chore(deps): bump @fastify/static to ^9.1.3 (closes W7 prod CVE) #68
Merged
Conversation
…od CVE)

@fastify/static v8 has two moderate CVEs that #66 dragged into the production tree when it added the package as a direct dep on the CLI:
- GHSA-pr96-94w5-mx2h (path traversal in directory listing)
- GHSA-x428-ghpx-8j92 (route-guard bypass via encoded separators)

Verified:
- npm audit --omit=dev --audit-level=moderate → 0 vulnerabilities
- All workspaces' tests pass (shared 93/93, server 19/19, cli 83/83, web 22/22 = 217 total)
- All workspaces' coverage thresholds pass
- Live serve smoke: /health ok, web UI + assets serve, SPA fallback intact, path-traversal probes return safe index.html (CVE patch confirmed in the running app).

The dev-only `esbuild`-via-`vitest@1` advisories that the original W7 finding called out are intentionally NOT addressed here. Per `01:38` they're not a launch blocker, and the new audit gate in the follow-up PR (#69) only fails dev-tree at high+. A vitest 4 bump would force lowering coverage thresholds because @vitest/coverage-v8@4 instruments arrow functions / inline callbacks more aggressively; not worth the trade for non-blocking dev moderates.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
c7dd613 to cfe8660
naorsabag added a commit that referenced this pull request, May 4, 2026:
The previous single `npm audit --audit-level=high` gate let W7's moderate `@fastify/static` CVE land on master via #66 without flagging it. Splitting the audit step:
- prod tree (`--omit=dev --audit-level=moderate`) — anything moderate+ that ships to end users blocks the merge.
- full tree (`--audit-level=high`) — dev-only advisories don't reach users, so block on high+critical only to avoid noise.

Verified locally on master @ c8392c7 (pre-W7-fix tree): the new prod-tree gate exits 1 (catches the @fastify/static GHSA), while the full-tree gate stays at exit 0. Once #68 merges, both gates pass.

Also enabled Dependabot vulnerability alerts + automated security fixes via the GitHub API on naorsabag/OpenHop. With those on, security updates produce PRs that bypass dependabot.yml's major-version ignore filter — closing the gap that let GHSA-pr96-94w5-mx2h linger silently between #66 and #68. Annotated dependabot.yml's ignore block to call out the security-update bypass so future tightening doesn't accidentally close the gap again.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Bumps `@fastify/static` from `^8.0.0` to `^9.1.3` in `packages/cli/package.json` to close two moderate CVEs that #66 pulled into the production dependency tree:
- GHSA-pr96-94w5-mx2h — path traversal in directory listing
- GHSA-x428-ghpx-8j92 — route-guard bypass via encoded path separators

This is largely the same change as the Dependabot-generated #70; either can land. The `@fastify/static` portion is the only one that closes a blocker. The dev-only `vitest`/`esbuild` moderates from the original W7 finding are deliberately not addressed here — see "Why no vitest bump" below.

Why no vitest bump

The original W7 finding called out 5 dev-only `esbuild` advisories via `vitest@1`. The fix path requires `vitest@4`, but `@vitest/coverage-v8@4` instruments arrow functions and inline callbacks more aggressively than v1. The same code that scored 100% functions / 90% branches under v1 scores 87% functions / 63% branches under v4 — across all three coverage-gated packages. Lowering thresholds to "match what v4 reports today" defeats the purpose of having thresholds, and `01:38` explicitly says only high/critical advisories are launch blockers. The new audit gate in #69 is also tuned to match: dev tree at `--audit-level=high`, prod tree at `--audit-level=moderate`. So the dev moderates stay surfaced as Dependabot alerts but don't block CI.

Test plan
- `npm audit --omit=dev --audit-level=moderate` → 0 vulnerabilities
- `npm test` per workspace: shared 93/93, server 19/19, cli 83/83, web 22/22 = 217/217
- `npm run test:coverage` per workspace: all 3 coverage-gated workspaces (shared, server, web) exit 0 — thresholds intact
- `npm run lint --workspaces`, `npm run typecheck --workspaces`, `npm run format:check`, `npm run build --workspaces` — clean
- `openhop serve`: `/health` returns ok, web UI + 1.8MB asset bundle serve, `/flow/<id>` SPA fallback works, path-traversal probes return the safe `index.html` shell — CVE patch confirmed at runtime.

🤖 Generated with Claude Code