The Web Unit Tests CI job runs npm audit --audit-level=moderate as a gate, and it now fails on 7 accumulated advisories in apps/web dependencies (all fix available via npm audit fix). This blocks any PR that touches apps/web (surfaced on the edit-draft PR #110, which only changed one line of TS). Not caused by that change — pre-existing, newly-crossed-the-threshold advisories.
Advisories
- DOMPurify (moderate, runtime) — multiple
IN_PLACE/hook/Trusted-Types XSS bypasses (GHSA-x4vx-rjvf-j5p4, -76mc-f452-cxcm, -hpcv-96wg-7vj8, -r47g-fvhr-h676, -vxr8-fq34-vvx9, -gvmj-g25r-r7wr, -rp9w-3fw7-7cwq, -cmwh-pvxp-8882). Most relevant since it's runtime sanitization.
- vite (high) —
server.fs.deny bypass on Windows (GHSA-fx2h-pf6j-xcff) — dev server only.
- ws (high) — memory-exhaustion DoS (GHSA-96hv-2xvq-fx4p).
- @babel/core (moderate) — arbitrary file read via sourceMappingURL (GHSA-4x5r-pxfx-6jf8) — build only.
- esbuild (moderate) — dev-server arbitrary file read on Windows (GHSA-g7r4-m6w7-qqqr) — dev only.
- js-yaml (high, transitive) — quadratic DoS in merge keys (GHSA-h67p-54hq-rp68).
- launch-editor (low) — NTLMv2 hash disclosure on Windows (GHSA-v6wh-96g9-6wx3) — dev only.
Total: 2 low, 3 moderate, 2 high.
Recommended fix (own PR — verify web build + unit tests + e2e after)
Run npm audit fix in apps/web (non---force first for semver-compatible updates; assess --force only for the residual vite/esbuild majors), regenerate package-lock.json, and confirm npm run build/unit/e2e pass. DOMPurify should be prioritized (runtime XSS). Kept out of the edit-draft PR to avoid coupling a dep bump to a feature merge; that PR was admin-merged past this pre-existing gate.
The Web Unit Tests CI job runs
npm audit --audit-level=moderateas a gate, and it now fails on 7 accumulated advisories inapps/webdependencies (allfix available via npm audit fix). This blocks any PR that touchesapps/web(surfaced on the edit-draft PR #110, which only changed one line of TS). Not caused by that change — pre-existing, newly-crossed-the-threshold advisories.Advisories
IN_PLACE/hook/Trusted-Types XSS bypasses (GHSA-x4vx-rjvf-j5p4, -76mc-f452-cxcm, -hpcv-96wg-7vj8, -r47g-fvhr-h676, -vxr8-fq34-vvx9, -gvmj-g25r-r7wr, -rp9w-3fw7-7cwq, -cmwh-pvxp-8882). Most relevant since it's runtime sanitization.server.fs.denybypass on Windows (GHSA-fx2h-pf6j-xcff) — dev server only.Total: 2 low, 3 moderate, 2 high.
Recommended fix (own PR — verify web build + unit tests + e2e after)
Run
npm audit fixinapps/web(non---forcefirst for semver-compatible updates; assess--forceonly for the residual vite/esbuild majors), regeneratepackage-lock.json, and confirmnpm run build/unit/e2e pass. DOMPurify should be prioritized (runtime XSS). Kept out of the edit-draft PR to avoid coupling a dep bump to a feature merge; that PR was admin-merged past this pre-existing gate.