Skip to content

Release: security remediation + updates#6

Merged
gibbsie merged 1 commit into
mainfrom
release-github-2026-06-19
Jun 19, 2026
Merged

Release: security remediation + updates#6
gibbsie merged 1 commit into
mainfrom
release-github-2026-06-19

Conversation

@gibbsie

@gibbsie gibbsie commented Jun 19, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Security sweep: remediate Dependabot & CodeQL alerts (deps, sanitization, logging, RNG)

Summary

Resolves the open Dependabot (61) and CodeQL Code Scanning (21) alerts on the repository. The bulk are fixed via dependency upgrades and targeted code changes; a small set of non-applicable / no-patch findings are risk-accepted with documented justifications. Backend + frontend builds, the full backend test suite, and cdk synth are all green.

Dependency upgrades (Dependabot)

Package Change Clears
shell-quote (via concurrently 9→10) dev tool major bump CRITICAL GHSA-w7jw-789q-3m8p
aws-cdk-lib 2.100→2.260 (+ aws-cdk CLI →2.1128) synth-time re-vendor fast-uri, brace-expansion (high/mod)
dompurify override ^3.4.0→^3.4.9 (resolves 3.4.10) patch 21 dompurify advisories
vite 6.4.2→6.4.3 (frontend) patch GHSA-fx2h-pf6j-xcff, GHSA-v6wh-96g9-6wx3
@aws-sdk/s3-request-presigner+client-s3 →^3.1070.0 SDK realignment keeps backend tsc green after audit-fix re-resolution
uuid 13.0.0→13.0.2 (frontend) patch GHSA-w5hq-g745-h8pq (13.x range)
js-yaml override →4.2.0 override GHSA-h67p-54hq-rp68
minimatch override →9.0.9 (via @typescript-eslint) dev-chain override GHSA-7r86-cg39-jmmj
@smithy/util-stream ^4.5.25 declare phantom dep fixes a previously-undeclared import surfaced by the lockfile regen

Plus a semver-safe npm audit fix across root/frontend/backend lockfiles. esbuild was intentionally not forced to 0.28.x: it is already at 0.25.11 (not flagged by npm audit; the dev-server advisory is fixed at 0.25.0), and vite 6.4.3 pins ^0.25 — forcing 0.28 would break the frontend build.

Code security fixes (CodeQL)

Rule Count Fix Files
js/incomplete-multi-character-sanitization 6 Strip HTML to a fixed point (loop until stable) so nesting/overlap (<scr<script>ipt>) can't reintroduce stripped tags. Plain-text contract + idempotency preserved. backend/src/utils/notifier-base.ts, validation.ts
js/bad-tag-filter 2 Tolerate malformed/nested/unterminated tags in the strippers notifier-base.ts, validation.ts
py/clear-text-logging-sensitive-data 5 Log only non-sensitive metadata (status, IDs, responseData keys) instead of the full CFN response body; response contract unchanged cfnresponse.py
js/biased-cryptographic-random 2 Replace modulo-over-random-bytes with crypto.randomInt (unbiased) for char selection and the Fisher–Yates shuffle; password guarantees preserved user-management-resolver.ts

Risk-accepted dismissals

Dependabot (7, tolerable_risk):

  • dompurify GHSA-x4vx-rjvf-j5p4 (×2 manifests) — no upstream patch; all other dompurify advisories cleared by 3.4.10.
  • thrift GHSA-526f-jxpj-jmg2 / GHSA-r67j-r569-jrwp — transitive via @databricks/sql (optional, lazily-loaded adapter); 526f unpatched, r67j pinned by parent.
  • aws-sdk (v2) GHSA-j965-2qgj-vjmq — EOL, transitive only; tracked for AWS SDK v3 migration.
  • uuid GHSA-w5hq-g745-h8pq <11.1.1 (×2) — code uses only uuid.v4(); advisory affects v1/v3/v5/v6 generation we never call.

Code Scanning (6) — js/insufficient-password-hash:

  • app-api-authorizer.ts (production) — false positive: the hashed value is a 256-bit CSPRNG API token (randomBytes(32)), not a user password; the offline-brute-force threat model doesn't apply and SHA-256 of a high-entropy token is standard token-storage practice.
  • 5 test-file occurrences — used in tests.

