Frontend audit hardening: pin vulnerable transitive deps via npm overrides

[Copilot]

npm run audit:ci was failing in CI due to frontend dependency vulnerabilities (including transitive packages pulled via the Vite/Vitest toolchain). This PR constrains vulnerable packages in frontend so the audit gate can resolve to patched versions through lockfile regeneration.

• Dependency security updates (frontend/package.json)

  • Bumped direct dependency:
    • axios → ^1.15.0
  • Added targeted overrides for vulnerable/flagged packages:
    • axios, follow-redirects, esbuild, vite, vitest
  • Kept existing picomatch-related override structure intact and removed duplicate/ambiguous override key usage.

• Lockfile alignment (frontend/package-lock.json)

  • Regenerated lockfile to apply override resolution consistently for CI installs.

• Resulting override pattern

  {
    "overrides": {
      "axios": "^1.15.0",
      "follow-redirects": "^1.16.0",
      "esbuild": "^0.28.0",
      "vite": "^7.3.2",
      "vitest": "^3.2.4"
    }
  }

Original prompt

The npm run audit:ci step in GitHub Actions workflows is failing because vite and vitest depend on vulnerable versions of esbuild and other nested dependencies.

Please fix these "Moderate" and "High" frontend npm audit vulnerabilities.

Requirements:

1. Only modify files in the frontend/ directory (specifically frontend/package.json and frontend/package-lock.json).
2. Do not touch any backend or Python files (e.g., main.py, database.py) or UI React components (.jsx).
3. Add an overrides block in frontend/package.json to force secure versions of esbuild, vite, vitest, and any other flagged dependencies (like picomatch and axios if applicable) to ensure npm audit returns 0 vulnerabilities.
4. Run npm install inside the frontend folder to update the package-lock.json file accordingly.
5. Verify that npm audit returns zero vulnerabilities before committing.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: is there a issue with vite in this repo tha the pr are failing audit tests?

Assistant: Yes, there are issues related to vite and failing audit tests in this repository.

Specifically, Issue #112 ("Frontend NPM Dependency Vulnerabilities") was opened because npm audit identified vulnerabilities in frontend dependencies. vite and vitest were flagged with moderate severity vulnerabilities due to their dependency on esbuild.

This has caused problems in Pull Requests, notably where the GitHub Actions Security Audit workflow (npm run audit:ci) failed. In some attempts to fix this vulnerability, PRs encountered further CI failures when vite was bumped to a non-existent version (like vite@^7.4.0), breaking the npm install step.

User: what should we do?

Assistant: To resolve the vite and esbuild audit failures, you have a couple of options depending on how you want to proceed:

1. Review the Open Pull Request

There is currently an open PR (PR #214) titled "Update idb-keyval version in package.json" where a contributor notes they have "resolved the npm audit vulnerabilities and made the necessary overrides."

• Action: Review and test PR Update idb-keyval version in package.json #214. If their overrides successfully pass the CI npm audit checks and don't break the frontend build, you can approve and merge it.

2. Fix it Manually using NPM Overrides

If the PR isn't ready or you prefer to fix it yourself, the issue stems from vite and vitest relying on a vulnerable version of esbuild. You can force npm to use a patched version of esbuild via the package.json overrides feature.

1. Open frontend/package.json.
2. Add an overrides block to force a secure version of esbuild (and any other flagged packages like cross-spawn or picomatch):

  "overrides": {
    "esbuild": "^0.25.0",
    "vite": "^6.0.0",
    "vitest": "^3.0.0"
  }

(Make sure to check the latest stable versions of these packages that contain the security patches).

3. Run the following commands to apply and test the fix:

cd frontend
npm install
npm audit

4. Once npm audit returns 0 vulnerabilities, commit the updated package.json and package-lock.json files to fix the CI workflow.

User: if i merge pr 214 will it be ok?

Assistant: Merging PR #214 is not recommended.

Although the author claims it resolves the npm audit issues, a review of the files modified in the PR shows several major red flags:

1. Missing the Actual Fix: The PR title mentions updating idb-keyval, but that package isn't even modified in the package.json. Furthermore, while the PR adds some overrides for picomatch and axios, it completely misses the esbuild override needed to actually fix the vite and vitest vulnerabilities.
2. Unrelated Backend Changes (Breaking Code): The PR changes Python backend files (database.py and main.py) by hardcoding paths to Path.cwd() / "data" / .... This overrides the application's existing configuration setup and could break production deployments that rely on environment variables for file paths.
3. Unrelated UI Changes: The PR includes a massive "kitchen sink" of unrequested frontend changes across multiple React components (ReportDetailPage.jsx, ScanResultsPageV2.jsx, ScannerPage.jsx), making it very risky to merge.

What you should do instead:
Close PR #214 and manually apply the correct, minimal fix just for the frontend.

You can do this by adding the following overrides to frontend/package.json yourself:

  "overrides": {
    "esbuild": "^0.25.0",
    "vite": "^6.0.0",
    "vitest": "^3.0.0"
  }

Then run npm install and npm audit in the frontend folder to safely generate a clean package-lock.json without introducing unrelated bugs to the rest of your app.

User: you create a pr to fix the issue

Assistant: I'm preparing a pull request with the secure depe...

This pull request was created from Copilot chat.