Skip to content

fix(deps): resolve 8 npm audit vulnerabilities#244

Open
0xAxiom wants to merge 1 commit intomainfrom
fix/security-audit-vulnerabilities
Open

fix(deps): resolve 8 npm audit vulnerabilities#244
0xAxiom wants to merge 1 commit intomainfrom
fix/security-audit-vulnerabilities

Conversation

@0xAxiom
Copy link
Copy Markdown
Owner

@0xAxiom 0xAxiom commented May 1, 2026

What

Runs npm audit fix to patch all 8 open security vulnerabilities in the dependency tree.

Vulnerabilities resolved:

Severity Package Old → New Issue
🔴 Critical handlebars 4.7.8 → 4.7.9 JS injection via AST type confusion (GHSA-3mfm-83xf-c92r, GHSA-2w6w-674q-4c4q)
🟠 High flatted 3.3.3 → 3.4.2 Prototype pollution / unbounded recursion DoS
🟠 High lodash 4.17.23 → 4.18.1 Code injection via _.template
🟠 High picomatch patched Method injection in POSIX character classes + ReDoS
🟠 High vite 7.3.1 → 7.3.2 Path traversal + arbitrary file read via WebSocket
🟡 Moderate yaml 2.8.2 → 2.8.3 Stack overflow via deeply nested YAML
🟡 Moderate brace-expansion patched (x2) Two version pins fixed

Why

npm audit was reporting 8 vulnerabilities (3 moderate, 4 high, 1 critical). All are fixable without breaking changes — npm audit fix --dry-run confirmed no major version bumps needed.

Tested

  • All 252 unit + integration tests pass after the update (npm run test)
  • npm audit reports found 0 vulnerabilities after fix

@0xAxiom
fix(deps): resolve 8 npm audit vulnerabilities via audit fix
d2ebfd1 
Resolves 1 critical + 4 high + 3 moderate vulnerabilities:
- critical: handlebars 4.7.8 -> 4.7.9 (JS injection via AST type confusion)
- high: flatted 3.3.3 -> 3.4.2 (prototype pollution / DoS)
- high: lodash 4.17.23 -> 4.18.1 (code injection via template)
- high: picomatch patched (method injection / ReDoS)
- high: vite 7.3.1 -> 7.3.2 (path traversal / arbitrary file read)
- moderate: yaml 2.8.2 -> 2.8.3 (stack overflow via deep YAML)

All 252 tests pass after update.
@0xAxiom 0xAxiom requested a review from MeltedMindz as a code owner May 1, 2026 02:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@MeltedMindz MeltedMindz Awaiting requested review from MeltedMindz MeltedMindz is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@0xAxiom