Skip to content

Web app: 7 npm audit advisories block the Web Unit Tests CI gate (audit-level=moderate) #119

Description

@bhekanik

The Web Unit Tests CI job runs npm audit --audit-level=moderate as a gate, and it now fails on 7 accumulated advisories in apps/web dependencies (all fix available via npm audit fix). This blocks any PR that touches apps/web (surfaced on the edit-draft PR #110, which only changed one line of TS). Not caused by that change — pre-existing, newly-crossed-the-threshold advisories.

Advisories

  • DOMPurify (moderate, runtime) — multiple IN_PLACE/hook/Trusted-Types XSS bypasses (GHSA-x4vx-rjvf-j5p4, -76mc-f452-cxcm, -hpcv-96wg-7vj8, -r47g-fvhr-h676, -vxr8-fq34-vvx9, -gvmj-g25r-r7wr, -rp9w-3fw7-7cwq, -cmwh-pvxp-8882). Most relevant since it's runtime sanitization.
  • vite (high) — server.fs.deny bypass on Windows (GHSA-fx2h-pf6j-xcff) — dev server only.
  • ws (high) — memory-exhaustion DoS (GHSA-96hv-2xvq-fx4p).
  • @babel/core (moderate) — arbitrary file read via sourceMappingURL (GHSA-4x5r-pxfx-6jf8) — build only.
  • esbuild (moderate) — dev-server arbitrary file read on Windows (GHSA-g7r4-m6w7-qqqr) — dev only.
  • js-yaml (high, transitive) — quadratic DoS in merge keys (GHSA-h67p-54hq-rp68).
  • launch-editor (low) — NTLMv2 hash disclosure on Windows (GHSA-v6wh-96g9-6wx3) — dev only.

Total: 2 low, 3 moderate, 2 high.

Recommended fix (own PR — verify web build + unit tests + e2e after)

Run npm audit fix in apps/web (non---force first for semver-compatible updates; assess --force only for the residual vite/esbuild majors), regenerate package-lock.json, and confirm npm run build/unit/e2e pass. DOMPurify should be prioritized (runtime XSS). Kept out of the edit-draft PR to avoid coupling a dep bump to a feature merge; that PR was admin-merged past this pre-existing gate.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions