
chore(deps): resolve npm audit vulnerabilities #615

Open

hitesh-shetty-cstk wants to merge 1 commit into develop_v4 from fix/npm-audit-security-updates

Conversation

@hitesh-shetty-cstk (Contributor)

Summary

Resolves all npm audit vulnerabilities in the SDK (previously 3 high, 2 moderate → now 0).

Changes

  • dompurify 3.4.1 → 3.4.11 (direct runtime dependency) — picks up the DOMPurify XSS / config-pollution advisory fixes. This is the only production dependency affected and the only one that ships in the published package.
  • Added an overrides block pinning transitive dev/test-tooling deps to patched versions:
    • form-data ^4.0.6 (via jsdom)
    • ws ^8.21.0 (via jsdom)
    • vite ^7.3.6 (via vitest — kept on 7.x to avoid a breaking major bump to vite 8)
    • js-yaml ^4.3.0 (via @commitlint/cli, eslint)

Verification

  • npm audit → 0 vulnerabilities
  • npm run build succeeds
  • Full unit test suite passes — 861 tests, 111 files

Notes

  • The four transitive packages are dev/test tooling only; they never reach a consumer's bundle.
  • Deliberately avoided npm audit fix --force, which would have bumped vite to 8 and broken the test suite. Fixes were applied surgically to keep the lockfile churn minimal.

Bump dompurify 3.4.1 -> 3.4.11 (direct runtime dep) to pick up the
DOMPurify XSS / config-pollution advisory fixes, and add overrides
pinning transitive dev-tooling deps to patched versions:

- form-data ^4.0.6 (via jsdom)
- ws ^8.21.0 (via jsdom)
- vite ^7.3.6 (via vitest; stays on 7.x to avoid a breaking major bump)
- js-yaml ^4.3.0 (via commitlint, eslint)

npm audit now reports 0 vulnerabilities. Build and the full unit test
suite (861 tests) pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
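An added example, not part of this PR or the SDK, that checks the two claims above mechanically: that every installed copy of an overridden package (nested copies included) satisfies its override range, and that none of those copies is a production dependency. It reads the `packages` map of a lockfileVersion 2/3 package-lock.json, where npm flags dev-only installs with `"dev": true`. The override ranges are the ones listed in the PR description; the lockfile fragment is constructed for the example, and the stale nested js-yaml under eslint is placed there deliberately so the check has something to flag (a correctly applied override would have replaced it). Only exact versions and caret ranges are parsed; full semver is out of scope.

```javascript
// Added example, not the project's code: audit package-lock.json against the
// "overrides" block of package.json.

// Override ranges as listed in the PR description.
const SAMPLE_OVERRIDES = {
  "form-data": "^4.0.6",
  "ws": "^8.21.0",
  "vite": "^7.3.6",
  "js-yaml": "^4.3.0",
};

// Constructed lockfile fragment (not the SDK's real lockfile). The nested
// js-yaml under eslint is a deliberately stale copy that the check must flag.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-sdk", version: "0.0.0" },
    "node_modules/dompurify": { version: "3.4.11" },
    "node_modules/jsdom": { version: "26.0.0", dev: true },
    "node_modules/form-data": { version: "4.0.6", dev: true },
    "node_modules/ws": { version: "8.21.0", dev: true },
    "node_modules/vite": { version: "7.3.6", dev: true },
    "node_modules/js-yaml": { version: "4.3.0", dev: true },
    "node_modules/eslint/node_modules/js-yaml": { version: "3.14.1", dev: true },
  },
};

// "1.2.3-beta" -> [1, 2, 3]; null when the string is not a version.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || "");
  return m ? m.slice(1, 4).map(Number) : null;
}

// Caret semantics: same major (and same minor when major is 0), and >= base.
// An exact range must match all three components.
function satisfiesRange(range, version) {
  const caret = range.startsWith("^");
  const base = parseVersion(caret ? range.slice(1) : range);
  const v = parseVersion(version);
  if (!base || !v) return false;
  if (!caret) return base.every((n, i) => n === v[i]);
  if (base[0] !== v[0]) return false;
  if (base[0] === 0 && base[1] !== v[1]) return false;
  for (let i = 0; i < 3; i++) {
    if (v[i] !== base[i]) return v[i] > base[i];
  }
  return true;
}

// "node_modules/eslint/node_modules/js-yaml" -> "js-yaml";
// "node_modules/@commitlint/cli" -> "@commitlint/cli".
function packageName(lockPath) {
  const marker = "node_modules/";
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// One finding per installed copy of an overridden package.
function checkOverrides(lock, overrides) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project itself
    const name = packageName(path);
    const range = overrides[name];
    if (!range) continue;
    findings.push({
      name,
      path,
      version: entry.version,
      dev: Boolean(entry.dev),
      ok: satisfiesRange(range, entry.version),
    });
  }
  return findings;
}

// Copies that violate their range, and copies npm considers production deps.
function summarize(findings) {
  return {
    unsatisfied: findings.filter((f) => !f.ok).map((f) => `${f.path}@${f.version}`),
    productionCopies: findings.filter((f) => !f.dev).map((f) => f.path),
  };
}

// Stand-alone usage: node check-overrides.js [package.json] [package-lock.json]
// Without arguments it runs against the constructed sample data above.
if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  const fs = require("fs");
  const [pkgPath, lockPath] = process.argv.slice(2);
  const overrides = pkgPath ? JSON.parse(fs.readFileSync(pkgPath, "utf8")).overrides || {} : SAMPLE_OVERRIDES;
  const lock = lockPath ? JSON.parse(fs.readFileSync(lockPath, "utf8")) : SAMPLE_LOCK;
  const summary = summarize(checkOverrides(lock, overrides));
  console.log(JSON.stringify(summary, null, 2));
  if (lockPath && summary.unsatisfied.length > 0) process.exitCode = 1;
}
```

Run against the real package.json and package-lock.json, an empty `unsatisfied` list confirms the overrides took effect in every nesting position, and an empty `productionCopies` list backs the note that the overridden packages are dev tooling only; a non-empty `productionCopies` would mean one of them is reachable from the runtime dependency graph and deserves the same scrutiny as the dompurify bump.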
hitesh-shetty-cstk requested review from a team as code owners, July 1, 2026 10:13
github-actions Bot commented Jul 1, 2026


🔒 Security Scan Results

ℹ️ Note: Only vulnerabilities with available fixes (upgrades or patches) are counted toward thresholds.

| Check Type | Count (with fixes) | Without fixes | Threshold | Result |
|---|---|---|---|---|
| 🔴 Critical Severity | 0 | 0 | 10 | ✅ Passed |
| 🟠 High Severity | 0 | 0 | 25 | ✅ Passed |
| 🟡 Medium Severity | 0 | 0 | 500 | ✅ Passed |
| 🔵 Low Severity | 0 | 0 | 1000 | ✅ Passed |

⏱️ SLA Breach Summary

✅ No SLA breaches detected. All vulnerabilities are within acceptable time thresholds.

| Severity | Breaches (with fixes) | Breaches (no fixes) | SLA Threshold (with / no fixes) | Status |
|---|---|---|---|---|
| 🔴 Critical | 0 | 0 | 15 / 30 days | ✅ Passed |
| 🟠 High | 0 | 0 | 30 / 120 days | ✅ Passed |
| 🟡 Medium | 0 | 0 | 90 / 365 days | ✅ Passed |
| 🔵 Low | 0 | 0 | 180 / 365 days | ✅ Passed |

✅ BUILD PASSED - All security checks passed

github-actions Bot commented Jul 1, 2026


Coverage Report

| Status | Category | Percentage | Covered / Total |
|---|---|---|---|
| 🔵 | Lines | 67.11% | 2508 / 3737 |
| 🔵 | Statements | 65.99% | 2548 / 3861 |
| 🔵 | Functions | 64.51% | 449 / 696 |
| 🔵 | Branches | 61.4% | 1513 / 2464 |

File Coverage: No changed files found.
Generated in workflow #850 for commit 334cac8 by the Vitest Coverage Report Action
