Skip to content

fix(security): clear the last high advisories + repair the webpack build#226

Open
BreakableHoodie wants to merge 1 commit into
mainfrom
worktree-fix-backend-npm-audit-high
Open

fix(security): clear the last high advisories + repair the webpack build#226
BreakableHoodie wants to merge 1 commit into
mainfrom
worktree-fix-backend-npm-audit-high

Conversation

@BreakableHoodie

@BreakableHoodie BreakableHoodie commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

What & why

Rebased onto main after #206 ("patch 60+ dependabot alerts") and #212 (webpack bump) merged. Those resolved most advisories; this PR clears the three highs still failing npm audit --audit-level=high for the backend workspace, which correspond to the remaining open Dependabot alerts.

Dependabot alerts resolved

# Package Severity Resolved to How
89 form-data high 4.0.6 lockfile (latest in-range)
88 multer high 2.2.0 root overrides
87 multer medium 2.2.0 root overrides
86 vite medium 8.0.16 lockfile (latest in-range)
85 vite high 8.0.16 lockfile (latest in-range)

multer needs a root override because every @nestjs/platform-express (incl. latest 11.x) pins multer to an exact 2.1.1, and npm only honors overrides from the workspaces-root package.json. #206's rxjs root override is preserved.

Supporting changes (required to land the above cleanly)

  • backend/webpack.config.js (new) + nest-cli.json — a webpack IgnorePlugin for MikroORM/knex optional DB drivers. main's nest build is currently broken (11 "Module not found" errors: sqlite3, mysql, tedious, …) because security: patch 60+ dependabot alerts and restrict workflow permissions #206's MikroORM 6.6.x bump makes webpack try to bundle optional drivers we don't install. This repairs it while preserving the existing "webpack": true bundling (we only use PostgreSQL).
  • @mikro-orm/*~6.6.15 (lockstep) — regenerating the lockfile otherwise left a dual @mikro-orm/core (6.6.14 + 6.6.15), which is unsafe for MikroORM's single-instance metadata/instanceof.
  • Pin @supabase/supabase-js to 2.78.0 — re-resolving otherwise pulls a newer 2.x whose auth client breaks tsc declaration emit (TS4094). Unrelated to the security fixes; easy to revert later.
  • http-exception.filter.ts — drops one now-redundant type assertion flagged by the updated typescript-eslint (no-unnecessary-type-assertion). No runtime change.

Verification

Verified in a clean checkout of this branch (CI-faithful):

  • npm ci — exit 0 (lockfile ↔ manifests in sync)
  • npm audit --audit-level=highexit 0, 0 high/critical
  • nest build — compiled successfully (0 errors)
  • tsc --noEmit — 0 errors
  • eslint — clean
  • vitest run — 4 files, 19 tests passed

Note: the breaking @fastify/static v9 and @nestjs/swagger bumps previously planned as follow-ups were already done in #206.

🤖 Generated with Claude Code

@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

Rebased onto main after #206/#212. Those already fixed most advisories;
this clears the three highs still failing `npm audit --audit-level=high`
for the backend workspace (the open Dependabot alerts #85-89):

- multer -> 2.2.0 via a root `overrides` entry (every @nestjs/platform-express
  pins multer to an exact 2.1.1, so a root override is the only way to reach
  the patched version). rxjs override from #206 is preserved.
- form-data -> 4.0.6 and vite -> 8.0.16 via the regenerated lockfile
  (latest in-range; npm audit fix handles both non-breaking).

Supporting fixes required to land the above cleanly:

- backend/webpack.config.js (new) + nest-cli.json: a webpack IgnorePlugin
  for MikroORM/knex optional DB drivers. main's `nest build` is currently
  broken (11 "Module not found" errors) because #206's MikroORM 6.6.x bump
  makes webpack try to bundle uninstalled optional drivers; this repairs it.
- @mikro-orm/* aligned to ~6.6.15 (lockstep). Re-resolving otherwise left a
  dual @mikro-orm/core (6.6.14 + 6.6.15), which is unsafe for MikroORM's
  single-instance metadata.
- Pin @supabase/supabase-js to 2.78.0: re-resolving otherwise pulls a newer
  2.x that breaks tsc declaration emit (TS4094).
- Drop a now-redundant type assertion in http-exception.filter.ts flagged by
  the updated typescript-eslint.

Verified in a clean checkout of this branch: npm ci, audit (0 high/critical),
nest build, tsc --noEmit, eslint, and vitest (19 tests) all pass.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@BreakableHoodie
BreakableHoodie force-pushed the worktree-fix-backend-npm-audit-high branch from 3507c2b to edc0e3f Compare June 23, 2026 11:43
@BreakableHoodie BreakableHoodie changed the title fix(security): clear high/critical advisories blocking the npm-audit gate fix(security): clear the last high advisories + repair the webpack build Jun 23, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants