fix: resolve all npm audit vulnerabilities #422

Open
tejaskash wants to merge 1 commit into main from worktree-fix-npm-audit

Conversation

@tejaskash (Contributor)

Summary

  • Upgrade aws-cdk-lib to ^2.240.0 — now uses minimatch@^10.2.1 natively and is no longer bundled, resolving GHSA-3ppc-4f35-3m26 for CDK
  • Upgrade @aws-cdk/toolkit-lib to ^1.16.0 — drops the archiver dependency chain (which pulled in vulnerable minimatch via glob and readdir-glob)
  • Add minimatch override to 10.2.1 for remaining transitive deps (eslint, typescript-eslint, eslint-plugin-import, eslint-plugin-react, prettier-plugin-sort-imports)
  • Update ajv 6.12.6 → 6.14.0 via npm audit fix (GHSA-2g4f-4pwh-qvx6) — v6 patch is now available

Before: 16 vulnerabilities (1 moderate, 15 high)
After: 0 vulnerabilities; npm run security:audit passes

Test plan

  • npm audit reports 0 vulnerabilities
  • npm run security:audit passes
  • npm run lint passes
  • npm run build passes
  • npm test — all 1,754 unit tests pass
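The PR fixes the audit findings with two mechanisms: dependency upgrades and an npm `overrides` pin that forces every transitive copy of minimatch to 10.2.1. The script below is an added example, not code from this PR or its project, written in JavaScript because the project is an npm package. It shows two checks that a CI step in the spirit of the PR's `npm run security:audit` (whose real contents are not visible here, so this is an assumed stand-in) can run after such a fix: a severity gate over `npm audit --json` output, and a walk of `npm ls --all --json` output that confirms every copy of the overridden package actually resolved to the pinned version rather than assuming the override took effect. All JSON inputs are constructed samples in the shape npm v7+ emits; the project name `example-app`, the eslint version and the dependency paths are made up, while the minimatch and aws-cdk-lib versions and the before/after counts come from the PR text.

```javascript
// Added example, not code from the PR or the project it belongs to. Two CI
// checks to run after fixing npm audit findings with upgrades plus an
// "overrides" pin:
//   1. gate on `npm audit --json`: fail if any finding is at or above a chosen
//      severity;
//   2. walk `npm ls --all --json` and confirm every copy of the overridden
//      package resolved to the pinned version, so an override that did not
//      reach some copy (a bundled dependency, for instance) is caught.
// All JSON below is constructed sample data in the shape npm v7+ emits; the
// package versions other than those named in the PR are made up.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed package.json fragment in the form this PR's override takes.
const PACKAGE_JSON = {
  name: 'example-app', // assumed project name
  overrides: { minimatch: '10.2.1' },
};

// Constructed `npm audit --json` output mirroring the counts the PR reports
// before (1 moderate, 15 high) and after (none) the fix.
const AUDIT_BEFORE = {
  auditReportVersion: 2,
  vulnerabilities: {
    minimatch: { name: 'minimatch', severity: 'high', isDirect: false, range: '<10.2.1' },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 15, critical: 0, total: 16 } },
};
const AUDIT_AFTER = {
  auditReportVersion: 2,
  vulnerabilities: {},
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 0, high: 0, critical: 0, total: 0 } },
};

// Constructed `npm ls --all --json` trees: one where the override reached every
// copy of minimatch, one where a nested copy still resolved to an old release.
const LS_AFTER = {
  name: 'example-app', version: '1.0.0',
  dependencies: {
    'aws-cdk-lib': { version: '2.240.0', dependencies: { minimatch: { version: '10.2.1' } } },
    eslint: { version: '9.0.0', dependencies: { minimatch: { version: '10.2.1' } } },
  },
};
const LS_STRAY = JSON.parse(JSON.stringify(LS_AFTER));
LS_STRAY.dependencies.eslint.dependencies.minimatch.version = '3.1.2';

// Count findings at or above `threshold` from the audit report's metadata block.
function auditFindings(report, threshold = 'high') {
  const counts = report.metadata.vulnerabilities;
  const minRank = SEVERITY_RANK[threshold];
  let blocking = 0;
  for (const [severity, n] of Object.entries(counts)) {
    if (severity in SEVERITY_RANK && SEVERITY_RANK[severity] >= minRank) blocking += n;
  }
  return { total: counts.total, blocking, pass: blocking === 0 };
}

// Recursively collect every resolved version of `pkg` in an `npm ls` tree,
// keyed by version, with the dependency path that led to each copy.
function collectVersions(tree, pkg, found = new Map(), path = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    if (name === pkg && node.version) {
      const paths = found.get(node.version) || [];
      paths.push(here.join(' > '));
      found.set(node.version, paths);
    }
    collectVersions(node, pkg, found, here);
  }
  return found;
}

// Pass only if every copy of `pkg` resolved to the version the override pins.
function overrideApplied(lsTree, pkg, pinned) {
  const versions = collectVersions(lsTree, pkg);
  const stray = [...versions.keys()].filter((v) => v !== pinned);
  return { pkg, pinned, versions: Object.fromEntries(versions), stray, pass: stray.length === 0 };
}

// Combine both gates; in CI, feed the real command output instead of the samples.
function runChecks(audit = AUDIT_AFTER, lsTree = LS_AFTER, pkgJson = PACKAGE_JSON) {
  const auditResult = auditFindings(audit, 'moderate');
  const overrideResults = Object.entries(pkgJson.overrides || {}).map(([pkg, pinned]) =>
    overrideApplied(lsTree, pkg, pinned),
  );
  return { auditResult, overrideResults, pass: auditResult.pass && overrideResults.every((r) => r.pass) };
}

console.log(JSON.stringify(runChecks(), null, 2));
console.log(JSON.stringify(runChecks(AUDIT_BEFORE, LS_STRAY), null, 2));
```

The second check is the one worth keeping alongside an override: `npm audit` only reports what the lockfile resolved, so a copy that the override missed shows up as a stray version in `overrideResults` with the path that pulled it in. The same walk also answers the reviewer's question over time: once every dependency's own range admits the fixed release, the tree resolves to the pinned version without the override and the pin can be dropped.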

@tejaskash tejaskash requested a review from a team February 24, 2026 19:48
@github-actions github-actions bot added the size/xs PR size: XS label Feb 24, 2026
- Upgrade aws-cdk-lib to ^2.240.0 which now uses minimatch ^10.2.1
  natively (no longer bundled), fixing GHSA-3ppc-4f35-3m26
- Upgrade @aws-cdk/toolkit-lib to ^1.16.0 which drops archiver
  dependency chain
- Add minimatch override to 10.2.1 for remaining transitive deps
  (eslint, typescript-eslint, eslint-plugin-import, eslint-plugin-react,
  prettier-plugin-sort-imports)
- Update ajv 6.12.6 -> 6.14.0 via npm audit fix (GHSA-2g4f-4pwh-qvx6)

npm audit now reports 0 vulnerabilities.
@tejaskash tejaskash force-pushed the worktree-fix-npm-audit branch from 94d5d2c to 9b365f4 Compare February 24, 2026 20:12
@github-actions github-actions bot added size/xs PR size: XS and removed size/xs PR size: XS labels Feb 24, 2026
@github-actions (Contributor)

Coverage Report

Status  Category    Percentage  Covered / Total
🔵      Lines       43.88%      2962 / 6749
🔵      Statements  43.48%      3118 / 7171
🔵      Functions   45.72%      615 / 1345
🔵      Branches    48.51%      1924 / 3966
Generated in workflow #627 for commit 9b365f4 by the Vitest Coverage Report Action

@notgitika notgitika (Contributor) left a comment


I don't know if we need the override but I'm fine with it for now.
LGTM otherwise
