Fix all npm audit advisories (0 vulnerabilities)#211

Merged: yurynix merged 1 commit into main from fix/npm-audit-7day-cooldown on Jun 29, 2026

Conversation

@yurynix yurynix commented Jun 29, 2026

Contributor

What

Clears all 12 advisories reported by npm audit — from 4 critical / 4 high / 3 moderate / 1 low down to 0 vulnerabilities.

Every fix was applied with --min-release-age=7, so no version published within the last 7 days is pulled in (supply-chain cooldown — avoids the window when a freshly-compromised release is most likely live).

Changes

Consumer-facing (production transitive deps — these reach apps using the SDK):

| Package | Path | Advisory | Fix |
|---|---|---|---|
| form-data | axios → form-data | CRLF injection (High) | 4.0.5 → 4.0.6 |
| ws | socket.io-client → engine.io-client → ws | mem disclosure / DoS (High) | 8.21.0 |
| engine.io-client | socket.io-client | pulled vulnerable ws | 6.6.6 |

Dev-only tooling (no consumer impact — devDependencies, never shipped):

| Package | Advisory | Fix |
|---|---|---|
| vitest, @vitest/ui, @vitest/coverage-v8, @vitest/coverage-istanbul | UI server arbitrary file read/exec (Critical) | 1.6.1 → 4.1.9 |
| vite, vite-node, esbuild | path traversal / dev-server request smuggling | pulled transitively by vitest 4 |

Only package.json + package-lock.json change.

Verification

  • npm audit → found 0 vulnerabilities
  • npm test (type checks + 172 unit tests) → all pass on vitest 4
  • Cooldown confirmed: vitest 4.1.9 (published 2026-06-15) and form-data 4.0.6 (2026-06-12) are both well over 7 days old

Notes

  • The vitest 1 → 4 major is a devDependency bump only; it does not affect the published package or its consumers. Tests pass unchanged; vitest 4 emits two non-fatal deprecation warnings (a non-top-level vi.mock in tests/unit/analytics.test.ts, and the now-ignored esbuild block in vitest.config.ts since v4 uses oxc) — cosmetic, left for a follow-up.

🤖 Generated with Claude Code

Clears all 12 advisories reported by `npm audit` (was: 4 critical, 4 high,
3 moderate, 1 low). All fixes were applied with `--min-release-age=7` so no
version published within the last 7 days is pulled in (supply-chain cooldown).

Consumer-facing (production transitive) deps:
- form-data 4.0.5 -> 4.0.6  (CRLF injection, via axios)
- ws 8.x -> 8.21.0          (mem disclosure / DoS, via socket.io-client)
- engine.io-client -> 6.6.6 (pulled patched ws)

Dev-only tooling (no consumer impact):
- vitest + @vitest/ui + @vitest/coverage-{v8,istanbul} 1.6.1 -> 4.1.9
  (UI server arbitrary file read/exec; pulls patched vite/vite-node/esbuild)

Test suite (172 tests) and type checks pass on vitest 4.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
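As an added example (not part of the PR or the project's own tooling), a small Python check for the cooldown verification described above: it takes the publish-time map that `npm view <pkg> time --json` returns and flags any resolved version younger than the 7-day window, and it also picks the newest version that has cleared the window. Only the vitest 4.1.9 and form-data 4.0.6 dates come from the PR; the other versions and timestamps are constructed.

```python
from datetime import datetime, timezone
from typing import Optional

MIN_RELEASE_AGE_DAYS = 7  # the --min-release-age=7 cooldown used in this PR
CHECK_DATE = datetime(2026, 6, 29, tzinfo=timezone.utc)  # the PR's merge date

# Constructed sample of `npm view <pkg> time --json` output. The vitest 4.1.9
# and form-data 4.0.6 dates are the ones the PR quotes; every other version
# and timestamp here is hypothetical and exists only to exercise the check.
PUBLISH_TIMES = {
    "vitest": {
        "created": "2021-12-01T00:00:00.000Z",
        "modified": "2026-06-27T00:00:00.000Z",
        "1.6.1": "2025-03-01T00:00:00.000Z",
        "4.1.9": "2026-06-15T00:00:00.000Z",
        "4.1.10": "2026-06-27T00:00:00.000Z",  # hypothetical: inside the window
    },
    "form-data": {
        "4.0.5": "2025-11-01T00:00:00.000Z",
        "4.0.6": "2026-06-12T00:00:00.000Z",
    },
}

def parse_npm_time(stamp: str) -> datetime:
    """npm emits ISO-8601 with a trailing Z; fromisoformat wants an offset."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def release_age_days(times: dict, version: str, now: datetime) -> float:
    """Days elapsed between the publish time of `version` and `now`."""
    return (now - parse_npm_time(times[version])).total_seconds() / 86400

def newest_cooled_version(times: dict, now: datetime,
                          min_age: int = MIN_RELEASE_AGE_DAYS) -> Optional[str]:
    """Highest version at least min_age days old: what a cooldown-aware resolver
    should select. Skips npm's non-version 'created'/'modified' keys."""
    def key(v):  # numeric compare; a "-prerelease" suffix is ignored for ordering
        return tuple(int(p) for p in v.split("-")[0].split("."))
    ok = [v for v in times if v[0].isdigit()
          and release_age_days(times, v, now) >= min_age]
    return max(ok, key=key) if ok else None

def cooldown_violations(resolved: dict, publish_times: dict, now: datetime,
                        min_age: int = MIN_RELEASE_AGE_DAYS) -> dict:
    """package -> age in days, for each resolved version younger than min_age."""
    ages = {pkg: release_age_days(publish_times[pkg], ver, now)
            for pkg, ver in resolved.items()}
    return {pkg: age for pkg, age in ages.items() if age < min_age}

if __name__ == "__main__":
    lock = {"vitest": "4.1.9", "form-data": "4.0.6"}  # as resolved after the fix
    print("violations:", cooldown_violations(lock, PUBLISH_TIMES, CHECK_DATE))
    print("newest cooled vitest:", newest_cooled_version(PUBLISH_TIMES["vitest"], CHECK_DATE))
```

In a real run, replace the constructed map with the registry's `npm view <pkg> time --json` output for each package changed in package-lock.json.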
claude Bot commented Jun 29, 2026


Claude encountered an error — View job

I'll analyze this and get back to you.

@github-actions


🚀 Package Preview Available!


Install this PR's preview build with npm:

npm i @base44-preview/sdk@0.8.34-pr.211.0879225

Prefer not to change any import paths? Install using npm alias so your code still imports @base44/sdk:

npm i "@base44/sdk@npm:@base44-preview/sdk@0.8.34-pr.211.0879225"

Or add it to your package.json dependencies:

{
  "dependencies": {
    "@base44/sdk": "npm:@base44-preview/sdk@0.8.34-pr.211.0879225"
  }
}

Preview published to npm registry — try new features instantly!

@yurynix yurynix merged commit 2acfef9 into main Jun 29, 2026
5 of 6 checks passed
@yurynix yurynix deleted the fix/npm-audit-7day-cooldown branch June 29, 2026 13:35