Verification

  • backend npm run build → exit 0; frontend npm run build → exit 0
  • Backend tests: 3075 passed, 0 failed, 7 skipped
  • Frontend tests: 1546 passed
  • CDK_DOCKER=docker npx cdk synth → exit 0, all 6 stacks synthesize; arbiter-stack CDK-synth suites green (Python Lambda layer bundled via Docker)

@gibbsie
Release: security remediation + workshop updates
a4198c2 
Squash of GitLab main since the initial release. Supersedes GitHub
Dependabot PR #2 (react-router/react-router-dom -> 7.18.0, ahead of 7.17.0).

- Dependency security upgrades (concurrently 10, aws-cdk-lib 2.260,
  dompurify 3.4.10, vite 6.4.3, uuid 13.0.2, js-yaml/minimatch overrides)
  clearing the open Dependabot advisories; no-patch items risk-accepted.
- CodeQL: HTML sanitization hardening, CFN response log redaction,
  unbiased crypto.randomInt for temp passwords.
- Post-release workshop updates (fabrication, progress UI, specs).
@gibbsie gibbsie self-assigned this Jun 19, 2026
github-advanced-security[bot]
github-advanced-security AI found potential problems Jun 19, 2026
View reviewed changes
Comment thread arbiter/seedConfig/cfnresponse.py
Comment on lines +33 to +41
"Response status: {}; physicalResourceId={}; stackId={}; requestId={}; "
"logicalResourceId={}; dataKeys={}".format(
responseStatus,
responseBody['PhysicalResourceId'],
event['StackId'],
event['RequestId'],
event['LogicalResourceId'],
list(responseData.keys()) if isinstance(responseData, dict) else [],
)
Comment thread backend/src/lambda/cognito-secret-handler/cfnresponse.py
Comment on lines +33 to +41
"Response status: {}; physicalResourceId={}; stackId={}; requestId={}; "
"logicalResourceId={}; dataKeys={}".format(
responseStatus,
responseBody['PhysicalResourceId'],
event['StackId'],
event['RequestId'],
event['LogicalResourceId'],
list(responseData.keys()) if isinstance(responseData, dict) else [],
)
Comment thread backend/src/lambda/seed-admin-user/cfnresponse.py
Comment on lines +33 to +41
"Response status: {}; physicalResourceId={}; stackId={}; requestId={}; "
"logicalResourceId={}; dataKeys={}".format(
responseStatus,
responseBody['PhysicalResourceId'],
event['StackId'],
event['RequestId'],
event['LogicalResourceId'],
list(responseData.keys()) if isinstance(responseData, dict) else [],
)
Comment thread backend/src/lambda/seed-organizations/cfnresponse.py
Comment on lines +33 to +41
"Response status: {}; physicalResourceId={}; stackId={}; requestId={}; "
"logicalResourceId={}; dataKeys={}".format(
responseStatus,
responseBody['PhysicalResourceId'],
event['StackId'],
event['RequestId'],
event['LogicalResourceId'],
list(responseData.keys()) if isinstance(responseData, dict) else [],
)
Comment thread backend/src/lambda/update-email-templates/cfnresponse.py
Comment on lines +33 to +41
"Response status: {}; physicalResourceId={}; stackId={}; requestId={}; "
"logicalResourceId={}; dataKeys={}".format(
responseStatus,
responseBody['PhysicalResourceId'],
event['StackId'],
event['RequestId'],
event['LogicalResourceId'],
list(responseData.keys()) if isinstance(responseData, dict) else [],
)
github-advanced-security[bot]
github-advanced-security AI found potential problems Jun 19, 2026
View reviewed changes
Comment thread backend/src/utils/validation.ts
let previous: string;
do {
previous = sanitized;
sanitized = sanitized.replace(SCRIPT_BLOCK_RE, '').replace(HTML_TAG_RE, '');
@gibbsie gibbsie changed the title Release: security remediation + updates Bump: security remediation + updates Jun 19, 2026
@gibbsie gibbsie changed the title Bump: security remediation + updates Release: security remediation + updates Jun 19, 2026
@gibbsie gibbsie merged commit c4b9680 into main Jun 19, 2026
6 of 10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@github-advanced-security github-advanced-security[bot] github-advanced-security[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@gibbsie gibbsie

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@gibbsie @github-advanced-security