Skip to content

chore(security): fix npm audit vulnerabilities in sample-app#90

Draft
calebwilson706 wants to merge 1 commit into
fix/windows-hooks-cross-platformfrom
security/npm-audit-fix
Draft

chore(security): fix npm audit vulnerabilities in sample-app#90
calebwilson706 wants to merge 1 commit into
fix/windows-hooks-cross-platformfrom
security/npm-audit-fix

Conversation

@calebwilson706

Copy link
Copy Markdown
Contributor

Summary

Fixes npm audit vulnerabilities in exercises/sample-app. Applied the safe npm audit fix plus the breaking npm audit fix --force, both verified against typecheck and unit tests.

Audit results

Stage Vulnerabilities
Before 10 (1 critical, 3 high, 6 moderate)
After npm audit fix (safe) 4 (1 critical, 1 high, 2 moderate) – all in the esbuild/vite/vite-node/vitest chain
After npm audit fix --force + safe fix 1 (1 low)

Packages bumped

Safe fix (transitive, resolved via package-lock only): path-to-regexp, postcss, qs (via express/body-parser), rollup and related sub-dependencies.

Breaking fix (applied, KEPT): vitest ^1.0.0^4.1.10 (SemVer major). This pulled forward the vulnerable esbuild / vite / vite-node chain used only by the test runner. vitest is a devDependency, so runtime is unaffected.

Verification

Check Baseline (before force fix) After force fix
npm run typecheck (tsc --noEmit) ✅ pass ✅ pass
npm test (vitest run) ✅ 9/9 pass (vitest 1.6.1) ✅ 9/9 pass (vitest 4.1.10)

Tests and typecheck are no worse than baseline, so the breaking vitest v4 upgrade was kept. Playwright e2e was intentionally not run (requires browser install); typecheck + unit tests are sufficient verification per scope.

Remaining / deferred

  • 1 low-severity advisory remains: esbuild (GHSA-g7r4-m6w7-qqqr, arbitrary file read on the dev server, Windows only) nested under tsx (node_modules/tsx/node_modules/esbuild). npm audit fix reports a fix as available but is a no-op — it cannot be resolved without an upstream tsx update. Low severity, dev-server only, deferred.

🤖 Generated with Claude Code

Resolves npm audit alerts in exercises/sample-app.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant