
fix(security): patch critical vulns#269

Open
anupsv wants to merge 1 commit into main from fix/security-patch-critical-vulns

Conversation

@anupsv
Contributor

@anupsv anupsv commented Apr 4, 2026

Summary

  • Added npm overrides field to match existing yarn resolutions — the package-lock.json was stale with vulnerable versions while yarn.lock already had safe ones
  • Updated fast-xml-parser resolution from 5.5.9 to 5.5.10 in both resolutions and overrides
  • Regenerated package-lock.json so npm audit no longer reports false positives

Vulnerabilities Fixed (3 Critical)

| Package | Old Version | Safe Version | CVEs |
| --- | --- | --- | --- |
| fast-xml-parser | 5.2.5 (in lock) | 5.5.10 | GHSA-37qj-frw5-hhjh, GHSA-m7jm-9gc2-mpf2, GHSA-jmr7-xgp7-cmfj, GHSA-fj3w-jwp8-x2g3, GHSA-8gc5-j5rx-235r, GHSA-jp2q-39xq-3w4g |
| form-data | 4.0.3 (in lock) | 4.0.5 | GHSA-fjxv-7rqg-78g4 |
| handlebars | 4.7.8 (in lock) | 4.7.9 | GHSA-3mfm-83xf-c92r, GHSA-2w6w-674q-4c4q, GHSA-2qvq-rjwj-gvw9, GHSA-7rx3-28cr-v5wh, GHSA-442j-39wm-28r2, GHSA-xjpj-3mr7-gcpf, GHSA-xhpv-hc6g-r9c6, GHSA-9cx6-37pm-9jff |

Root Cause

The resolutions field (yarn-only) was already added in a prior commit, so yarn.lock correctly pinned safe versions. However, the npm overrides equivalent was missing, leaving package-lock.json with the older vulnerable versions. This caused npm audit to report 3 criticals that were already mitigated in yarn.

Test plan

  • npm audit --audit-level=critical reports 0 critical vulnerabilities
  • yarn audit --level critical reports 0 critical vulnerabilities
  • yarn install --frozen-lockfile succeeds

🤖 Generated with Claude Code

- Add npm overrides for form-data (4.0.5), fast-xml-parser (5.5.10), handlebars (4.7.9)
- Regenerate package-lock.json to reflect safe versions (was stale with vulnerable versions)
- Update yarn resolutions from 5.5.9 to 5.5.10 for fast-xml-parser
- Resolves 3 critical CVEs: GHSA-fjxv-7rqg-78g4, GHSA-37qj-frw5-hhjh, GHSA-3mfm-83xf-c92r and related advisories

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
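The lockfile drift described in the root cause above, as an added example that is not part of this PR or the repository's code: a Node script that reads package.json, a package-lock.json (lockfileVersion 2/3) and a v1 yarn.lock, and reports every package whose yarn `resolutions` and npm `overrides` disagree or are missing on one side, and every lockfile entry (including nested copies) that still resolves a version other than the pin. The three inputs are constructed inline to mirror the state the PR describes (resolutions present, the handlebars override missing, package-lock.json stale while yarn.lock already has the safe versions); the package names and versions come from the PR's table, while the package.json shape, the function names and the assumption of exact-version pins are mine.

```javascript
// Added example (not the repository's code): detect drift between package.json
// pins, package-lock.json and yarn.lock. Assumes exact-version pins in both
// "resolutions" and "overrides" (as in this PR); range or nested overrides are
// not interpreted.

// Constructed sample inputs mirroring the PR's root cause: yarn resolutions exist
// for all three packages, the npm override for handlebars is missing, and
// package-lock.json is stale while yarn.lock already has the safe versions.
const PACKAGE_JSON = {
  name: "example-docs",
  resolutions: { "fast-xml-parser": "5.5.10", "form-data": "4.0.5", handlebars: "4.7.9" },
  overrides: { "fast-xml-parser": "5.5.10", "form-data": "4.0.5" },
};

const PACKAGE_LOCK = {
  name: "example-docs",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-docs" },
    "node_modules/fast-xml-parser": { version: "5.2.5" },
    "node_modules/form-data": { version: "4.0.5" },
    "node_modules/handlebars": { version: "4.7.8" },
    // a nested copy that checking only the top-level entry would miss
    "node_modules/some-dep/node_modules/form-data": { version: "4.0.3" },
  },
};

const YARN_LOCK = `# yarn lockfile v1

fast-xml-parser@5.5.10, fast-xml-parser@^5.0.0:
  version "5.5.10"

form-data@4.0.5, form-data@^4.0.0:
  version "4.0.5"

handlebars@4.7.9, handlebars@^4.7.0:
  version "4.7.9"
`;

function add(map, name, version) {
  if (!map.has(name)) map.set(name, new Set());
  map.get(name).add(version);
}

// yarn.lock v1: an unindented line ending in ":" lists one or more "name@range"
// keys; the indented `version "x.y.z"` line below it is the resolved version
// for all of them.
function parseYarnLock(text) {
  const versions = new Map(); // name -> Set of resolved versions
  let current = [];
  for (const line of text.split(/\r?\n/)) {
    if (!line || line.startsWith("#")) continue;
    if (!/^\s/.test(line) && line.endsWith(":")) {
      current = line.slice(0, -1).split(",").map((key) => {
        const k = key.trim().replace(/^"|"$/g, "");
        const at = k.lastIndexOf("@"); // scoped names start with "@", so split on the last one
        return at > 0 ? k.slice(0, at) : k;
      });
      continue;
    }
    const m = /^\s+version\s+"([^"]+)"/.exec(line);
    if (m) for (const name of current) add(versions, name, m[1]);
  }
  return versions;
}

// package-lock.json v2/v3: "packages" keys are install paths; the package name
// is whatever follows the last "node_modules/", which also catches nested copies.
function parsePackageLock(lock) {
  const versions = new Map();
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf("node_modules/");
    if (i < 0 || !entry.version) continue; // root entry and workspace links
    add(versions, path.slice(i + "node_modules/".length), entry.version);
  }
  return versions;
}

// One finding per problem: a pin present in only one field, pins that disagree,
// or a lockfile that still resolves something other than the pin.
function findDrift(pkg, lock, yarnText) {
  const resolutions = pkg.resolutions || {};
  const overrides = pkg.overrides || {};
  const locks = [["package-lock.json", parsePackageLock(lock)], ["yarn.lock", parseYarnLock(yarnText)]];
  const findings = [];
  for (const name of new Set([...Object.keys(resolutions), ...Object.keys(overrides)])) {
    const want = resolutions[name] ?? overrides[name];
    if (!(name in overrides)) findings.push({ name, kind: "missing-override", want });
    if (!(name in resolutions)) findings.push({ name, kind: "missing-resolution", want });
    if (name in overrides && name in resolutions && overrides[name] !== resolutions[name])
      findings.push({ name, kind: "pin-mismatch", resolutions: resolutions[name], overrides: overrides[name] });
    for (const [file, versions] of locks)
      for (const have of versions.get(name) || [])
        if (have !== want) findings.push({ name, kind: "stale-lock", file, have, want });
  }
  return findings;
}

for (const f of findDrift(PACKAGE_JSON, PACKAGE_LOCK, YARN_LOCK)) console.log(JSON.stringify(f));
```

On the constructed inputs this reports four findings: the stale fast-xml-parser and handlebars entries in package-lock.json, the nested form-data 4.0.3 copy, and the missing handlebars override. To use it against a real checkout, replace the three constants with `JSON.parse(fs.readFileSync(...))` for the two JSON files and `fs.readFileSync(..., "utf8")` for yarn.lock, and fail the CI job when `findDrift` returns a non-empty array; that catches the "fixed in one lockfile only" state before `npm audit` has to.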
@vercel

vercel bot commented Apr 4, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| eigencloud-docs | Ready | Preview | Apr 4, 2026 11:29pm |
