
[npm] Updated packages with npm audit fix and rebuilt the frontend #2395

Merged: masaton0216 merged 2 commits into master from npm-audit-fix-20260330 on Apr 6, 2026

Conversation

@masaton0216 (Contributor) commented Mar 30, 2026

Summary

Updated the vulnerable packages with npm audit fix and rebuilt the frontend with npm ci + npm run prod.

Version changes per library

Package            Old version      New version
ajv                6.12.6           6.14.0
ajv (nested)       8.17.1           8.18.0
axios              1.9.0            1.14.0
bn.js              4.12.2 / 5.2.2   4.12.3 / 5.2.3
body-parser        1.20.3           1.20.4
brace-expansion    1.1.11           1.1.13
browserify-sign    4.2.3            4.2.5
follow-redirects   1.15.9           1.15.11
parse-asn1         5.1.7            5.1.9
path-to-regexp     0.1.12           0.1.13
pbkdf2             3.1.3            3.1.5
proxy-from-env     1.1.0            2.1.0
raw-body           2.5.2            2.5.3
ripemd160          2.0.2            2.0.3
yaml               1.10.2           1.10.3

Remaining vulnerabilities

18 vulnerabilities (5 low, 8 moderate, 5 high) remain that npm audit fix cannot address. Each of them either requires --force (a breaking change) or has no fix available yet. All of them are development dependencies (devDependencies), so there is no direct impact on the production client side.

  • elliptic: no fix available (via laravel-mix)
  • fabric / tui-image-editor: requires --force (breaking change)
  • webpack-dev-server: no fix available (via laravel-mix)

Requested review-by date

Minor change, no rush.

Related pull requests / issues

#2394
#2392
#2390

Reference 1 (npm audit fix)

# npm audit fix

added 5 packages, removed 4 packages, changed 25 packages, and audited 952 packages in 6s

118 packages are looking for funding
  run `npm fund` for details

# npm audit report

elliptic  *
Elliptic Uses a Cryptographic Primitive with a Risky Implementation - https://github.com/advisories/GHSA-848j-6mx2-7j84
No fix available
node_modules/elliptic

fabric  <=7.1.0
Severity: high
Fabric.js Affected by Stored XSS via SVG Export - https://github.com/advisories/GHSA-hfvx-25r5-qc3w
fix available via `npm audit fix --force`
Will install tui-image-editor@3.7.2, which is a breaking change

qs  <6.14.1
Severity: moderate
fix available via `npm audit fix --force`
Will install tui-image-editor@3.7.2, which is a breaking change

tar  <=7.5.10
Severity: high
fix available via `npm audit fix`

tough-cookie  <4.1.3
Severity: moderate
fix available via `npm audit fix --force`
Will install tui-image-editor@3.7.2, which is a breaking change

webpack-dev-server  <=5.2.0
Severity: moderate
No fix available

18 vulnerabilities (5 low, 8 moderate, 5 high)

Reference 2 (npm ci && npm run prod)

✔ Compiled Successfully in 23955ms

  /js/app.js           533 KiB
  /js/codemirror.js    667 KiB
  /js/wysiwyg.js       2.08 MiB
  css/app.css          294 KiB
  js/707.js            19.1 KiB

webpack compiled successfully

DB changes

None

Checklist

@masaton0216 masaton0216 self-assigned this Mar 30, 2026
@masaton0216 masaton0216 added the developer update (developer-facing update) label Mar 30, 2026
@masaton0216 masaton0216 merged commit 8b93412 into master Apr 6, 2026
1 check passed
@masaton0216 masaton0216 deleted the npm-audit-fix-20260330 branch April 6, 2026 02:47