fix(security): remove dead babel-cli@6 and babel-preset-env@1 devDeps#471
fix(security): remove dead babel-cli@6 and babel-preset-env@1 devDeps#471conorluddy wants to merge 8 commits into
Conversation
β¦okie Register endpoint now uses rateLimitTenPerTenMins (10/10min) matching login, magic-login, and reset-password β previously only had the loose 100-req/10-min global limiter. RESIDENT_TOKEN cookie exposed the user's internal ID unnecessarily on every login/refresh response. Removed from all auth flows (login, refreshToken, magicLoginWithToken, googleCallback). logout and refreshToken now resolve userId via DB token lookup instead of trusting a separate cookie. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
β¦alidate comment logout: degrade gracefully when refresh token not in DB (expired/purged) β cookie is already cleared so user is effectively logged out regardless. Fix misleading MISSING_USER_ID β REFRESH_TOKEN_REQUIRED error message. Add test for token-not-found path. refreshToken: add explanatory comment on the intentional delete-before-validate ordering (token theft detection: nuke all sessions on any suspicious reuse). Use guard clause to remove redundant if(token)/if(!token) double-check. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
## Summary > Stacks on #467 β merge that first. - **Medium:** `jwt.sign` and `jwt.verify` now explicitly specify `algorithm: 'HS256'` / `algorithms: ['HS256']`. Prevents algorithm confusion attacks (e.g. `alg: none`) if the library ever changes its default or an attacker crafts a malicious token. - **Medium:** `express.json()` now has an explicit `limit: '10kb'` β makes the body size cap intentional and documented rather than relying on the library default. ## Test plan - [ ] `npm run lint && npm test` green - [ ] Manual: attempt a JWT with `alg: none` β verify rejected - [ ] Manual: send a JSON body >10kb β verify 413 response π€ Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
body-parser sets err.status = 413 on entity.too.large errors, but the error handler had no case for it β falling through to 500. Add explicit check before the catch-all so oversized bodies return 413 as expected. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
# Conflicts: # package.json
- Remove dead constants REFRESH_TOKEN_COUNTERPART_REQUIRED and TOKEN_USER_INVALID (no consumers remain after RESIDENT_TOKEN cross-check removal) - Remove stale residentToken and xsrfToken cookie entries from Swagger JSDoc - Add TODO comment to skipped logout test explaining wrong method and stale response - Expand refreshToken controller comment to make CUID2 enumeration trade-off explicit Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
These v6 packages were unused β all Jest ESM transforms already use @babel/core@7 and @babel/preset-env@7. Removing them clears 24 critical CVEs (babel-traverse chain) and drops audit count from 39 to 7. No behaviour change. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Codecov Reportβ
All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #471 +/- ##
==========================================
+ Coverage 83.71% 83.78% +0.06%
==========================================
Files 109 109
Lines 1781 1776 -5
Branches 295 294 -1
==========================================
- Hits 1491 1488 -3
Misses 190 190
+ Partials 100 98 -2 β View full report in Codecov by Sentry. π New features to boost your workflow:
|
Code Review -- PR 471: remove dead babel-cli@6 and babel-preset-env@1 devDepsThis is a clean, focused dependency hygiene change. The removal of babel-cli@6 and babel-preset-env@1 is correct -- both packages are genuinely unused (all Jest ESM transforms already go through @babel/core@7 / babel-jest) and their presence was dragging in the babel-traverse CVE cascade. Positives
Issues / Concerns1. This PR includes all the changes from PR #470 Both PRs modify the same auth files (logout.ts, refreshToken.ts, googleCallback.ts, etc.). These look like they diverged from the same point on main, not stacked branches. Merging either first will cause conflicts in the other. Coordinate with PR #470 -- rebase this branch on top of fix/security-high once that is merged, then the diff for this PR will reduce to only the babel removal (package.json + package-lock.json). 2. Remaining 7 vulnerabilities The PR description notes the audit count drops to 7 (5 moderate, 2 high). It would be helpful to document what those remaining 7 are in the PR description or a follow-up issue -- specifically: are the 2 high-severity ones known/accepted, and do any have available fixes or mitigations? 3. package-lock.json version alignment After this PR, both package.json and package-lock.json show 0.3.14, which is correct. However if this is rebased on top of PR #470 (which has the 0.3.8 lock file), make sure to run npm install to regenerate the lock file cleanly. Summary
Reviewed with Claude Code |
Summary
babel-cli@^6.26.0andbabel-preset-env@^1.7.0fromdevDependencies@babel/core@7,@babel/preset-env@7, andbabel-jestbabel-traverseCVE cascade, reducing audit count from 39 vulnerabilities (24 critical, 7 high) to 7 (5 moderate, 2 high)Test plan
npm installβ clean, no errorsnpm run lintβ no errorsnpm auditβ 0 critical, 0 critical-high remainingπ€ Generated with Claude Code