npm security audit fixes #1924

Merged
r0h0gg6 merged 1 commit into master from npm-security-audit-fix
Apr 24, 2026
Conversation

Contributor

@r0h0gg6 r0h0gg6 commented Apr 23, 2026

ERN Platform — CVE Remediation Summary

Overview

Remediates 14 unique CVEs identified in the ERN Platform Vulnerability Assessment across 8 ERN packages (v0.53.7). The platform is sunsetting in ~1 year, so only targeted security patches are applied — no feature changes.

Each vulnerable package was evaluated against the 6-tier Fix Classification Decision Tree, starting at Priority 1 (most preferred) and escalating only when higher-priority fixes were not viable.


Per-Package Decision Tree Analysis

1. semver — ReDoS Vulnerability

Dependency chain: ern-api-impl-gen → semver@7.3.5 (direct)

| Priority | Strategy | Viable? | Rationale |
|---|---|---|---|
| P1 | Direct dep upgrade, no code change | Yes | semver is a direct dependency of ern-api-impl-gen. Bumping 7.3.5 → ^7.5.2 is a semver-compatible minor/patch upgrade. No API changes — drop-in replacement. |

Fix applied: Updated ern-api-impl-gen/package.json: "semver": "7.3.5" → "semver": "^7.5.2"
Additional: Added "semver": "^7.5.2" to root resolutions to cover any other transitive instances across the monorepo.


2. @octokit/rest — Multiple CVEs in v18 Transitive Dependency Tree

Dependency chain: ern-core → @octokit/rest@18.5.3 (direct), ern-orchestrator → @octokit/rest@18.5.3 (direct)

| Priority | Strategy | Viable? | Rationale |
|---|---|---|---|
| P1 | Direct dep upgrade, no code change | No | No patched version exists within v18.x. Upgrade requires major version jump (v18 → v20), which introduces breaking TypeScript types and API changes. |
| P2 | Direct dep upgrade, with code change | Yes | Upgraded to ^20.1.1 and adapted GitHubApi.ts to handle Octokit v20 breaking changes. |

Fix applied:

  • ern-core/package.json: "@octokit/rest": "18.5.3" → "@octokit/rest": "^20.1.1"
  • ern-orchestrator/package.json: "@octokit/rest": "18.5.3" → "@octokit/rest": "^20.1.1"
  • ern-core/src/GitHubApi.ts — Two categories of code changes:
    • Buffer.from() encoding — Adapted content encoding to match Octokit v20's API contract
    • : Promise<any> return type annotations — Added explicit return types on createBranch, deleteBranch, createTag, deleteTag, and updateFileContent to resolve TypeScript compilation errors caused by Octokit v20's overhauled type definitions

3. plist / xmldom — XML Parsing Vulnerability

Dependency chain: ern-core → xcode-ern → simple-plist → plist → xmldom

| Priority | Strategy | Viable? | Rationale |
|---|---|---|---|
| P1 | Direct dep upgrade | No | plist is not a direct dependency — it's 3 levels deep. |
| P2 | Direct dep upgrade with code | No | Same — not direct. |
| P3 | Upgrade parent, no code change | No | xcode-ern is abandoned — no newer version exists with updated transitive deps. |
| P4 | Upgrade parent with code | No | No version to upgrade to. |
| P5 | Replace with alternative | No | xcode-ern is a forked Xcode project parser tightly integrated into ERN's iOS container generation. Replacing it would require significant refactoring beyond security-patch scope. |
| P6 | Yarn resolution | Yes | Force plist to ^3.0.5 across the monorepo, which includes the patched xmldom. |

Fix applied: Root package.json resolutions — "plist": "^3.0.5"


4. simple-plist — Inherited Vulnerability via plist

Dependency chain: ern-core → xcode-ern → simple-plist@1.1.0

| Priority | Strategy | Viable? | Rationale |
|---|---|---|---|
| P1–P2 | Direct dep upgrade | No | Not a direct dependency. |
| P3–P4 | Upgrade parent | No | xcode-ern is abandoned. |
| P5 | Replace alternative | No | Same tight coupling as above. |
| P6 | Yarn resolution | Yes | Force simple-plist to ^1.3.1 which depends on the patched plist. |

Fix applied: Root package.json resolutions — "simple-plist": "^1.3.1"


5. deep-extend — Prototype Pollution

Dependency chain: Transitive dependency via archived/unmaintained parent packages

| Priority | Strategy | Viable? | Rationale |
|---|---|---|---|
| P1–P2 | Direct dep upgrade | No | Not a direct dependency. |
| P3–P4 | Upgrade parent | No | Parent packages are archived/unmaintained with no patched releases. |
| P5 | Replace alternative | No | Disproportionate effort for a sunsetting platform. |
| P6 | Yarn resolution | Yes | Force deep-extend to ^0.6.0 which includes the prototype pollution fix. |

Fix applied: Root package.json resolutions — "deep-extend": "^0.6.0"


6. ip — SSRF Vulnerability

Dependency chain: Transitive via http-proxy-agent chain

| Priority | Strategy | Viable? | Rationale |
|---|---|---|---|
| P1–P2 | Direct dep upgrade | No | Not a direct dependency. |
| P3–P4 | Upgrade parent | No | Intermediate packages in the chain don't have patched versions that drop the vulnerable ip version. |
| P5 | Replace alternative | No | Disproportionate effort. |
| P6 | Yarn resolution | Yes | Force ip to ^2.0.1 which patches the SSRF vulnerability. |

Fix applied: Root package.json resolutions — "ip": "^2.0.1"


7. validator — ReDoS Vulnerability

Dependency chain: ern-api-gen → sway → json-refs → path-loader → ... → validator

| Priority | Strategy | Viable? | Rationale |
|---|---|---|---|
| P1–P2 | Direct dep upgrade | No | Not a direct dependency. |
| P3–P4 | Upgrade parent | No | sway has only one published version — no upgrade path exists. |
| P5 | Replace alternative | No | sway is a Swagger validation library deeply integrated into ERN's API generation. Replacing it is out of scope. |
| P6 | Yarn resolution | Yes | Force validator to ^13.15.22 which includes the ReDoS fix. |

Fix applied: Root package.json resolutions — "validator": "^13.15.22"


8. trim-newlines — ReDoS Vulnerability

Dependency chain: Transitive dependency via unmaintained parent packages

| Priority | Strategy | Viable? | Rationale |
|---|---|---|---|
| P1–P2 | Direct dep upgrade | No | Not a direct dependency. |
| P3–P4 | Upgrade parent | No | No patched parent versions available. |
| P5 | Replace alternative | No | Disproportionate effort. |
| P6 | Yarn resolution | Yes | Force trim-newlines to ^3.0.1 which includes the ReDoS fix. |

Fix applied: Root package.json resolutions — "trim-newlines": "^3.0.1"


9. @tootallnate/once — Transitive Vulnerability via http-proxy-agent

Dependency chain: Transitive via http-proxy-agent → agent-base → @tootallnate/once

| Priority | Strategy | Viable? | Rationale |
|---|---|---|---|
| P1–P2 | Direct dep upgrade | No | Not a direct dependency. |
| P3–P4 | Upgrade parent | No | Intermediate packages don't have compatible versions that resolve this. |
| P5 | Replace alternative | No | Disproportionate effort. |
| P6 | Yarn resolution | Yes | Force @tootallnate/once to >=3.0.1. |

Fix applied: Root package.json resolutions — "@tootallnate/once": ">=3.0.1"


Summary of Fix Distribution

| Fix Tier | Count | Packages |
|---|---|---|
| P1 — Direct upgrade, no code | 1 | semver |
| P2 — Direct upgrade, with code | 1 | @octokit/rest (2 packages + 1 source file) |
| P6 — Yarn resolutions | 7 | plist, simple-plist, deep-extend, ip, validator, trim-newlines, @tootallnate/once |

Why Are Most Fixes P6 (Yarn Resolutions)?

The majority of vulnerable packages are deeply nested transitive dependencies behind abandoned (xcode-ern), archived (code-push), single-version (sway), or deprecated (bugsnag-sourcemaps) parent packages. With no upstream maintainer to release patched versions, yarn resolutions are the only mechanism to force safe versions without forking or replacing entire dependency subtrees — which would be disproportionate effort for a platform sunsetting in ~1 year.


Files Changed

| File | Change |
|---|---|
| package.json (root) | Added resolutions block with 8 transitive dependency overrides |
| ern-api-impl-gen/package.json | semver: 7.3.5 → ^7.5.2 |
| ern-core/package.json | @octokit/rest: 18.5.3 → ^20.1.1 |
| ern-orchestrator/package.json | @octokit/rest: 18.5.3 → ^20.1.1 |
| ern-core/src/GitHubApi.ts | Buffer.from() updates + : Promise<any> return type annotations |
| yarn.lock | Regenerated against public registry (registry.yarnpkg.com) |

Validation

  • yarn install completes successfully
  • yarn build passes across all packages
  • Full test suite passes
  • yarn audit confirms all 14 original CVEs resolved
  • yarn.lock uses only public registry (registry.yarnpkg.com) — no internal registry references
  • ern run-android / ern run-ios runtime validation against a consumer miniapp
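As an added example, not code from this PR or from the ERN project, the following Node.js script checks the last two Validation items mechanically: it parses a yarn.lock (v1 format) and reports any locked version of a package named in the root resolutions block that does not satisfy its forced range, plus any tarball resolved from a host other than registry.yarnpkg.com. The resolution ranges are the PR's own; the yarn.lock excerpt, the placeholder hashes, the function names and the deliberately wrong entries are constructed for the example. The range matcher handles only the ^, >= and exact forms that appear in this resolutions block, not full semver.

```javascript
// Added example, not part of the PR: verify that a yarn.lock honours the root
// package.json "resolutions" block and references only the public registry.
// Only the ranges in RESOLUTIONS come from the PR; everything else is constructed.

const RESOLUTIONS = {
  semver: "^7.5.2",
  plist: "^3.0.5",
  "simple-plist": "^1.3.1",
  "deep-extend": "^0.6.0",
  ip: "^2.0.1",
  validator: "^13.15.22",
  "trim-newlines": "^3.0.1",
  "@tootallnate/once": ">=3.0.1",
};

const PUBLIC_REGISTRY = "https://registry.yarnpkg.com/";

// Constructed yarn.lock v1 excerpt: two entries honour the resolutions, one
// (deep-extend) still locks a pre-fix version, and one (ip) is fetched from a
// private host. The "#placeholder" fragments stand in for real hashes.
const SAMPLE_LOCK = `
plist@^3.0.5:
  version "3.1.0"
  resolved "https://registry.yarnpkg.com/plist/-/plist-3.1.0.tgz#placeholder"

"@tootallnate/once@>=3.0.1":
  version "3.0.1"
  resolved "https://registry.yarnpkg.com/@tootallnate/once/-/once-3.0.1.tgz#placeholder"

deep-extend@^0.5.0:
  version "0.5.1"
  resolved "https://registry.yarnpkg.com/deep-extend/-/deep-extend-0.5.1.tgz#placeholder"

ip@^1.1.5, ip@^2.0.1:
  version "2.0.1"
  resolved "https://npm.internal.example/ip/-/ip-2.0.1.tgz#placeholder"
`;

// Parse yarn.lock v1 text into { names, version, resolved } records. Header lines
// are unindented, end with ":" and hold comma-separated "name@range" specs
// (sometimes quoted). Ranges that themselves contain commas are not handled.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split("\n")) {
    if (!raw.trim() || raw.startsWith("#")) continue;
    if (!/^\s/.test(raw) && raw.endsWith(":")) {
      const specs = raw.slice(0, -1).split(",").map((s) => s.trim().replace(/^"|"$/g, ""));
      // Scoped names start with "@", so cut at the last "@" to drop the range.
      const names = [...new Set(specs.map((s) => s.slice(0, s.lastIndexOf("@"))))];
      current = { names, version: null, resolved: null };
      entries.push(current);
      continue;
    }
    const m = current && raw.match(/^\s+(version|resolved)\s+"([^"]+)"$/);
    if (m) current[m[1]] = m[2];
  }
  return entries;
}

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Minimal range matcher for the forms used in the resolutions block: "^x.y.z",
// ">=x.y.z" and an exact "x.y.z". Use the semver package for anything richer.
function satisfies(version, range) {
  const v = parseVersion(version);
  if (range.startsWith(">=")) return compareVersions(v, parseVersion(range.slice(2))) >= 0;
  if (range.startsWith("^")) {
    const base = parseVersion(range.slice(1));
    if (compareVersions(v, base) < 0) return false;
    if (base[0] > 0) return v[0] === base[0]; // ^1.2.3 means >=1.2.3 <2.0.0
    if (base[1] > 0) return v[0] === 0 && v[1] === base[1]; // ^0.6.0 means >=0.6.0 <0.7.0
    return compareVersions(v, base) === 0; // ^0.0.z pins exactly
  }
  return compareVersions(v, parseVersion(range)) === 0;
}

// Returns human-readable findings; an empty array means every locked version of a
// package named in `resolutions` satisfies its forced range and every tarball
// comes from `registry`.
function checkLock(lockText, resolutions, registry = PUBLIC_REGISTRY) {
  const findings = [];
  for (const e of parseYarnLock(lockText)) {
    for (const name of e.names) {
      const range = resolutions[name];
      if (range && !satisfies(e.version, range)) {
        findings.push(`${name}@${e.version} does not satisfy resolution ${range}`);
      }
    }
    if (e.resolved && !e.resolved.startsWith(registry)) {
      findings.push(`${e.names.join(",")}@${e.version} resolved outside ${registry}: ${e.resolved}`);
    }
  }
  return findings;
}

// Run against the constructed sample; in a real checkout read yarn.lock and the
// root package.json "resolutions" object from disk instead.
const sampleFindings = checkLock(SAMPLE_LOCK, RESOLUTIONS);
console.log(sampleFindings.length ? sampleFindings.join("\n") : "yarn.lock honours all resolutions");
```

On the sample the script reports the stale deep-extend lock and the ip tarball from the private host. yarn audit answers the question "are known CVEs still reachable", whereas this check answers the narrower one the PR's Validation list also makes: that the regenerated lockfile actually carries the forced versions and points only at the public registry, which is worth running in CI so a later `yarn install` cannot quietly drift back.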

@r0h0gg6 r0h0gg6 merged commit e5625ce into master Apr 24, 2026
10 of 22 checks passed
@r0h0gg6 r0h0gg6 deleted the npm-security-audit-fix branch April 24, 2026 09:20