Security review (2026-05-25): SEC-17 qs+ws moderate advisories, fixed inline; closed SEC-02 security headers #169
Security review (2026-05-25): SEC-17 qs+ws moderate advisories, fixed inline; closed SEC-02 security headers

bun audit surfaced two new moderate transitive advisories since the last round: qs (DoS via the MCP SDK's express dependency) and ws (memory disclosure via dev/test tooling). Neither is reachable in production; both fixed via package.json overrides (qs ^6.15.2, ws ^8.20.1) so bun audit is clean again. With no new application code since the prior round, also closed the long-standing SEC-02 by adding web/frontend/public/_headers: enforced X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy, plus a Report-Only CSP staged so it cannot break the live map/fonts before a CSP-report pass on the Pages deploy. https://claude.ai/code/session_01SbpR5PPukRADh2PXqGX5EW
Summary

Periodic whole-repo security review for 2026-05-25. No new application code landed since the last round (2026-05-18, up to `03760b4`) — the only commit since is the prior review's own PR — so re-verification confirmed the SEC-01 / SEC-10 / SEC-11 / SEC-12 / SEC-15 / SEC-16 fixes all hold byte-for-byte. No Critical or High findings.

New finding fixed inline

`bun audit` surfaced two new moderate transitive advisories:

- `qs` (>=6.11.1 <=6.15.1, GHSA-q8mj-m7cp-5q26, `stringify` DoS) pulled in via `@modelcontextprotocol/sdk` → express. The express HTTP transport is unused on Workers; our only `qs` token is a local `URLSearchParams` variable in `mcp-api/src/tools/audit.ts:42`. Not reachable in production.
- `ws` (>=8.0.0 <8.20.1, GHSA-58qx-3vcg-4xpx, memory disclosure) pulled in via dev/test tooling (`jsdom`, `miniflare`, `wrangler`). Never ships to the Workers runtime or static frontend.

`package.json` `overrides` bumps to `qs@^6.15.2` and `ws@^8.20.1`. `bun audit` is clean again; the single-entry resolutions are `qs@6.15.2` and `ws@8.21.0`.

Long-standing finding closed inline

`web/frontend/public/_headers`. Enforced: `X-Frame-Options: DENY`, `X-Content-Type-Options: nosniff`, `Referrer-Policy: strict-origin-when-cross-origin`, `Permissions-Policy`. CSP ships as `Content-Security-Policy-Report-Only` (with allowances for OSM/OpenTopoMap/ArcGIS tiles, Mapbox api/events, Google Fonts, and `blob:` workers for Mapbox GL) — staged Report-Only so it cannot break the live map/fonts before a CSP-report pass on the Pages deploy. Flipping to enforce is tracked as scope-gap #8 (linked issue: "Add dark/light/system theme switching commands").

Verification

- `bun audit` → No vulnerabilities found
- `bun run typecheck:all` → clean
- `bun run test:all` → green (251 competition-api + 21 mcp-api + engine/airscore/root). The `ws` minor bump did not break the miniflare-backed test runners.

The full round (methodology, prior-findings status table, SEC-17 writeup, re-checked-clean list, scope gaps, and next-review pointers) is appended to `docs/security-review.md` under the 2026-05-25 — Re-review section.

`_headers` CSP has not been verified against a live Pages deploy — it ships Report-Only precisely so it can't break the site before that verification. See scope-gap #8.

https://claude.ai/code/session_01SbpR5PPukRADh2PXqGX5EW
Generated by Claude Code
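The review stages the CSP as Report-Only and defers flipping it to enforce until a report pass. An added example, not code from this PR or the project, of a pre-deploy check for that staging: it parses a file in Cloudflare Pages `_headers` syntax and verifies the four enforced headers are present, that the CSP is still the Report-Only variant with a report destination, and that `blob:` workers are allowed. The sample `_headers` content, the tile/font hostnames, the `Permissions-Policy` value and the `/csp-report` endpoint are constructed assumptions, not the project's actual file.

```javascript
// Added example (not from the PR or the project): parse a Cloudflare Pages
// `_headers` file and check the staged security-header policy described in
// the review, including that the CSP is still Report-Only.

// Constructed sample in `_headers` syntax. Hostnames, the Permissions-Policy
// value and the report endpoint are assumptions, not the project's values.
const SAMPLE_HEADERS = `
/*
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  Referrer-Policy: strict-origin-when-cross-origin
  Permissions-Policy: camera=(), microphone=(), geolocation=(self)
  Content-Security-Policy-Report-Only: default-src 'self'; img-src 'self' data: blob: https://tile.openstreetmap.org https://*.tile.opentopomap.org https://server.arcgisonline.com https://api.mapbox.com; connect-src 'self' https://api.mapbox.com https://events.mapbox.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://api.mapbox.com; font-src 'self' https://fonts.gstatic.com; worker-src blob:; child-src blob:; report-uri /csp-report
`;

// `_headers` format: an unindented path pattern followed by indented
// "Name: value" lines. Returns [{ path, headers: [{ name, value }] }].
function parseHeadersFile(text) {
  const rules = [];
  let current = null;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    if (!/^\s/.test(raw)) {
      current = { path: line, headers: [] };
      rules.push(current);
      continue;
    }
    if (!current) throw new Error("header line before any path rule: " + line);
    const idx = line.indexOf(":"); // first colon separates name from value
    if (idx < 0) throw new Error("malformed header line: " + line);
    current.headers.push({
      name: line.slice(0, idx).trim().toLowerCase(),
      value: line.slice(idx + 1).trim(),
    });
  }
  return rules;
}

// Split a CSP value into a Map of directive -> source list.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Returns a list of problems; an empty list means the staged policy matches
// what the review describes (enforced headers present, CSP Report-Only).
function checkPolicy(rules, path = "/*") {
  const rule = rules.find((r) => r.path === path);
  if (!rule) return [`no rule for ${path}`];
  const problems = [];
  const all = (name) => rule.headers.filter((h) => h.name === name).map((h) => h.value);
  const one = (name) => all(name)[0];

  if ((one("x-frame-options") || "").toUpperCase() !== "DENY") problems.push("X-Frame-Options must be DENY");
  if ((one("x-content-type-options") || "").toLowerCase() !== "nosniff") problems.push("X-Content-Type-Options must be nosniff");
  if (!one("referrer-policy")) problems.push("Referrer-Policy missing");
  if (!one("permissions-policy")) problems.push("Permissions-Policy missing");

  // Until the report pass has run, an enforced CSP is a regression risk for the map/fonts.
  if (all("content-security-policy").length > 0) problems.push("CSP is enforced; it should stay Report-Only until the report pass");
  const reportOnly = one("content-security-policy-report-only");
  if (!reportOnly) {
    problems.push("Content-Security-Policy-Report-Only missing");
    return problems;
  }
  const csp = parseCsp(reportOnly);
  if (!csp.has("default-src")) problems.push("default-src missing");
  if (!csp.has("report-uri") && !csp.has("report-to")) problems.push("Report-Only CSP has no report-uri/report-to, so no reports will arrive");
  // worker-src falls back to child-src, then default-src, per CSP semantics.
  const workerSrc = csp.get("worker-src") || csp.get("child-src") || csp.get("default-src") || [];
  if (!workerSrc.includes("blob:")) problems.push("worker-src lacks blob: (Mapbox GL workers would be reported)");
  return problems;
}

const problems = checkPolicy(parseHeadersFile(SAMPLE_HEADERS));
console.log(problems.length === 0 ? "staged policy OK" : problems.join("\n"));
```

Running it against the real `web/frontend/public/_headers` (read the file instead of `SAMPLE_HEADERS`) gives a cheap CI guard that the CSP does not get flipped to enforce accidentally before the report pass tracked in scope-gap #8; once that pass is done, the enforced-CSP branch of `checkPolicy` is the line to invert.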