chore(deps): patch dev-only transitive advisories (js-yaml, uuid) via overrides#62
Merged
Conversation
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #62 +/- ##
=======================================
Coverage 80.80% 80.80%
=======================================
Files 44 44
Lines 3084 3084
Branches 523 523
=======================================
Hits 2492 2492
Misses 185 185
Partials 407 407 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
Resolves Dependabot GHSA-h67p-54hq-rp68 (js-yaml <= 4.1.1: quadratic-complexity DoS in YAML merge-key handling, patched in 4.2.0). The only vulnerable copy was js-yaml@3.14.2, pulled transitively through Jest coverage tooling (babel-plugin-istanbul -> @istanbuljs/load-nyc-config -> js-yaml@^3.13.1) and never shipped in the plugin. Add a js-yaml override (matching the prior dev-only override pattern) so the one straggler dedupes up to the 4.2.0 already resolved across the rest of the tree. The override is API-safe: load-nyc-config calls js-yaml's .load(), which exists in both v3 and v4. Collapsing the v3 subtree also prunes its v3-only argparse@1 and sprintf-js. Build, unit tests (668), and load-nyc-config all verified green. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…dvisory Clears GHSA-w5hq-g745-h8pq (uuid < 11.1.1: missing buffer bounds check when a buf argument is supplied). The vulnerable copies were uuid@8.3.2 (via sockjs, a webpack-dev-server transitive) and uuid@9.0.1 (via @wordpress/components); uuid 14.x was already resolved elsewhere in the tree. Add a uuid override (matching the js-yaml/serialize-javascript dev-only override pattern) so every copy unifies on 14.0.1 — >= the 11.1.1 patch floor and a clean dedup of nine nested @wordpress/* copies. API-safe: sockjs uses require('uuid').v4 and @wordpress/components uses a named `from 'uuid'` import, both still exported by uuid 14.x; neither passes buf, so the flaw was never reachable. Build and unit tests (668) verified green. Note: the remaining npm-audit advisories (showdown ReDoS, @opentelemetry/core baggage) have no safe override — showdown has no published fix above the vulnerable 2.1.0, and @opentelemetry/core's fix is a 2.x major that would break its version-locked 1.x peers pulled via @sentry/node. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
20b90ac to
62750d1
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Patches the dev-only transitive npm advisories that are safely fixable via
overrides, following the established pattern from #60. None of these ships in the plugin — all are dev/test/build tooling.<= 4.1.1^4.2.0< 11.1.1^14.0.0Only js-yaml was raised as a GitHub Dependabot alert (#53); the uuid one surfaces only in
npm audit.js-yaml → 4.2.0
Only vulnerable copy was
js-yaml@3.14.2via Jest coverage tooling (babel-plugin-istanbul → @istanbuljs/load-nyc-config → js-yaml@^3.13.1). API-safe: load-nyc-config only calls.load(), present in both v3 and v4. Dedups the v3 subtree (prunes v3-onlyargparse@1+sprintf-js).uuid → 14.0.x
Vulnerable copies were
uuid@8.3.2(via sockjs / webpack-dev-server) anduuid@9.0.1(via @wordpress/components); uuid 14.x was already in the tree. API-safe: sockjs usesrequire('uuid').v4, @wordpress/components uses namedfrom 'uuid'— both still exported by v14; neither passesbuf, so the flaw was never reachable. Dedups nine nested@wordpress/*/node_modules/uuidcopies.Verification
npm ls js-yaml→ only 4.2.0 ·npm ls uuid→ only 14.0.1 (no vulnerable copies)npm auditno longer lists js-yaml or uuidnpm run build✅ ·npm test→ 668 passed ✅ ·load-nyc-configrequires cleanly ✅Deliberately NOT fixed (no safe override)
<= 2.1.0, and 2.1.0 is the latest published version. No patched release exists to override to. (Reaches us via @wordpress/blocks/components.)2.8.0, a major bump. The installed1.30.1sits in a version-locked 1.x OpenTelemetry stack pulled via@sentry/node; forcing core to 2.x alone would break its 1.x peers. This needs an upstream Sentry dependency bump, not an override.Both remain dev-only and were not raised as Dependabot alerts.
🤖 Generated with Claude Code