Skip to content

Fix package security vulnerabilities#11

Merged
edgarsj merged 2 commits into
mainfrom
fix/package-security-updates
Mar 17, 2026
Merged

Fix package security vulnerabilities#11
edgarsj merged 2 commits into
mainfrom
fix/package-security-updates

Conversation

@edgarsj

@edgarsj edgarsj commented Mar 15, 2026

Copy link
Copy Markdown
Owner

Summary

  • Run npm audit fix to resolve high/critical vulnerabilities in transitive dependencies
  • Fixes issues in rollup, minimatch, koa, basic-ftp, diff, qs, and brace-expansion
  • Remaining 6 moderate-severity alerts are deep in @web/test-runner-chrome (yauzl/puppeteer chain) and require a breaking change to fix — left as-is since they only affect dev test tooling

Test plan

  • All 122 tests pass

Update transitive dependencies to resolve high/critical vulnerabilities
in rollup, minimatch, koa, basic-ftp, diff, qs, and brace-expansion.
@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

…errors

Bump all dependencies to latest within their declared semver ranges.
Fix Uint8Array/BufferSource type incompatibilities introduced by stricter
TypeScript 5.9 and @types/node typings in Web Crypto API calls.
@edgarsj

edgarsj commented Mar 15, 2026

Copy link
Copy Markdown
Owner Author

@greptileai please check

@greptile-apps

greptile-apps Bot commented Mar 15, 2026

Copy link
Copy Markdown

Greptile Summary

Resolves high/critical npm audit vulnerabilities via npm audit fix, bumps dependencies within semver ranges (notably TypeScript to 5.9.3), and fixes the resulting type errors. The TypeScript source changes wrap Uint8Array-typed arguments to crypto.subtle.digest() and subtle.verify() in new Uint8Array() to satisfy TS 5.9's stricter BufferSource typing — these are purely type-level fixes with no behavioral change at runtime.

  • Security: npm audit fix addresses high/critical vulnerabilities in transitive deps (rollup, minimatch, koa, basic-ftp, diff, qs, brace-expansion). 6 moderate-severity alerts remain in dev-only @web/test-runner-chrome chain.
  • TypeScript 5.9 fix: Three call sites in verification.ts and rsa-digestinfo-workaround.ts now wrap Uint8Array args with new Uint8Array() to produce Uint8Array<ArrayBuffer>, which is assignable to BufferSource. Other crypto.subtle call sites in the codebase already use ArrayBuffer-typed parameters and are unaffected.
  • No logic changes: All modifications are mechanical type fixes; runtime behavior is identical.

Confidence Score: 5/5

  • This PR is safe to merge — it only updates dependency versions and applies mechanical type fixes with no behavioral changes.
  • The lockfile changes are standard npm audit fix output. The TypeScript changes are minimal, well-understood fixes for a known TS 5.9 breaking change (BufferSource no longer accepts bare Uint8Array). All 122 tests pass. No logic was altered.
  • No files require special attention.

Important Files Changed

Filename Overview
package-lock.json Lockfile updated by npm audit fix and semver-range dependency bumps; TypeScript moved from 5.8.x to 5.9.3. 6 moderate vulnerabilities remain in dev-only @web/test-runner-chrome chain.
src/core/rsa-digestinfo-workaround.ts Wraps dataToVerify (typed Uint8Array) in new Uint8Array() to satisfy TS 5.9's stricter BufferSource type for crypto.subtle.digest(). Functionally equivalent — no behavioral change.
src/core/verification.ts Two changes: wraps fileContent in browserDigest() and wraps signatureBytes/signedData in verifySignedInfo() with new Uint8Array() for TS 5.9 BufferSource compatibility. No behavioral change.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[npm audit fix] --> B[package-lock.json updated]
    B --> C[TypeScript bumped to 5.9.3]
    C --> D{TS 5.9 stricter BufferSource type}
    D --> E[verification.ts:browserDigest]
    D --> F[verification.ts:verifySignedInfo]
    D --> G[rsa-digestinfo-workaround.ts:verifyRsa...]
    E --> H["Wrap fileContent in new Uint8Array()"]
    F --> I["Wrap signatureBytes & signedData in new Uint8Array()"]
    G --> J["Wrap dataToVerify in new Uint8Array()"]
    H --> K[Uint8Array → Uint8Array⟨ArrayBuffer⟩]
    I --> K
    J --> K
    K --> L[Satisfies BufferSource type ✓]
Loading

Last reviewed commit: ddfe4e4

@edgarsj edgarsj merged commit 1babe95 into main Mar 17, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant