Skip to content

chore(deps): patch dev-only transitive advisories (js-yaml, uuid) via overrides#62

Merged
dknauss merged 2 commits into
mainfrom
chore/bump-js-yaml-4.2
Jun 23, 2026
Merged

chore(deps): patch dev-only transitive advisories (js-yaml, uuid) via overrides#62
dknauss merged 2 commits into
mainfrom
chore/bump-js-yaml-4.2

Conversation

@dknauss

@dknauss dknauss commented Jun 22, 2026

Copy link
Copy Markdown
Owner

What

Patches the dev-only transitive npm advisories that are safely fixable via overrides, following the established pattern from #60. None of these ships in the plugin — all are dev/test/build tooling.

Advisory Package Fix Status
GHSA-h67p-54hq-rp68 — ReDoS in YAML merge keys js-yaml <= 4.1.1 override → ^4.2.0 ✅ fixed
GHSA-w5hq-g745-h8pq — missing buffer bounds check uuid < 11.1.1 override → ^14.0.0 ✅ fixed

Only js-yaml was raised as a GitHub Dependabot alert (#53); the uuid one surfaces only in npm audit.

js-yaml → 4.2.0

Only vulnerable copy was js-yaml@3.14.2 via Jest coverage tooling (babel-plugin-istanbul → @istanbuljs/load-nyc-config → js-yaml@^3.13.1). API-safe: load-nyc-config only calls .load(), present in both v3 and v4. Dedups the v3 subtree (prunes v3-only argparse@1 + sprintf-js).

uuid → 14.0.x

Vulnerable copies were uuid@8.3.2 (via sockjs / webpack-dev-server) and uuid@9.0.1 (via @wordpress/components); uuid 14.x was already in the tree. API-safe: sockjs uses require('uuid').v4, @wordpress/components uses named from 'uuid' — both still exported by v14; neither passes buf, so the flaw was never reachable. Dedups nine nested @wordpress/*/node_modules/uuid copies.

Verification

  • npm ls js-yaml → only 4.2.0 · npm ls uuid → only 14.0.1 (no vulnerable copies)
  • npm audit no longer lists js-yaml or uuid
  • npm run build ✅ · npm test → 668 passed ✅ · load-nyc-config requires cleanly ✅
  • Lockfiles net smaller (pure dedup); no runtime/production deps touched

Deliberately NOT fixed (no safe override)

  • showdown ReDoS (GHSA-rmmh-p597-ppvv) — vulnerable range is <= 2.1.0, and 2.1.0 is the latest published version. No patched release exists to override to. (Reaches us via @wordpress/blocks/components.)
  • @opentelemetry/core baggage (GHSA-8988-4f7v-96qf) — fix is only in 2.8.0, a major bump. The installed 1.30.1 sits in a version-locked 1.x OpenTelemetry stack pulled via @sentry/node; forcing core to 2.x alone would break its 1.x peers. This needs an upstream Sentry dependency bump, not an override.

Both remain dev-only and were not raised as Dependabot alerts.

🤖 Generated with Claude Code

@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

@codecov

codecov Bot commented Jun 22, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 80.80%. Comparing base (e7c829b) to head (62750d1).

Additional details and impacted files
@@           Coverage Diff           @@
##             main      #62   +/-   ##
=======================================
  Coverage   80.80%   80.80%           
=======================================
  Files          44       44           
  Lines        3084     3084           
  Branches      523      523           
=======================================
  Hits         2492     2492           
  Misses        185      185           
  Partials      407      407           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@dknauss dknauss changed the title chore(deps): force js-yaml >=4.2.0 via override to clear ReDoS advisory chore(deps): patch dev-only transitive advisories (js-yaml, uuid) via overrides Jun 22, 2026
dknauss and others added 2 commits June 22, 2026 19:50
Resolves Dependabot GHSA-h67p-54hq-rp68 (js-yaml <= 4.1.1: quadratic-complexity
DoS in YAML merge-key handling, patched in 4.2.0). The only vulnerable copy was
js-yaml@3.14.2, pulled transitively through Jest coverage tooling
(babel-plugin-istanbul -> @istanbuljs/load-nyc-config -> js-yaml@^3.13.1) and
never shipped in the plugin.

Add a js-yaml override (matching the prior dev-only override pattern) so the one
straggler dedupes up to the 4.2.0 already resolved across the rest of the tree.
The override is API-safe: load-nyc-config calls js-yaml's .load(), which exists
in both v3 and v4. Collapsing the v3 subtree also prunes its v3-only argparse@1
and sprintf-js. Build, unit tests (668), and load-nyc-config all verified green.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…dvisory

Clears GHSA-w5hq-g745-h8pq (uuid < 11.1.1: missing buffer bounds check when a
buf argument is supplied). The vulnerable copies were uuid@8.3.2 (via sockjs,
a webpack-dev-server transitive) and uuid@9.0.1 (via @wordpress/components);
uuid 14.x was already resolved elsewhere in the tree.

Add a uuid override (matching the js-yaml/serialize-javascript dev-only override
pattern) so every copy unifies on 14.0.1 — >= the 11.1.1 patch floor and a clean
dedup of nine nested @wordpress/* copies. API-safe: sockjs uses require('uuid').v4
and @wordpress/components uses a named `from 'uuid'` import, both still exported
by uuid 14.x; neither passes buf, so the flaw was never reachable. Build and unit
tests (668) verified green.

Note: the remaining npm-audit advisories (showdown ReDoS, @opentelemetry/core
baggage) have no safe override — showdown has no published fix above the
vulnerable 2.1.0, and @opentelemetry/core's fix is a 2.x major that would break
its version-locked 1.x peers pulled via @sentry/node.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@dknauss dknauss force-pushed the chore/bump-js-yaml-4.2 branch from 20b90ac to 62750d1 Compare June 23, 2026 01:50
@dknauss dknauss merged commit 1a5df5b into main Jun 23, 2026
15 checks passed
@dknauss dknauss deleted the chore/bump-js-yaml-4.2 branch June 23, 2026 01:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant