@wycats wycats commented Jul 5, 2025

Summary

This PR fixes all reported security vulnerabilities using targeted solutions rather than blanket overrides.

Approach

  1. Fixed directly where possible:

    • Updated vite from 6.1.1 to 7.0.2 (fixes esbuild vulnerability)
    • Updated mocha from 10.2.0 to 11.7.1 in @glimmer/vm-babel-plugins (fixes nanoid and serialize-javascript vulnerabilities)
  2. Added minimal overrides for third-party issues:

    • @oclif/plugin-warn-if-update-available: Fix lodash.template vulnerability (from tracerbench)
    • d3-color: Fix ReDoS vulnerability (from tracerbench)
    • got: Fix UNIX socket redirect vulnerability (from auto-dist-tag)
    • esbuild: Ensure all transitive dependencies use secure version

Vulnerabilities Fixed

All 7 vulnerabilities resolved:

  • 2 HIGH: d3-color ReDoS, lodash.template command injection
  • 5 MODERATE: got redirect, nanoid predictability, esbuild dev server, serialize-javascript XSS, additional esbuild instances

Follow-up Actions

We should file issues with upstream packages:

  • tracerbench: Update @oclif/plugin-warn-if-update-available and d3-color dependencies
  • auto-dist-tag: Update package-json dependency to get newer got

Test Plan

  • pnpm audit shows no vulnerabilities
  • pnpm install completes successfully
  • All tests pass
  • No functionality regressions
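An added example, not code from this PR or from the glimmer-vm project: a small Node script that turns the "pnpm audit shows no vulnerabilities" item of the test plan into a CI gate and, for each remaining finding, names the top-level dependency that pulls the vulnerable module in (the package the follow-up issue would go to). It assumes `pnpm audit --json` emits the legacy npm-audit report shape (an `advisories` map with `module_name`, `severity`, `vulnerable_versions` and `findings[].paths`); the embedded sample report is constructed.

```javascript
// Added example (not the PR's code). Gate CI on `pnpm audit --json`, whose
// output is assumed to follow the legacy npm-audit shape: an `advisories`
// map with module_name / severity / vulnerable_versions / findings[].paths.
const SEVERITIES = ["info", "low", "moderate", "high", "critical"];

// Count advisories per severity and list each finding together with the
// root dependency that pulls the vulnerable module in. The gate fails when
// any advisory at `failAt` severity or above remains.
function summarize(report, failAt = "moderate") {
  const threshold = SEVERITIES.indexOf(failAt);
  if (threshold < 0) throw new Error(`unknown severity: ${failAt}`);
  const counts = Object.fromEntries(SEVERITIES.map((s) => [s, 0]));
  const findings = [];
  for (const adv of Object.values(report.advisories ?? {})) {
    counts[adv.severity] = (counts[adv.severity] ?? 0) + 1;
    for (const f of adv.findings ?? []) {
      findings.push({
        module: adv.module_name,
        severity: adv.severity,
        vulnerable: adv.vulnerable_versions,
        installed: f.version,
        via: (f.paths ?? []).map((p) => p.split(">")[0]), // root dependency
      });
    }
  }
  const failing = SEVERITIES.slice(threshold).reduce((n, s) => n + counts[s], 0);
  return { counts, findings, ok: failing === 0 };
}

// Constructed sample report (not real audit output) with two of the advisory
// kinds the PR lists, each reached only through a third-party package.
const SAMPLE_REPORT = {
  advisories: {
    "1": { module_name: "d3-color", severity: "high", vulnerable_versions: "<3.1.0",
           findings: [{ version: "2.0.0", paths: ["tracerbench>d3-color"] }] },
    "2": { module_name: "got", severity: "moderate", vulnerable_versions: "<11.8.5",
           findings: [{ version: "9.6.0", paths: ["auto-dist-tag>package-json>got"] }] },
  },
};

// Usage: `pnpm audit --json | node audit-gate.js --stdin`; the process exits
// with code 1 while any advisory at or above the threshold remains.
if (process.argv.includes("--stdin")) {
  let text = "";
  process.stdin.setEncoding("utf8").on("data", (c) => (text += c)).on("end", () => {
    const result = summarize(JSON.parse(text));
    console.log(JSON.stringify(result, null, 2));
    process.exitCode = result.ok ? 0 : 1;
  });
}
```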

wycats added 2 commits July 3, 2025 22:13

- Add targeted pnpm overrides for vulnerable dependencies:
  - @oclif/plugin-warn-if-update-available: Fix lodash.template vulnerability
  - brace-expansion: Fix ReDoS vulnerability
  - d3-color: Fix ReDoS vulnerability
  - esbuild: Fix dev server request vulnerability
  - got: Fix UNIX socket redirect vulnerability
  - nanoid: Fix predictable generation vulnerability
  - serialize-javascript: Fix XSS vulnerability
  - tar-fs: Fix path traversal vulnerabilities
- All 18 vulnerabilities resolved (previously: 2 low, 12 moderate, 4 high)

- Update vite to v7 to fix esbuild vulnerability
- Update mocha in vm-babel-plugins to fix nanoid and serialize-javascript vulnerabilities
- Add minimal pnpm overrides for third-party packages:
  - @oclif/plugin-warn-if-update-available: Fix lodash.template vulnerability (tracerbench)
  - d3-color: Fix ReDoS vulnerability (tracerbench)
  - got: Fix UNIX socket redirect vulnerability (auto-dist-tag)
  - esbuild: Ensure all transitive dependencies use secure version

All 7 vulnerabilities resolved (previously: 5 moderate, 2 high)
github-actions bot commented Jul 5, 2025

Bundle size comparison, This PR vs. main. The two columns are identical for both the Dev and the Prod build, so one tree is shown per build.

Dev (This PR and main)
588K └─┬ .
169K   ├── runtime
160K   ├── syntax
100K   ├── compiler
 58K   ├── opcode-compiler
 27K   ├── manager
 24K   ├── validator
 11K   ├── program
8.9K   ├── reference
7.2K   ├── destroyable
6.3K   ├── util
4.3K   ├── node
3.4K   ├── global-context
2.5K   ├── wire-format
1.0K   ├── vm
969B   ├── encoder
844B   ├── vm-babel-plugins
606B   └── owner

Prod (This PR and main)
231K └─┬ .
 70K   ├── syntax
 63K   ├── runtime
 48K   ├── compiler
 18K   ├── opcode-compiler
7.9K   ├── manager
5.1K   ├── validator
4.8K   ├── program
3.6K   ├── reference
2.4K   ├── util
2.1K   ├── node
1.6K   ├── wire-format
1.5K   ├── destroyable
737B   ├── vm
594B   ├── global-context
516B   ├── encoder
469B   ├── vm-babel-plugins
155B   └── owner

@NullVoxPopuli NullVoxPopuli left a comment

seems good

@NullVoxPopuli NullVoxPopuli merged commit 2e8ec9f into main Jul 5, 2025
9 checks passed
@NullVoxPopuli NullVoxPopuli deleted the fix-security-vulnerabilities branch July 5, 2025 17:41
@github-actions github-actions bot mentioned this pull request Jul 5, 2025