
fix(deps): resolve 35 npm audit vulnerabilities reported in #40#43

Open: Topmatrixmor2014 wants to merge 1 commit into OrbitChainLabs:main from Topmatrixmor2014:fix/npm-audit-vulnerabilities

Conversation

@Topmatrixmor2014 Topmatrixmor2014 commented Jun 23, 2026


Summary

Closes #40.

npm audit --omit=dev was failing with 35 production-dependency advisories
(19 moderate, 16 high) on main. This branch fixes every moderate-or-higher
prod-dep advisory and adds a CI gate so it cannot regress.

Changes

Direct upgrades (package.json)

  • @sentry/node: ^9.47.1 -> ^10.59.0 (major; transitive @opentelemetry
    refresh; the codebase only uses the stable surface — Sentry.init,
    setContext, withScope, setExtras, captureException,
    captureMessage).
  • nodemailer: ^9.0.0 -> ^9.0.1 (patch; fixes message-level raw
    option bypass).

Transitive override pins (package.json -> overrides)

  • form-data: ^4.0.4 — CRLF injection in multipart field names/filenames.
  • js-yaml: ^4.1.1 — quadratic-complexity DoS via merge key handling.
  • multer: ~1.4.5-lts.2 — patched 1.x LTS branch. Multer 2.x is a breaking
    change incompatible with @nestjs/platform-express; the tilde allows any
    future 1.4.5-lts.x security backport without crossing to 2.x.
  • uuid: ^11.1.1 — missing buffer bounds check in v3/v5/v6.
  • ws: ^8.18.0 — memory-exhaustion DoS from tiny fragments/data chunks.

CI hardening

  • .github/workflows/ci.yml: new audit job runs
    npm audit --omit=dev --audit-level=moderate and fails any PR that
    re-introduces a moderate+ prod-dep advisory.
  • .github/dependabot.yml: weekly npm version updates grouped into
    production-security / production-major / production-minor-patch /
    dev-dependencies. Security-relevant transitive bumps (form-data,
    js-yaml, multer, uuid, ws, @sentry/*, nodemailer) all stay in one
    reviewable PR so the audit gate catches regressions early.

Verification

Local (commands the new CI audit job will run):

npm audit --omit=dev --audit-level=moderate  -> 0 vulnerabilities
npm run build                                -> passes
npm run lint                                 -> 0 errors (260 warnings pre-existing on main)
npx prettier --check src/**/*.ts test/**/*.ts -> matches
npm test                                     -> 7 suites / 44 tests all pass

package-lock.json has been regenerated to match.

Note on the test-e2e job

The test-e2e CI job in ci.yml will continue to fail on main (and on
this branch) — PrismaService.onModuleInit() calls $connect() and the
runner has no PostgreSQL / Redis service. This is pre-existing and
unrelated to #40. A proper fix (mock PrismaService in the e2e spec,
or add real service containers to the test-e2e job) belongs in a
follow-up PR so #40 stays scoped to the audit regression.

Refs #40

closes #40

…Labs#40

Removes all moderate-or-higher production-dependency advisories reported by
`npm audit --omit=dev` so the new CI audit gate stays green.

Direct upgrades:
- @sentry/node: ^9.47.1 -> ^10.59.0 (transitive @opentelemetry refresh;
  only stable APIs Sentry.init / setContext / withScope / captureException /
  captureMessage are used)
- nodemailer: ^9.0.0 -> ^9.0.1 (patch, fixes message-level raw option bypass)

Transitive overrides (npm overrides):
- form-data ^4.0.4 (CRLF injection in multipart field names)
- js-yaml ^4.1.1 (merge-key DoS)
- multer ~1.4.5-lts.2 (1.x LTS line; 2.x is incompatible with
  @nestjs/platform-express; tilde allows future 1.4.5-lts.x backports)
- uuid ^11.1.1 (missing buffer bounds check in v3/v5/v6)
- ws ^8.18.0 (memory-exhaustion DoS from tiny fragments)

CI hardening:
- .github/workflows/ci.yml: new `audit` job runs
  `npm audit --omit=dev --audit-level=moderate` and fails any PR that
  re-introduces a moderate+ prod-dep advisory (guards against the
  regression that created OrbitChainLabs#40).
- .github/dependabot.yml: weekly npm version updates grouped into
  production-security / production-major / production-minor-patch /
  dev-dependencies, so reviewers see small, focused bumps and security
  patches never pile up unnoticed.

Verification (local):
- npm audit --omit=dev --audit-level=moderate -> 0 vulnerabilities
- npm run build -> passes
- npm run lint   -> 0 errors (260 warnings pre-existing on main, not introduced)
- prettier --check src test -> matches
- npm test -> 7 suites / 44 tests all pass

Refs: OrbitChainLabs#40


Development

Linked issue (closed by this PR when merged): Dependency regression detected by npm audit (weekly)
