Skip to content

fix(deps): resolve 31 Dependabot alerts in frontend dependencies#16

Open
wstlima wants to merge 1 commit into
AlphaHorizon-AI:mainfrom
wstlima:fix/frontend-deps-security
Open

fix(deps): resolve 31 Dependabot alerts in frontend dependencies#16
wstlima wants to merge 1 commit into
AlphaHorizon-AI:mainfrom
wstlima:fix/frontend-deps-security

Conversation

@wstlima

@wstlima wstlima commented Jul 10, 2026

Copy link
Copy Markdown

Fixes #7

Summary

Dependabot flagged 31 open vulnerabilities across both frontend package-lock.json files, concentrated in:

  • axios <1.16.0 — 20 advisories, several High: SSRF via no_proxy bypass, prototype-pollution gadgets enabling credential theft/auth bypass/response tampering, Proxy-Authorization credential leakage across redirects, ReDoS via cookie name injection
  • react-router-dom <7.15.1 — includes an advisory for vendored turbo-stream v2 allowing arbitrary constructor invocation via TYPE_ERROR deserialization, leading to unauthenticated RCE (High)
  • form-data 4.0.0–4.0.5 (both frontends, transitive via axios) — CRLF injection via unescaped multipart field names/filenames (High)
  • vite <8.0.16server.fs.deny bypass on Windows alternate paths (High)
  • @babel/core, brace-expansion, js-yaml, postcss — lower-severity fixes pulled in transitively

All fixes are patch/minor bumps within each package's existing ^ semver range — no major version changes.

How

cd frontend && npm ci
npm install --package-lock-only axios@1.16.0 react-router-dom@7.15.1 vite@8.0.16
npm audit fix

cd ../gensui/frontend && npm ci
npm audit fix

Test plan

  • npm audit reports 0 vulnerabilities in both frontend/ and gensui/frontend/
  • npm run build succeeds cleanly in both
  • Does not touch frontend/dist/ (committed build artifacts) — dependency-only change

Dependabot flagged 31 open vulnerabilities across both frontend
package-lock.json files (frontend/ = main Shogun/Tenshu UI,
gensui/frontend/ = Gensui admin UI), concentrated in a handful of
transitive/direct packages:

- axios <1.16.0 (frontend/) — 20 advisories, several High: SSRF via
  no_proxy bypass, prototype-pollution gadgets enabling credential
  theft / auth bypass / response tampering, Proxy-Authorization
  credential leakage across redirects, ReDoS via cookie name
  injection.
- react-router-dom <7.15.1 (frontend/) — includes GHSA for vendored
  turbo-stream v2 allowing arbitrary constructor invocation via
  TYPE_ERROR deserialization, leading to unauthenticated RCE (High).
- form-data 4.0.0–4.0.5 (both frontends, transitive via axios) — CRLF
  injection via unescaped multipart field names/filenames (High).
- vite <8.0.16 (frontend/) — server.fs.deny bypass on Windows
  alternate paths (High).
- @babel/core, brace-expansion, js-yaml, postcss — lower-severity
  fixes pulled in transitively.

All fixes are patch/minor bumps within each package's existing `^`
semver range in package.json — no major version changes. Applied via:

  cd frontend && npm ci
  npm install --package-lock-only axios@1.16.0 react-router-dom@7.15.1 vite@8.0.16
  npm audit fix

  cd ../gensui/frontend && npm ci
  npm audit fix

Verified after each: `npm audit` reports 0 vulnerabilities, `npm run
build` succeeds cleanly in both frontend/ and gensui/frontend/.

Does not touch frontend/dist/ (committed build artifacts) — this PR
is dependency-only; a rebuild is a separate concern for whoever
deploys from this branch.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

31 open Dependabot-class vulnerabilities in frontend/gensui-frontend dependencies (axios, react-router-dom, form-data, vite)

1 participant