
chore(deps): remove stale package-lock.json to clear Dependabot alerts #1483

Merged

Wirasm merged 2 commits into dev from chore/remove-stale-package-lock
Apr 29, 2026

Conversation

Collaborator

@Wirasm Wirasm commented Apr 29, 2026

Summary

UX Journey

N/A — repo hygiene, no user-facing change.

Architecture Diagram

N/A — no module changes.

Label Snapshot

  • Risk: `risk: low`
  • Size: `size: XS`
  • Scope: `dependencies`
  • Module: `repo:tooling`

Change Metadata

  • Change type: `security` / `chore`
  • Primary scope: `multi` (repo-level)

Linked Issue

Validation Evidence (required)

```bash
bun run validate

check:bundled → up to date (36 commands, 20 workflows)
type-check → all packages exit 0
lint → 0 warnings, 0 errors
format:check → All matched files use Prettier code style
test → all packages pass (full suite green)
```

Also confirmed:

```bash
bun pm why axios

axios@1.15.1 ← @slack/bolt + @slack/web-api (override is load-bearing, kept as-is)
```

  • Evidence provided: full `bun run validate` exit 0 locally
  • Skipped: none

Security Impact (required)

  • New permissions/capabilities? No
  • New external network calls? No
  • Secrets/tokens handling changed? No
  • File system access scope changed? No

Note for follow-up: Dependabot's bun.lock coverage is incomplete — removing package-lock.json clears the visible alerts but doesn't audit the actual runtime tree. A separate sweep against bun.lock (e.g. via bun audit or manual review of the high-severity packages: undici, lodash, follow-redirects, qs, path-to-regexp) is worth doing as a follow-up if any of those resolve in the bun tree at vulnerable versions.

Compatibility / Migration

  • Backward compatible? Yes
  • Config/env changes? No
  • Database migration needed? No

Human Verification (required)

  • Verified scenarios:
    • `bun run validate` — all 5 phases green after removal
    • `bun pm why axios` — confirmed override is load-bearing in bun tree
    • Searched repo for any reference to `package-lock.json` outside docs/skills: only `auth-service/Dockerfile` mentions npm, and it explicitly uses `--no-package-lock`
  • Edge cases checked:
    • CI workflows (`test.yml`, `release.yml`, `deploy-docs.yml`, `e2e-smoke.yml`) all use `bun install`/`bun.lock` — none reference `package-lock.json`
    • The `overrides` block in `package.json` is consumed by Bun (`bun.lock` regenerates with overrides applied); not affected by lockfile removal
  • What was not verified:
    • Did not run `bun audit` against `bun.lock` — that's a separate triage (see Security Impact note)

Side Effects / Blast Radius (required)

  • Affected subsystems/workflows: none at runtime
  • Potential unintended effects: if a contributor was somehow relying on `npm install` reproducing the same tree as `bun install`, that workflow would now fail (but it had already drifted — package-lock.json hadn't been regenerated since April)
  • Guardrails/monitoring for early detection: `.gitignore` entry blocks accidental re-introduction

Rollback Plan (required)

  • Fast rollback command/path: `git revert ` — single-commit, additive-revert is trivial
  • Feature flags or config toggles: none
  • Observable failure symptoms: none expected

Risks and Mitigations

  • Risk: Dependabot alerts close based on the stale file going away rather than the underlying CVEs being patched in the runtime tree.
    • Mitigation: documented as a follow-up in Security Impact above. The `axios` override stays in place; future triages should run against `bun.lock`.

Summary by CodeRabbit

  • Chores
    • Added Git ignore patterns for JavaScript dependency lockfiles
    • Extended dependency version override specifications for package resolution consistency

Wirasm added 2 commits April 29, 2026 12:48
This file was deleted in #85 (Bun migration) but accidentally re-committed
in #89 unrelated to that PR's actual fix. It hasn't been touched since
April and isn't used by anything (CI runs `bun install`), but Dependabot
keeps scanning it — every one of the 21 open alerts triaged in #1353 is
against this file, not bun.lock.

Removing it closes all 21 alerts. The axios `^1.15.0` override in
package.json stays — it's doing real work for the bun tree because
@slack/bolt pulls in a vulnerable axios transitively (CVE-2025-62718).

Add package-lock.json (and yarn/pnpm lockfiles) to .gitignore so this
can't silently slip back in.

Closes #1353

Targets #1353 alerts that resolve in the actual runtime tree (bun.lock),
not just the stale package-lock.json removed in the previous commit.

Added overrides:
- follow-redirects ^1.16.0 — auth-header leak on cross-domain redirect
  (GHSA-r4q5-vmmm-2653); via @slack/bolt
- path-to-regexp ^8.4.2 — DoS via sequential optional groups
  (CVE-2026-4926, CVE-2026-4923); via @slack/bolt + claude-agent-sdk
- qs ^6.15.1 — arrayLimit bypass DoS
  (CVE-2025-15284, CVE-2026-2391); via @slack/bolt
- flatted ^3.4.2 — prototype pollution in parse()
  (CVE-2026-33228); dev-only via eslint chain

bun audit confirms each resolves to a single non-vulnerable version
across the tree. bun run validate green. No code changes — purely
transitive bumps; we don't import any of these directly.

Skipped (require deeper triage): undici, lodash, picomatch — each has
multiple major versions resolved in the bun tree, so a single override
would force-downgrade other consumers.
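The second commit message picks overrides by one criterion, and the Security Impact note above defers the same triage for the bun tree: a vulnerable package that resolves to a single major version across the tree can be pinned with one `^range`, while one that resolves to several majors cannot without force-downgrading other consumers. The script below is an added example, not code from this PR or the project; it applies that criterion to a flattened resolved-tree view (constructed sample data, not a real `bun.lock`) and also flags overrides for packages absent from the tree, which would be silent no-ops. The `undici` and `lodash` ranges are hypothetical.

```javascript
// Added example, not code from the PR or the project. It applies the rule
// the commit message gives for package.json "overrides": a vulnerable package
// resolving to ONE major across the tree can be pinned with a single ^range;
// one resolving to SEVERAL majors cannot, since a single range would
// force-downgrade the other consumers. RESOLVED is constructed sample data.

const RESOLVED = [
  { name: "follow-redirects", version: "1.15.9", via: "@slack/bolt" },
  { name: "qs", version: "6.15.1", via: "@slack/bolt" },
  { name: "undici", version: "5.28.4", via: "consumer-a" }, // constructed
  { name: "undici", version: "6.19.8", via: "consumer-b" }, // constructed
];

// Proposed overrides in the caret form package.json uses. The undici and
// lodash ranges are hypothetical; the other two are the ones the commit adds.
const PROPOSED = {
  "follow-redirects": "^1.16.0",
  qs: "^6.15.1",
  undici: "^6.99.0",
  lodash: "^4.17.21",
};

const parse = (v) => v.split(".").map(Number); // pre-release tags out of scope

// Minimal ^range check: same major and at least the range's floor.
function satisfiesCaret(version, range) {
  if (!range.startsWith("^")) throw new Error("only ^ranges are handled");
  const [vMaj, vMin, vPat] = parse(version);
  const [rMaj, rMin, rPat] = parse(range.slice(1));
  if (vMaj !== rMaj) return false;
  return vMin > rMin || (vMin === rMin && vPat >= rPat);
}

// Per override: "absent" (not in the tree, so a no-op), "conflict" (several
// majors resolved, needs per-consumer triage) or "safe", listing which
// consumers' copies the override would actually bump.
function planOverrides(resolved, proposed) {
  const plan = {};
  for (const [name, range] of Object.entries(proposed)) {
    const entries = resolved.filter((r) => r.name === name);
    const majors = [...new Set(entries.map((r) => parse(r.version)[0]))];
    if (entries.length === 0) plan[name] = { status: "absent", majors };
    else if (majors.length > 1) plan[name] = { status: "conflict", majors };
    else {
      const bumps = entries.filter((r) => !satisfiesCaret(r.version, range));
      plan[name] = { status: "safe", majors, bumps: bumps.map((r) => r.via) };
    }
  }
  return plan;
}
```

With the sample data, `follow-redirects` and `qs` come out "safe" (only the former would actually bump a consumer), `undici` is a "conflict" across majors 5 and 6, and `lodash` is "absent".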

coderabbitai Bot commented Apr 29, 2026

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between 7e4ea40 and 8dbff05.

⛔ Files ignored due to path filters (2)
  • bun.lock is excluded by !**/*.lock
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (2)
  • .gitignore
  • package.json

Walkthrough

Updates .gitignore to exclude JavaScript package manager lockfiles and extends package.json dependency overrides to enforce specific versions for follow-redirects, path-to-regexp, qs, and flatted to address transitive dependency vulnerabilities.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Lockfile ignores (`.gitignore`) | Added ignore patterns for npm, Yarn, and pnpm lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml) with clarification that Bun is the primary package manager. |
| Dependency overrides (`package.json`) | Extended overrides section with explicit version constraints for follow-redirects, path-to-regexp, qs, and flatted to resolve transitive dependency vulnerabilities while retaining existing axios override. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A rabbit hops through dep-land deep,
Patching vulns with overrides steep,
Bun's the one, npm don't stay,
Security locked, vulnerabilities away! 🔐

🚥 Pre-merge checks (5 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately describes the main change: removing the stale package-lock.json file and its linkage to clearing Dependabot alerts, which is the primary objective of this PR. |
| Description check | ✅ Passed | The PR description comprehensively covers all required template sections with substantial detail: problem statement, justification, scope boundaries, validation evidence, security impact analysis, compatibility notes, human verification steps, side effects assessment, and rollback plan. |
| Linked Issues check | ✅ Passed | The PR directly addresses issue #1353 by removing the stale package-lock.json that was generating all 21 Dependabot alerts, effectively resolving the primary objective of triaging and clearing noise from that issue. |
| Out of Scope Changes check | ✅ Passed | The file changes (removing package-lock.json and updating .gitignore and package.json overrides) are all directly scoped to addressing the package-lock.json removal objective in issue #1353 with no unrelated modifications. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@Wirasm Wirasm merged commit 25531df into dev Apr 29, 2026
4 checks passed
@Wirasm Wirasm deleted the chore/remove-stale-package-lock branch April 29, 2026 10:08


Development

Successfully merging this pull request may close these issues.

Triage open Dependabot vulnerabilities (20 remaining after 0.3.7)

1 participant