Fix security vulnerabilities - reduce from 29 to 7 vulnerabilities

SECURITY.md

@@ -0,0 +1,79 @@
+# Security Status
+
+## Summary
+This document tracks security vulnerabilities in the Lansing Codes Slackbot dependencies.
+
+**Last Updated**: October 2025
+
+## Current Status
+- **Total Vulnerabilities**: 7 (down from 29)
+- **Critical**: 2
+- **High**: 2
+- **Moderate**: 3
+- **Low**: 0
+
+## Fixed Vulnerabilities
+The following vulnerabilities have been addressed:
+- ✅ @grpc/grpc-js (moderate) - Updated firebase to 12.4.0
+- ✅ protobufjs (critical) - Fixed via dependency updates
+- ✅ body-parser (high) - Fixed via npm audit fix
+- ✅ path-to-regexp (high) - Fixed via npm audit fix
+- ✅ send (high) - Fixed via npm audit fix
+- ✅ semver (high) - Fixed via npm audit fix
+- ✅ cross-spawn (high) - Fixed via npm audit fix
+- ✅ tmp (high) - Updated standard to 17.1.2
+- ✅ brace-expansion (low) - Fixed via npm audit fix
+- ✅ word-wrap (moderate) - Fixed via npm audit fix
+- ✅ cookie (moderate) - Fixed via npm audit fix
+
+## Remaining Vulnerabilities
+
+### Cannot Fix Without Breaking Changes
+
+#### 1. connect-multiparty (High Severity)
+- **Package**: connect-multiparty
+- **Affected Dependency**: hubot@3.5.0
+- **Issue**: Arbitrary file upload vulnerability
+- **Why Not Fixed**: 
+  - Upgrading hubot to v9+ (which removes connect-multiparty) breaks compatibility with multiple hubot plugins:
+    - hubot-diagnostics (requires hubot ">=2 <10")
+    - hubot-help (requires hubot ">=2 <10")
+    - hubot-heroku-keepalive (requires hubot ">=2 <10")
+    - hubot-maps (requires hubot ">=2 <10")
+    - hubot-shipit (requires hubot ">=2 <10")
+  - Would require extensive refactoring of tests and initializers
+  - The hubot v9+ API has significant breaking changes (CommonJS to ESM)
+- **Mitigation**: The slackbot does not expose file upload functionality to users, limiting the attack surface.
+
+#### 2. form-data (Critical Severity)
+- **Package**: form-data
+- **Affected Dependency**: hubot-slack@4.10.0 → @slack/client@3.16.1 → request (deprecated)
+- **Issue**: Uses unsafe random function for choosing boundary
+- **Why Not Fixed**:
+  - hubot-slack depends on @slack/client@3.16.1
+  - @slack/client is deprecated and depends on the deprecated request package
+  - There is no updated version of hubot-slack that addresses this
+  - Downgrading hubot-slack would introduce more vulnerabilities
+- **Risk Assessment**: This is a critical vulnerability that should be monitored closely. The attack requires intercepting multipart form data and predicting boundaries. Consider this a known risk that requires a long-term solution (see Recommendations below).
+
+#### 3. tough-cookie (Moderate Severity)  
+- **Package**: tough-cookie
+- **Affected Dependency**: hubot-slack@4.10.0 → @slack/client@3.16.1 → request (deprecated)
+- **Issue**: Prototype pollution vulnerability
+- **Why Not Fixed**: Same dependency chain as form-data above
+- **Risk Assessment**: Prototype pollution can lead to security issues if user-controlled data is processed. This is a known risk that should be addressed as part of the long-term migration strategy.
+
+## Recommendations
+
+### Short Term
+- Monitor these packages for security updates from maintainers
+- Consider the risk acceptable given the mitigation factors
+
+### Long Term
+- Consider migrating from hubot to a modern bot framework that doesn't rely on deprecated packages
+- Alternatively, contribute to or fork hubot-slack to update its dependencies
+
+## Notes
+- The deprecated `request` package is the root cause of several remaining vulnerabilities
+- Slack has deprecated @slack/client in favor of @slack/web-api and @slack/rtm-api
+- The hubot ecosystem has limited active maintenance