fix(security): clear the last high advisories + repair the webpack build#226
Open
BreakableHoodie wants to merge 1 commit into
Open
fix(security): clear the last high advisories + repair the webpack build#226BreakableHoodie wants to merge 1 commit into
BreakableHoodie wants to merge 1 commit into
Conversation
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
Rebased onto main after #206/#212. Those already fixed most advisories; this clears the three highs still failing `npm audit --audit-level=high` for the backend workspace (the open Dependabot alerts #85-89): - multer -> 2.2.0 via a root `overrides` entry (every @nestjs/platform-express pins multer to an exact 2.1.1, so a root override is the only way to reach the patched version). rxjs override from #206 is preserved. - form-data -> 4.0.6 and vite -> 8.0.16 via the regenerated lockfile (latest in-range; npm audit fix handles both non-breaking). Supporting fixes required to land the above cleanly: - backend/webpack.config.js (new) + nest-cli.json: a webpack IgnorePlugin for MikroORM/knex optional DB drivers. main's `nest build` is currently broken (11 "Module not found" errors) because #206's MikroORM 6.6.x bump makes webpack try to bundle uninstalled optional drivers; this repairs it. - @mikro-orm/* aligned to ~6.6.15 (lockstep). Re-resolving otherwise left a dual @mikro-orm/core (6.6.14 + 6.6.15), which is unsafe for MikroORM's single-instance metadata. - Pin @supabase/supabase-js to 2.78.0: re-resolving otherwise pulls a newer 2.x that breaks tsc declaration emit (TS4094). - Drop a now-redundant type assertion in http-exception.filter.ts flagged by the updated typescript-eslint. Verified in a clean checkout of this branch: npm ci, audit (0 high/critical), nest build, tsc --noEmit, eslint, and vitest (19 tests) all pass. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
BreakableHoodie
force-pushed
the
worktree-fix-backend-npm-audit-high
branch
from
June 23, 2026 11:43
3507c2b to
edc0e3f
Compare
adinschmidt
approved these changes
Jul 11, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What & why
Rebased onto
mainafter #206 ("patch 60+ dependabot alerts") and #212 (webpack bump) merged. Those resolved most advisories; this PR clears the three highs still failingnpm audit --audit-level=highfor the backend workspace, which correspond to the remaining open Dependabot alerts.Dependabot alerts resolved
overridesoverridesmulterneeds a root override because every@nestjs/platform-express(incl. latest 11.x) pins multer to an exact2.1.1, and npm only honors overrides from the workspaces-rootpackage.json. #206'srxjsroot override is preserved.Supporting changes (required to land the above cleanly)
backend/webpack.config.js(new) +nest-cli.json— a webpackIgnorePluginfor MikroORM/knex optional DB drivers.main'snest buildis currently broken (11 "Module not found" errors:sqlite3,mysql,tedious, …) because security: patch 60+ dependabot alerts and restrict workflow permissions #206's MikroORM 6.6.x bump makes webpack try to bundle optional drivers we don't install. This repairs it while preserving the existing"webpack": truebundling (we only use PostgreSQL).@mikro-orm/*→~6.6.15(lockstep) — regenerating the lockfile otherwise left a dual@mikro-orm/core(6.6.14 + 6.6.15), which is unsafe for MikroORM's single-instance metadata/instanceof.@supabase/supabase-jsto2.78.0— re-resolving otherwise pulls a newer 2.x whose auth client breakstscdeclaration emit (TS4094). Unrelated to the security fixes; easy to revert later.http-exception.filter.ts— drops one now-redundant type assertion flagged by the updatedtypescript-eslint(no-unnecessary-type-assertion). No runtime change.Verification
Verified in a clean checkout of this branch (CI-faithful):
npm ci— exit 0 (lockfile ↔ manifests in sync)npm audit --audit-level=high— exit 0, 0 high/criticalnest build— compiled successfully (0 errors)tsc --noEmit— 0 errorseslint— cleanvitest run— 4 files, 19 tests passed🤖 Generated with Claude Code