Fix production dependency audit issues #2
Draft
RandomPerson208 wants to merge 7 commits into
…ovate/postcss-8.x chore(deps): update dependency postcss to v8.5.16
What changed

package-lock.json to pick up patched transitive versions for production audit findings:
- ajv 6.12.6 -> 6.15.0
- brace-expansion 1.1.12 -> 1.1.15
- minimatch 3.1.2 -> 3.1.5
- path-to-regexp 0.1.12 -> 0.1.13
- qs 6.15.1 -> 6.15.3
- side-channel/side-channel-list patch updates required by qs

Why

npm audit --omit=dev reported production dependency vulnerabilities in transitive packages used by the app. Running a focused, non-forcing audit fix updates only the lockfile entries needed to clear the production audit without introducing major dependency upgrades.

Impact

This is a lockfile-only security maintenance update. Runtime dependency ranges in package.json are unchanged.

Validation

- npm audit --omit=dev -> found 0 vulnerabilities
- npm run test -> passed lint, build, Jest unit/localization tests, and legacy Tap tests

Notes

A full dev-inclusive npm audit still reports vulnerabilities that require separate dependency decisions, bundled dependency updates, or breaking major upgrades, including tap, fastly, plotly.js, copy-webpack-plugin, canvas, and Scratch GUI/render/VM transitive packages. I intentionally did not include those breaking upgrades in this focused production audit PR.
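As an added example (not code from this PR or from the project), a Python check a reviewer could run to confirm that a dependency-audit PR like this one really is lockfile-only: it diffs the `packages` map of two package-lock.json snapshots (constructed fragments here, with assumed versions), lists the version bumps in the same "old -> new" form as the description above, and flags any devDependency that a `--omit=dev` fix should not have touched.

```python
import json

# Constructed before/after fragments of a lockfileVersion 3 package-lock.json
# (not the project's real lockfile); "dev": true marks devDependency entries.
BEFORE = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "app", "dependencies": {"express": "^4.18.0"}},
    "node_modules/ajv": {"version": "6.12.6"},
    "node_modules/qs": {"version": "6.15.1"},
    "node_modules/side-channel": {"version": "1.0.4"},
    "node_modules/tap": {"version": "16.3.0", "dev": True},
}})
AFTER = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "app", "dependencies": {"express": "^4.18.0"}},
    "node_modules/ajv": {"version": "6.15.0"},
    "node_modules/qs": {"version": "6.15.3"},
    "node_modules/side-channel": {"version": "1.1.0"},
    "node_modules/tap": {"version": "16.3.0", "dev": True},
}})

def lock_diff(before_text, after_text):
    """Map each changed entry path to (old_version, new_version, was_dev).
    Reads the 'packages' map of lockfileVersion 2/3; an entry that only
    exists on one side gets None for the missing version."""
    b = json.loads(before_text)["packages"]
    a = json.loads(after_text)["packages"]
    diff = {}
    for path in sorted((set(b) | set(a)) - {""}):  # "" is the root project
        old = b.get(path, {}).get("version")
        new = a.get(path, {}).get("version")
        if old != new:
            diff[path] = (old, new, bool(b.get(path, a.get(path)).get("dev")))
    return diff

def root_unchanged(before_text, after_text):
    """True when the root entry, which mirrors package.json's dependency
    ranges, is identical: the change is genuinely lockfile-only."""
    return (json.loads(before_text)["packages"][""]
            == json.loads(after_text)["packages"][""])

def review_report(before_text, after_text):
    """Lines like 'ajv 6.12.6 -> 6.15.0'; a [dev] tag flags a devDependency
    bump that a production-only (--omit=dev) fix should not have touched."""
    lines = []
    for path, (old, new, dev) in lock_diff(before_text, after_text).items():
        name = path.rsplit("node_modules/", 1)[-1]
        lines.append(f"{name} {old} -> {new}" + ("  [dev]" if dev else ""))
    return lines
```

On a real repository, feed it `git show <base>:package-lock.json` and the working-tree lockfile; a non-empty `[dev]` line or a False from root_unchanged means the PR is doing more than its description claims.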