
Fix production dependency audit issues #2

Draft
RandomPerson208 wants to merge 7 commits into develop from fix-dependency-audit-issues

Conversation

@RandomPerson208

Owner

What changed

  • Refreshed package-lock.json to pick up patched transitive versions for production audit findings:
    • ajv 6.12.6 -> 6.15.0
    • brace-expansion 1.1.12 -> 1.1.15
    • minimatch 3.1.2 -> 3.1.5
    • path-to-regexp 0.1.12 -> 0.1.13
    • qs 6.15.1 -> 6.15.3
    • side-channel / side-channel-list patch updates required by qs

Why

npm audit --omit=dev reported production dependency vulnerabilities in transitive packages used by the app. Running a focused, non-forcing audit fix updates only the lockfile entries needed to clear the production audit without introducing major dependency upgrades.

Impact

This is a lockfile-only security maintenance update. Runtime dependency ranges in package.json are unchanged.

Validation

  • npm audit --omit=dev -> found 0 vulnerabilities
  • npm run test -> passed lint, build, Jest unit/localization tests, and legacy Tap tests

Notes

A full dev-inclusive npm audit still reports vulnerabilities that require separate dependency decisions, bundled dependency updates, or breaking major upgrades, including tap, fastly, plotly.js, copy-webpack-plugin, canvas, and Scratch GUI/render/VM transitive packages. I intentionally did not include those breaking upgrades in this focused production audit PR.
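A reviewer's check for the claim that this is a lockfile-only update, as an added example that is not part of the PR or the project's code: it compares two package-lock.json (lockfileVersion 2/3) documents, confirms the root entry's declared dependency ranges are untouched, and lists which resolved versions were bumped, with the dev-only entries separated out the way `npm audit --omit=dev` would ignore them. Both lockfiles below are constructed samples trimmed to the fields the check reads; the package names and versions in them are illustrative, not the project's real dependency tree.

```javascript
// Added example, not code from the PR: diff two package-lock.json documents
// and report what a lockfile-only audit fix changed.

// Constructed sample "before" lockfile (abbreviated).
const beforeLock = {
  lockfileVersion: 3,
  packages: {
    "": {
      name: "example-app",
      dependencies: { express: "^4.18.0", qs: "^6.11.0" },
      devDependencies: { tap: "^16.0.0" },
    },
    "node_modules/qs": { version: "6.15.1" },
    "node_modules/ajv": { version: "6.12.6" },
    "node_modules/side-channel": { version: "1.0.6" },
    "node_modules/tap": { version: "16.3.0", dev: true },
  },
};

// Constructed sample "after" lockfile: transitive bumps plus one new package,
// with the root ranges left exactly as they were.
const afterLock = {
  lockfileVersion: 3,
  packages: {
    "": {
      name: "example-app",
      dependencies: { express: "^4.18.0", qs: "^6.11.0" },
      devDependencies: { tap: "^16.0.0" },
    },
    "node_modules/qs": { version: "6.15.3" },
    "node_modules/ajv": { version: "6.15.0" },
    "node_modules/side-channel": { version: "1.1.0" },
    "node_modules/side-channel-list": { version: "1.0.0" },
    "node_modules/tap": { version: "16.3.0", dev: true },
  },
};

// Strip the (possibly nested) "node_modules/" prefix to get the package name.
function packageName(lockPath) {
  const idx = lockPath.lastIndexOf("node_modules/");
  return idx === -1 ? lockPath : lockPath.slice(idx + "node_modules/".length);
}

// Compare the root entry's declared ranges. Any difference means package.json
// itself changed, so the update is not lockfile-only.
function rangeChanges(before, after) {
  const changes = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    const a = before.packages[""][field] || {};
    const b = after.packages[""][field] || {};
    for (const name of new Set([...Object.keys(a), ...Object.keys(b)])) {
      if (a[name] !== b[name]) changes.push({ field, name, from: a[name], to: b[name] });
    }
  }
  return changes;
}

// Walk every installed path in either lockfile and classify it as bumped,
// added or removed; "dev" mirrors npm's own flag on the lock entry.
function diffLockfiles(before, after) {
  const bumps = [];
  const added = [];
  const removed = [];
  const paths = new Set([...Object.keys(before.packages), ...Object.keys(after.packages)]);
  for (const p of paths) {
    if (p === "") continue;
    const a = before.packages[p];
    const b = after.packages[p];
    const name = packageName(p);
    if (!a) added.push({ name, version: b.version, dev: !!b.dev });
    else if (!b) removed.push({ name, version: a.version, dev: !!a.dev });
    else if (a.version !== b.version) bumps.push({ name, from: a.version, to: b.version, dev: !!b.dev });
  }
  return { rangeChanges: rangeChanges(before, after), bumps, added, removed };
}

// Lockfile-only: declared ranges untouched and nothing dropped from the tree
// (an audit fix may legitimately add a package a newer version now requires).
function isLockfileOnlyUpdate(diff) {
  return diff.rangeChanges.length === 0 && diff.removed.length === 0;
}

// Production-only view of the bumps, the set `npm audit --omit=dev` cares about.
function prodBumps(diff) {
  return diff.bumps.filter((b) => !b.dev);
}

const sampleDiff = diffLockfiles(beforeLock, afterLock);
console.log("lockfile-only:", isLockfileOnlyUpdate(sampleDiff));
for (const b of prodBumps(sampleDiff)) console.log(`${b.name} ${b.from} -> ${b.to}`);
for (const a of sampleDiff.added) console.log(`added ${a.name}@${a.version}`);
```

To use it on a real PR, replace the two constructed objects with `JSON.parse(fs.readFileSync(...))` of the base and head lockfiles; a non-empty `rangeChanges` list is the signal that the change is not the lockfile-only maintenance the description promises.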
