Skip to content

chore: clear dependency advisories and bump CI to Node 24#15

Merged
edgarsj merged 3 commits into
mainfrom
chore/security-and-ci-updates
Jun 25, 2026
Merged

chore: clear dependency advisories and bump CI to Node 24#15
edgarsj merged 3 commits into
mainfrom
chore/security-and-ci-updates

Conversation

@edgarsj

@edgarsj edgarsj commented Jun 25, 2026

Copy link
Copy Markdown
Owner

Release-prep chores: clear all GitHub-reported dependency vulnerabilities and move CI to Node 24.

Security — npm audit now reports 0 vulnerabilities (was 30: 1 critical, 4 high, 23 moderate, 2 low)

Cross-checked against the repo's actual Dependabot alerts, not just npm audit.

  • @xmldom/xmldom → 0.9.10 — the only affected runtime dependency. Resolves the high-severity XML injection + serialization DoS advisories. Within the existing ^0.9.8 range.
  • npm audit fix (non-force) cleared the critical (handlebars) and remaining high (basic-ftp, ws) advisories across the dev/test toolchain.
  • Added overrides for the two stragglers whose parents pin vulnerable ranges — both dev-only:
    • esbuild^0.28.1 (from web-test-runner / rollup-plugin-esbuild / tsx; advisory was dev-server-on-Windows arbitrary file read, CI runs Ubuntu; esbuild has no deps so the pin is safe)
    • js-yaml^4.2.0 (buried under jest's coverage tooling via babel-plugin-istanbul → @istanbuljs/load-nyc-config; no fixed 3.x release exists; only reachable via Babel coverage-config loading, never attacker input)

CI — Node 20 → 24

  • All 3 jobs in .github/workflows/ci.yml and the verify job (plus the commented publish job) in release.yml.

Verification

All green locally with the updated dependency tree:

  • npm run format:check
  • npm run build
  • npm test154 unit/integration tests pass (coverage runs, confirming the js-yaml 4.x override doesn't break Babel coverage tooling)
  • npm run test:browser37 browser tests pass (confirming the esbuild 0.28 override doesn't break @web/dev-server-esbuild bundling)
  • npm audit0 vulnerabilities

Notes

This bumps CI to Node 24 but does not change the package's declared engine support. Let me know if you'd also like an engines field / matrix change.

edgarsj added 3 commits June 26, 2026 02:01
Security:
- Bump @xmldom/xmldom to 0.9.10 (the only affected runtime dependency;
  resolves high-severity XML injection + serialization DoS advisories).
- npm audit fix clears the critical handlebars and high basic-ftp/ws
  advisories across the dev/test toolchain.
- Add overrides for esbuild (^0.28.1) and js-yaml (^4.2.0) to clear the
  remaining dev-only advisories that the parents pin to vulnerable ranges.
- npm audit now reports 0 vulnerabilities.

CI:
- Bump GitHub Actions Node from 20 to 24 in ci.yml and release.yml.

Verified: format:check, build, 154 unit/integration tests, and 37 browser
tests all pass with the updated dependency tree.
actions/checkout@v4 and actions/setup-node@v4 declare the node20 runtime,
which GitHub now force-runs on node24 and is deprecating. v5 is the first
major of each that natively targets node24, resolving the warning without
pulling in the additional breaking changes from v6/v7.
actions/create-release@v1 is archived and runs on the node12 runtime.
Replace it with `gh release create`, which ships pre-installed on the
runner and runs as a shell step, so there is no action runtime to
deprecate. Behavior is preserved: a non-draft, non-prerelease release on
the pushed tag with notes from the extracted release_notes.md.
@edgarsj edgarsj merged commit 6cab6b8 into main Jun 25, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant