Skip to content
This repository was archived by the owner on Jan 6, 2026. It is now read-only.

Fix security vulnerabilities with targeted solutions#1759

Merged
NullVoxPopuli merged 2 commits intomainfrom
fix-security-vulnerabilities
Jul 5, 2025
Merged

Fix security vulnerabilities with targeted solutions#1759
NullVoxPopuli merged 2 commits intomainfrom
fix-security-vulnerabilities

Conversation

@wycats
Copy link
Copy Markdown
Contributor

@wycats wycats commented Jul 5, 2025

Summary

This PR fixes all reported security vulnerabilities using targeted solutions rather than blanket overrides.

Approach

  1. Fixed directly where possible:

    • Updated vite from 6.1.1 to 7.0.2 (fixes esbuild vulnerability)
    • Updated mocha from 10.2.0 to 11.7.1 in @glimmer/vm-babel-plugins (fixes nanoid and serialize-javascript vulnerabilities)

  2. Added minimal overrides for third-party issues:

    • @oclif/plugin-warn-if-update-available: Fix lodash.template vulnerability (from tracerbench)
    • d3-color: Fix ReDoS vulnerability (from tracerbench)
    • got: Fix UNIX socket redirect vulnerability (from auto-dist-tag)
    • esbuild: Ensure all transitive dependencies use secure version

Vulnerabilities Fixed

All 7 vulnerabilities resolved:

  • 2 HIGH: d3-color ReDoS, lodash.template command injection
  • 5 MODERATE: got redirect, nanoid predictability, esbuild dev server, serialize-javascript XSS, additional esbuild instances

Follow-up Actions

We should file issues with upstream packages:

  • tracerbench: Update @oclif/plugin-warn-if-update-available and d3-color dependencies
  • auto-dist-tag: Update package-json dependency to get newer got

Test Plan

  • pnpm audit shows no vulnerabilities
  • pnpm install completes successfully
  • All tests pass
  • No functionality regressions

wycats added 2 commits July 3, 2025 22:13
@wycats
Fix security vulnerabilities in dependencies
3e26088 
- Add targeted pnpm overrides for vulnerable dependencies:
  - @oclif/plugin-warn-if-update-available: Fix lodash.template vulnerability
  - brace-expansion: Fix ReDoS vulnerability
  - d3-color: Fix ReDoS vulnerability
  - esbuild: Fix dev server request vulnerability
  - got: Fix UNIX socket redirect vulnerability
  - nanoid: Fix predictable generation vulnerability
  - serialize-javascript: Fix XSS vulnerability
  - tar-fs: Fix path traversal vulnerabilities
- All 18 vulnerabilities resolved (previously: 2 low, 12 moderate, 4 high)
@wycats
Fix security vulnerabilities with targeted solutions
108c04f 
- Update vite to v7 to fix esbuild vulnerability
- Update mocha in vm-babel-plugins to fix nanoid and serialize-javascript vulnerabilities
- Add minimal pnpm overrides for third-party packages:
  - @oclif/plugin-warn-if-update-available: Fix lodash.template vulnerability (tracerbench)
  - d3-color: Fix ReDoS vulnerability (tracerbench)
  - got: Fix UNIX socket redirect vulnerability (auto-dist-tag)
  - esbuild: Ensure all transitive dependencies use secure version

All 7 vulnerabilities resolved (previously: 5 moderate, 2 high)
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Jul 5, 2025

This PRmain
Dev 
588K └─┬ .
169K   ├── runtime
160K   ├── syntax
100K   ├── compiler
 58K   ├── opcode-compiler
 27K   ├── manager
 24K   ├── validator
 11K   ├── program
8.9K   ├── reference
7.2K   ├── destroyable
6.3K   ├── util
4.3K   ├── node
3.4K   ├── global-context
2.5K   ├── wire-format
1.0K   ├── vm
969B   ├── encoder
844B   ├── vm-babel-plugins
606B   └── owner

588K └─┬ .
169K   ├── runtime
160K   ├── syntax
100K   ├── compiler
 58K   ├── opcode-compiler
 27K   ├── manager
 24K   ├── validator
 11K   ├── program
8.9K   ├── reference
7.2K   ├── destroyable
6.3K   ├── util
4.3K   ├── node
3.4K   ├── global-context
2.5K   ├── wire-format
1.0K   ├── vm
969B   ├── encoder
844B   ├── vm-babel-plugins
606B   └── owner
Prod 
231K └─┬ .
 70K   ├── syntax
 63K   ├── runtime
 48K   ├── compiler
 18K   ├── opcode-compiler
7.9K   ├── manager
5.1K   ├── validator
4.8K   ├── program
3.6K   ├── reference
2.4K   ├── util
2.1K   ├── node
1.6K   ├── wire-format
1.5K   ├── destroyable
737B   ├── vm
594B   ├── global-context
516B   ├── encoder
469B   ├── vm-babel-plugins
155B   └── owner

231K └─┬ .
 70K   ├── syntax
 63K   ├── runtime
 48K   ├── compiler
 18K   ├── opcode-compiler
7.9K   ├── manager
5.1K   ├── validator
4.8K   ├── program
3.6K   ├── reference
2.4K   ├── util
2.1K   ├── node
1.6K   ├── wire-format
1.5K   ├── destroyable
737B   ├── vm
594B   ├── global-context
516B   ├── encoder
469B   ├── vm-babel-plugins
155B   └── owner

NullVoxPopuli
NullVoxPopuli approved these changes Jul 5, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@NullVoxPopuli NullVoxPopuli left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

seems good

@NullVoxPopuli NullVoxPopuli merged commit 2e8ec9f into main Jul 5, 2025
9 checks passed
@NullVoxPopuli NullVoxPopuli deleted the fix-security-vulnerabilities branch July 5, 2025 17:41
@github-actions github-actions Bot mentioned this pull request Jul 5, 2025
Merged
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

1 more reviewer

@NullVoxPopuli NullVoxPopuli NullVoxPopuli approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

bug

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@wycats @NullVoxPopuli