
chore(root): patch transitive security vulnerabilities#426

Merged
magnusrand merged 1 commit into main from copilot/fix-security-issues on Jun 23, 2026

Conversation

Copilot AI commented Jun 22, 2026


💡 Why?

Patches known CVEs in transitive dependencies:

| Package | Vulnerability | Severity |
| --- | --- | --- |
| undici 6.24.0 | CVE-2025-22620 + WebSocket DoS | High |
| ws 7.5.10 / 8.20.1 | Memory exhaustion via tiny fragments | High |
| send 0.19.0 | CVE-2024-43799 (XSS in error page) | Medium |
| express 4.21.2 | Transitive send vulnerability | Medium |
| serve-static 1.16.2 | Uses vulnerable send | Medium |

🔧 How?

Resolution overrides in the root package.json:

  • undici: 6.24.0 → 6.27.0
  • ws@npm:^7.5.10: 7.5.10 → 7.5.11
  • ws@npm:^8.x / ~8.x: 8.20.1 → 8.21.0
  • express@npm:^4.16.4 / ^4.18.2: 4.21.2 → 4.22.2 (pulls patched send ~0.19.1 and serve-static ~1.16.2)
  • send@npm:0.19.0: → 0.19.2
  • serve-static@npm:1.16.2: → 1.16.3

No change for consumers; only internal/transitive dependencies are updated.

🧩 Type of change

  • 🐞 Bug fix
  • 🚀 New feature
  • 💥 Breaking change (requires code changes by users)
  • 📝 Documentation update
  • 🧹 Refactoring (no functional changes)
  • ⚡️ Performance improvement
  • 🏗️ Build/CI change

🖼️ Screenshots

Not applicable.

💬 Additional notes

  • express 4.22.2 is API-compatible with 4.21.2 (minor bump within the ^4.x range).
  • ws 7.5.11 is a patch bump for firebase-tools' ^7.5.10 range.
  • webpack-dev-middleware 5.3.4 has no registered advisory in the GitHub Advisory DB at present and was left unchanged.
  • Lockfile regenerated with yarn install --mode=update-lockfile. A full yarn install + build/test should be verified in CI.

💣 Breaking changes (if applicable)

None. All upgrades are within existing semver ranges.

✅ Checklist

  • Naming conventions followed
  • Code and Figma reflect each other
  • Documentation updated (if applicable)
  • No unused imports / warnings / console.logs

🧪 Testing

  • Lockfile updated with --mode=update-lockfile without errors
  • Build and tests should be verified by CI
  • Tested with a screen reader
  • Tested in Safari and Firefox
  • Tested on the documentation site

Resolve CVEs in transitive dependencies:
- undici 6.24.0 → 6.27.0 (CVE-2025-22620, memory exhaustion DoS)
- ws ^7.5.10 → 7.5.11, ^8.x → 8.21.0 (memory exhaustion DoS)
- express ^4.16.4/^4.18.2 → 4.22.2 (fixes transitive send CVE-2024-43799)
- send 0.19.0 → 0.19.2 (CVE-2024-43799 XSS in error page)
- serve-static 1.16.2 → 1.16.3 (uses patched send)

AI-assistant: Claude (claude-sonnet-4-6)
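The description above relies on Yarn resolution overrides and a regenerated lockfile, and leaves the "did the overrides actually land" question to CI. Below is an added example, not code from this PR or from the Entur design-system repository: a Node.js check that parses a Yarn Berry yarn.lock and reports every entry for the listed packages whose resolved version is below the floor the description names. The floors are taken from the PR text and are inputs to the check, not a claim about which versions are vulnerable; the lockfile text is a constructed sample, not the repository's real yarn.lock, and the function names (`parseYarnLock`, `findUnpatched`, `report`) are my own.

```javascript
// Added example, not code from the PR or the Entur repository: check that a Yarn
// Berry yarn.lock resolves selected packages at or above a floor version. The
// floors are the versions the PR description names as patched; they are inputs
// to the check, not a claim about which versions are vulnerable.
const PATCHED_FLOORS = {
  undici: ['6.27.0'],
  ws: ['7.5.11', '8.21.0'], // one floor per major line
  express: ['4.22.2'],
  send: ['0.19.2'],
  'serve-static': ['1.16.3'],
};

// Parse a Yarn Berry (v2+) lockfile into [{ name, version, descriptors }].
// Entry headers sit at column 0 and end with ':' (e.g. "ws@npm:^7.5.10, ws@npm:^8.17.1":);
// the resolved version follows on an indented "  version: 7.5.11" line.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split('\n')) {
    if (line.trim() === '' || line.startsWith('#')) continue;
    if (!line.startsWith(' ') && line.endsWith(':')) {
      const header = line.slice(0, -1).replace(/^"|"$/g, '');
      if (header === '__metadata') { current = null; continue; }
      const descriptors = header.split(',').map((d) => d.trim());
      // "name@npm:range" or "@scope/name@npm:range": the name is everything before
      // the last "@npm:" (fall back to the last "@" for other protocols).
      const first = descriptors[0];
      const at = first.lastIndexOf('@npm:');
      const name = at > 0 ? first.slice(0, at) : first.slice(0, first.lastIndexOf('@'));
      current = { name, version: null, descriptors };
      entries.push(current);
    } else if (current && line.startsWith('  version: ')) {
      current.version = line.slice('  version: '.length).trim().replace(/^"|"$/g, '');
    }
  }
  return entries;
}

// Compare the first three numeric components; pre-release suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return every entry for a listed package that resolves below its floor, or to a
// major line that has no reviewed floor at all.
function findUnpatched(lockText, floors = PATCHED_FLOORS) {
  const findings = [];
  for (const entry of parseYarnLock(lockText)) {
    const lineFloors = floors[entry.name];
    if (!lineFloors || !entry.version) continue;
    const major = entry.version.split('.')[0];
    const floor = lineFloors.find((f) => f.split('.')[0] === major);
    if (!floor) {
      findings.push({ ...entry, reason: `no reviewed floor for ${entry.name}@${major}.x` });
    } else if (compareVersions(entry.version, floor) < 0) {
      findings.push({ ...entry, reason: `${entry.name}@${entry.version} is below ${floor}` });
    }
  }
  return findings;
}

// Constructed sample (not the repository's real lockfile). It shows what an
// exact-version resolution key leaves open: "send@npm:0.19.0" was rewritten to
// 0.19.2, but a second descriptor asking for "~0.19.1" resolved on its own.
const SAMPLE_LOCK = `__metadata:
  version: 8

"express@npm:^4.16.4, express@npm:^4.18.2":
  version: 4.22.2
  resolution: "express@npm:4.22.2"

"send@npm:0.19.0":
  version: 0.19.2
  resolution: "send@npm:0.19.2"

"send@npm:~0.19.1":
  version: 0.19.1
  resolution: "send@npm:0.19.1"

"ws@npm:^7.5.10":
  version: 7.5.11
  resolution: "ws@npm:7.5.11"

"ws@npm:^8.17.1":
  version: 8.20.1
  resolution: "ws@npm:8.20.1"
`;

// One human-readable line per finding; pass the real lockfile's text instead of SAMPLE_LOCK.
function report(lockText) {
  return findUnpatched(lockText).map((f) => `${f.reason} (requested as ${f.descriptors.join(', ')})`);
}
```

Run against the real file with `report(require('node:fs').readFileSync('yarn.lock', 'utf8'))` after `yarn install --mode=update-lockfile`; an empty array means every listed package resolved at or above its floor. On the constructed sample it flags `send@0.19.1` and `ws@8.20.1`, which is the point of keying the check on the resolved version in the lockfile rather than on the resolution entries in package.json: an override keyed on one exact descriptor does not touch other descriptors for the same package.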
@magnusrand magnusrand marked this pull request as ready for review June 22, 2026 20:21
@magnusrand magnusrand requested a review from a team as a code owner June 22, 2026 20:21
Copilot AI review requested due to automatic review settings June 22, 2026 20:21

Copilot AI left a comment


Pull request overview

Updates root-level Yarn resolutions and regenerates the lockfile to patch known CVEs in transitive dependencies (not consumer-facing runtime/API changes to the design system packages).

Changes:

  • Bumps/forces patched transitive versions for undici, ws, and express via root resolutions.
  • Updates related transitive packages (send, serve-static, etc.) as reflected in yarn.lock.
  • Regenerates yarn.lock to lock the updated dependency graph.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| package.json | Updates root resolutions to steer transitive dependencies to patched versions. |
| yarn.lock | Regenerated lockfile reflecting updated/patch-resolved versions (e.g., undici, ws, express, send, serve-static). |


Comment thread package.json
Comment on lines +230 to +231
"send@npm:0.19.0": "0.19.2",
"serve-static@npm:1.16.2": "1.16.3",
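Review bot: both keys here are exact-version descriptors (`send@npm:0.19.0`, `serve-static@npm:1.16.2`), so these resolutions only rewrite dependents that request exactly those versions; any dependent that asks for a range, such as the `~0.19.1` send and `~1.16.2` serve-static that the description says express 4.22.2 pulls in, resolves on its own and is not covered by these two lines. Either key the overrides on the package name or the ranges actually requested (e.g. `"send@npm:~0.19.1": "0.19.2"`), or confirm in the regenerated yarn.lock that a single entry remains for each of send and serve-static. Exact-descriptor keys also go stale silently once a dependent bumps its own range, so this is worth a comment in package.json.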
@github-actions


Preview for this PR in prd (updated for commit 4597d8f):

https://entur-design-system--preview-426-copilot-fix-security-zzesudus.web.app
(Expires Mon, 29 Jun 2026 20:35:40 GMT)

@magnusrand magnusrand merged commit aa9f8cd into main Jun 23, 2026
14 checks passed
@magnusrand magnusrand deleted the copilot/fix-security-issues branch June 23, 2026 05:55