Skip to content

fix(security): remove dead babel-cli@6 and babel-preset-env@1 devDeps#471

Closed
conorluddy wants to merge 8 commits into
mainfrom
fix/remove-legacy-babel-v6
Closed

fix(security): remove dead babel-cli@6 and babel-preset-env@1 devDeps#471
conorluddy wants to merge 8 commits into
mainfrom
fix/remove-legacy-babel-v6

Conversation

@conorluddy

Copy link
Copy Markdown
Owner

Summary

  • Removes babel-cli@^6.26.0 and babel-preset-env@^1.7.0 from devDependencies
  • These v6 packages were completely unused β€” all Jest ESM transforms already run via @babel/core@7, @babel/preset-env@7, and babel-jest
  • Dropping them clears the babel-traverse CVE cascade, reducing audit count from 39 vulnerabilities (24 critical, 7 high) to 7 (5 moderate, 2 high)
  • No runtime code changes, no test changes, no behaviour change

Test plan

  • npm install β€” clean, no errors
  • All unit test suites pass (71 passed; 5 integration failures are pre-existing, require live Postgres)
  • npm run lint β€” no errors
  • npm audit β€” 0 critical, 0 critical-high remaining

πŸ€– Generated with Claude Code

conorluddy and others added 8 commits February 28, 2026 15:41
…okie

Register endpoint now uses rateLimitTenPerTenMins (10/10min) matching
login, magic-login, and reset-password β€” previously only had the loose
100-req/10-min global limiter.

RESIDENT_TOKEN cookie exposed the user's internal ID unnecessarily on
every login/refresh response. Removed from all auth flows (login,
refreshToken, magicLoginWithToken, googleCallback). logout and
refreshToken now resolve userId via DB token lookup instead of trusting
a separate cookie.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…alidate comment

logout: degrade gracefully when refresh token not in DB (expired/purged) β€”
cookie is already cleared so user is effectively logged out regardless.
Fix misleading MISSING_USER_ID β†’ REFRESH_TOKEN_REQUIRED error message.
Add test for token-not-found path.

refreshToken: add explanatory comment on the intentional delete-before-validate
ordering (token theft detection: nuke all sessions on any suspicious reuse).
Use guard clause to remove redundant if(token)/if(!token) double-check.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
## Summary

> Stacks on #467 β€” merge that first.

- **Medium:** `jwt.sign` and `jwt.verify` now explicitly specify
`algorithm: 'HS256'` / `algorithms: ['HS256']`. Prevents algorithm
confusion attacks (e.g. `alg: none`) if the library ever changes its
default or an attacker crafts a malicious token.
- **Medium:** `express.json()` now has an explicit `limit: '10kb'` β€”
makes the body size cap intentional and documented rather than relying
on the library default.

## Test plan
- [ ] `npm run lint && npm test` green
- [ ] Manual: attempt a JWT with `alg: none` β€” verify rejected
- [ ] Manual: send a JSON body >10kb β€” verify 413 response

πŸ€– Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
body-parser sets err.status = 413 on entity.too.large errors, but the
error handler had no case for it β€” falling through to 500. Add explicit
check before the catch-all so oversized bodies return 413 as expected.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Remove dead constants REFRESH_TOKEN_COUNTERPART_REQUIRED and TOKEN_USER_INVALID
  (no consumers remain after RESIDENT_TOKEN cross-check removal)
- Remove stale residentToken and xsrfToken cookie entries from Swagger JSDoc
- Add TODO comment to skipped logout test explaining wrong method and stale response
- Expand refreshToken controller comment to make CUID2 enumeration trade-off explicit

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
These v6 packages were unused β€” all Jest ESM transforms already use
@babel/core@7 and @babel/preset-env@7. Removing them clears 24 critical
CVEs (babel-traverse chain) and drops audit count from 39 to 7.
No behaviour change.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@conorluddy conorluddy closed this Feb 28, 2026
@codecov

codecov Bot commented Feb 28, 2026

Copy link
Copy Markdown

Codecov Report

βœ… All modified and coverable lines are covered by tests.
βœ… Project coverage is 83.78%. Comparing base (0e683e6) to head (b13c4e4).

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #471      +/-   ##
==========================================
+ Coverage   83.71%   83.78%   +0.06%     
==========================================
  Files         109      109              
  Lines        1781     1776       -5     
  Branches      295      294       -1     
==========================================
- Hits         1491     1488       -3     
  Misses        190      190              
+ Partials      100       98       -2     

β˜” View full report in Codecov by Sentry.
πŸ“’ Have feedback on the report? Share it here.

πŸš€ New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • πŸ“¦ JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@claude

claude Bot commented Feb 28, 2026

Copy link
Copy Markdown

Code Review -- PR 471: remove dead babel-cli@6 and babel-preset-env@1 devDeps

This is a clean, focused dependency hygiene change. The removal of babel-cli@6 and babel-preset-env@1 is correct -- both packages are genuinely unused (all Jest ESM transforms already go through @babel/core@7 / babel-jest) and their presence was dragging in the babel-traverse CVE cascade.


Positives

  • The vulnerability reduction is significant: dropping from 39 vulnerabilities (24 critical, 7 high) to 7 (5 moderate, 2 high) by removing a single dependency tree is a compelling, low-risk change.
  • No runtime or test behaviour changes.
  • The PR description is well-documented with before/after audit counts.

Issues / Concerns

1. This PR includes all the changes from PR #470

Both PRs modify the same auth files (logout.ts, refreshToken.ts, googleCallback.ts, etc.). These look like they diverged from the same point on main, not stacked branches. Merging either first will cause conflicts in the other. Coordinate with PR #470 -- rebase this branch on top of fix/security-high once that is merged, then the diff for this PR will reduce to only the babel removal (package.json + package-lock.json).

2. Remaining 7 vulnerabilities

The PR description notes the audit count drops to 7 (5 moderate, 2 high). It would be helpful to document what those remaining 7 are in the PR description or a follow-up issue -- specifically: are the 2 high-severity ones known/accepted, and do any have available fixes or mitigations?

3. package-lock.json version alignment

After this PR, both package.json and package-lock.json show 0.3.14, which is correct. However if this is rebased on top of PR #470 (which has the 0.3.8 lock file), make sure to run npm install to regenerate the lock file cleanly.


Summary

Area Status
Dependency removal correctness Correct -- packages were unused
Vulnerability reduction Significant improvement
Overlap with PR #470 Must coordinate merge order
Remaining vulnerabilities Document or track the 2 high-severity ones

Reviewed with Claude Code

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant