transitive dev/runtime deps (npm audit 28 → 8; remaining 8 are documented accepted-risk/deferred).
  • Same dependency changes as the main PR: override bumps (basic-ftp, serialize-javascript, postcss, qs), new flat overrides (tmp, undici, defu, flatted, form-data, ip-address, js-yaml, lodash), scoped overrides (tinyglobby→picomatch, tfx-cli→uuid), tar direct bump, and a package-lock.json Strategy C patch for the bundled follow-redirects 1.15.11 → 1.16.0.

Paired main PR

#1410

Known limitations / follow-ups

  • uuid 3.4.0 (runtime, S360 ADO #6420216) — bundled in azure-pipelines-task-lib (pins uuid ^3.0.1); needs upstream fix, cannot be overridden in a bundled subtree.
  • elliptic chain (6× low) — known permanent accepted risk (GHSA-848j-6mx2-7j84), dev-only, no patch.

Test plan

  • npm install clean
  • npm audit — 28 → 8 (all highs resolved; follow-redirects 1.16.0 verified)
  • npm run ci — compile + lint + restore pass (unitTest exempt: fails only on local Node 24, passes on CI Node 20)

🤖 Generated with Claude Code

Resolves all 9 high-severity npm-audit findings plus Dependabot alerts
across transitive dev/runtime deps. Strategy:

- Bump existing overrides to patched versions: basic-ftp ^6.0.1,
  serialize-javascript ^7.0.5, postcss ^8.5.15, qs ^6.15.2
- New flat overrides (single-major, single-instance, safe): tmp ^0.2.7,
  undici ^6.24.0, defu ^6.1.7, flatted ^3.4.2, form-data ^2.5.6,
  ip-address ^10.2.0, js-yaml ^4.2.0, lodash ^4.18.1
- Scoped overrides to avoid forcing inBundle siblings: tinyglobby>picomatch
  ^4.0.4 (leaves inBundle picomatch 2.3.2), tfx-cli>uuid ^13.0.1 (leaves
  inBundle uuid 3.4.0 under azure-pipelines-task-lib)
- Direct dep bump: tar ^7.5.16
- Lock-file patch (Strategy C) for follow-redirects 1.15.11 -> 1.16.0;
  overrides cannot reach it (inBundle via bundled cli-wrapper subtree)

Remaining 8 (down from 28) are documented accepted-risk/deferred:
- 6 low: elliptic chain (GHSA-848j-6mx2-7j84, dev-only, no patch)
- 2 moderate: uuid 3.4.0 bundled in azure-pipelines-task-lib (requires
  uuid ^3.0.1) -> needs upstream fix; cannot override a bundled subtree

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
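A check that follows from the point made above about bundled (inBundle) copies, added here as an example and not code from the PR or the project: it walks the `packages` map of a package-lock.json (lockfileVersion 2 or 3) and reports which stale copies of a package an npm `overrides` entry could fix and which are bundled, so need a lock-file patch or an upstream fix. The lock data inline is constructed to mirror the description, and the minimal semver comparison that ignores pre-release tags is an assumption.

```javascript
// Added example, not code from the PR. npm "overrides" only rewrite the
// resolvable tree; a copy marked inBundle keeps whatever version its parent
// shipped, which is why the bundled follow-redirects needed a lock patch.

// Parse "1.15.11" into [1, 15, 11]; pre-release tags are ignored (assumption).
function parseVersion(v) {
  return v.replace(/^[^0-9]*/, "").split(/[.+-]/, 3).map(Number);
}
function versionLt(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if ((x[i] || 0) !== (y[i] || 0)) return (x[i] || 0) < (y[i] || 0);
  }
  return false;
}

// Every installed copy of `name`: any node_modules path whose last segment is the name.
function findInstalls(lock, name) {
  return Object.entries(lock.packages || {})
    .filter(([p]) => p.endsWith("node_modules/" + name))
    .map(([p, meta]) => ({ path: p, version: meta.version, inBundle: Boolean(meta.inBundle) }));
}

// Copies still below `minVersion`, split by whether an override can reach them.
function auditPackage(lock, name, minVersion) {
  const stale = findInstalls(lock, name).filter((c) => versionLt(c.version, minVersion));
  return {
    overridable: stale.filter((c) => !c.inBundle), // fixable via package.json overrides
    bundled: stale.filter((c) => c.inBundle),      // needs lock patch or upstream fix
  };
}

// Constructed sample lock mirroring the PR description; not the project's real lock.
const sampleLock = { lockfileVersion: 3, packages: {
  "node_modules/follow-redirects": { version: "1.16.0" },
  "node_modules/cli-wrapper/node_modules/follow-redirects": { version: "1.15.11", inBundle: true },
  "node_modules/azure-pipelines-task-lib/node_modules/uuid": { version: "3.4.0", inBundle: true },
  "node_modules/tfx-cli/node_modules/uuid": { version: "13.0.1" },
} };

function report(lock) {
  return { "follow-redirects": auditPackage(lock, "follow-redirects", "1.16.0") };
}

// Usage: node audit-lock.js [path/to/package-lock.json]; falls back to the sample.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], "utf8")) : sampleLock;
  console.log(JSON.stringify(report(lock), null, 2));
}
```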
@jbujula jbujula merged commit 81a1033 into release/stable Jun 22, 2026
3 checks passed
@jbujula jbujula deleted the users/jbujula/fix-dependency-vulns-2026-06-release branch June 22, 2026 23:15