npm audit
Pushed another commit to also update lodash
Fix 4 vulnerabilities (1 moderate, 3 high) by running `npm audit fix --omit=dev`:

## brace-expansion <1.1.13

Severity: moderate
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - GHSA-f886-m6hf-6m8v
fix available via `npm audit fix`
node_modules/brace-expansion

Transitive dependency of glob and nodemon:

```
$ npm ls brace-expansion
govuk-prototype-kit@13.19.1 /Users/oliver.byford/Code/govuk-prototype-kit
├─┬ glob@10.5.0
│ └─┬ minimatch@9.0.9
│   └── brace-expansion@2.0.2
└─┬ nodemon@3.0.3
  └─┬ minimatch@3.1.5
    └── brace-expansion@1.1.12
```

Fix by updating to 1.1.13 and 2.0.3.

Changes:
- https://npmdiff.dev/brace-expansion/1.1.12/1.1.13/
- https://npmdiff.dev/brace-expansion/2.0.2/2.0.3/

## path-to-regexp <0.1.13

Severity: high
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters - GHSA-37ch-88jc-xwx2
fix available via `npm audit fix`
node_modules/path-to-regexp

Transitive dependency of express:

```
$ npm ls path-to-regexp
govuk-prototype-kit@13.19.1 /Users/oliver.byford/Code/govuk-prototype-kit
└─┬ express@4.22.1
  └── path-to-regexp@0.1.12
```

Fix by updating to 0.1.13.

Changes: https://npmdiff.dev/path-to-regexp/0.1.12/0.1.13/

## picomatch <=2.3.1

Severity: high
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - GHSA-3v7f-55p6-f55p
Picomatch has a ReDoS vulnerability via extglob quantifiers - GHSA-c2c7-rcm5-vvqj
fix available via `npm audit fix`
node_modules/picomatch

Transitive dependency of browser-sync, chokidar and jest-environment-jsdom:

```
$ npm ls picomatch
govuk-prototype-kit@13.19.1 /Users/oliver.byford/Code/govuk-prototype-kit
├─┬ browser-sync@3.0.4
│ └─┬ micromatch@4.0.8
│   └── picomatch@2.3.1
├─┬ chokidar@3.6.0
│ ├─┬ anymatch@3.1.2
│ │ └── picomatch@2.3.1 deduped
│ └─┬ readdirp@3.6.0
│   └── picomatch@2.3.1 deduped
└─┬ jest-environment-jsdom@29.7.0
  └─┬ jest-util@29.7.0
    └── picomatch@2.3.1 deduped
```

Fix by updating to 2.3.2.

Changes: https://npmdiff.dev/picomatch/2.3.1/2.3.2/

## socket.io-parser 4.0.0 - 4.2.5

Severity: high
socket.io allows an unbounded number of binary attachments - GHSA-677m-j7p3-52f9
fix available via `npm audit fix`
node_modules/socket.io-parser

Transitive dependency of browser-sync:

```
$ npm ls socket.io-parser
govuk-prototype-kit@13.19.1 /Users/oliver.byford/Code/govuk-prototype-kit
└─┬ browser-sync@3.0.4
  ├─┬ browser-sync-ui@3.0.4
  │ └─┬ socket.io-client@4.8.1
  │   └── socket.io-parser@4.2.4 deduped
  └─┬ socket.io@4.8.1
    └── socket.io-parser@4.2.4
```

Fix by updating to 4.2.6.

Changes: https://npmdiff.dev/socket.io-parser/4.2.4/4.2.6/
Fix 2 vulnerabilities (1 moderate, 1 high) in our dev dependencies by running `npm audit fix`:

## brace-expansion 2.0.0 - 2.0.2

Severity: moderate
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - GHSA-f886-m6hf-6m8v
fix available via `npm audit fix`
node_modules/glob/node_modules/brace-expansion

```
$ npm ls brace-expansion
govuk-prototype-kit@13.19.1 /Users/oliver.byford/Code/govuk-prototype-kit
├─┬ glob@10.5.0
│ └─┬ minimatch@9.0.9
│   └── brace-expansion@2.0.2
└─┬ nodemon@3.0.3
  └─┬ minimatch@3.1.5
    └── brace-expansion@1.1.13
```

Fix by updating to 1.1.13 and 2.0.3.

Changes:
- https://npmdiff.dev/brace-expansion/1.1.12/1.1.13/
- https://npmdiff.dev/brace-expansion/2.0.2/2.0.3/

Changes already reviewed because the same bumps were made in the previous commit.

## flatted <=3.4.1

Severity: high
flatted vulnerable to unbounded recursion DoS in parse() revive phase - GHSA-25h7-pfq9-p65f
Prototype Pollution via parse() in NodeJS flatted - GHSA-rf6f-7fwh-wjgh
fix available via `npm audit fix`
node_modules/flatted

```
$ npm ls flatted
govuk-prototype-kit@13.19.1 /Users/oliver.byford/Code/govuk-prototype-kit
└─┬ eslint-plugin-cypress@2.15.1
  └─┬ eslint@8.52.0
    └─┬ file-entry-cache@6.0.1
      └─┬ flat-cache@3.0.4
        └── flatted@3.2.7
```

Fix by updating to 3.4.2.

Changes: https://npmdiff.dev/flatted/3.2.7/3.4.2/

This leaves 4 low severity vulnerabilities in @tootallnate/once which is blocked on updating to Jest v30 (#2515).
Fix 1 high severity vulnerability by running `npm audit fix --omit=dev`:

## lodash <=4.17.23

Severity: high
lodash vulnerable to Code Injection via `_.template` imports key names - GHSA-r5fr-rjxr-66jc
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - GHSA-f23m-r3pf-42rh
fix available via `npm audit fix`
node_modules/lodash

lodash is a direct dependency, and a transitive dependency of browser-sync and portscanner as well as cypress and wait-on (dev dependencies):

```
% npm ls lodash
govuk-prototype-kit@13.19.1 /Users/oliver.byford/Code/govuk-prototype-kit
├─┬ browser-sync@3.0.4
│ └─┬ easy-extender@2.3.4
│   └── lodash@4.17.23 deduped
├─┬ cypress@13.6.5
│ └── lodash@4.17.23 deduped
├── lodash@4.17.23
├─┬ portscanner@2.2.0
│ └─┬ async@2.6.4
│   └── lodash@4.17.23 deduped
└─┬ wait-on@7.2.0
  └── lodash@4.17.23 deduped
```

Fix by updating to 4.18.1.

Changes: https://npmdiff.dev/lodash/4.17.23/4.18.1/
bdaa244 to 25c5ad2
owenatgov approved these changes Apr 8, 2026
Cracking. I've tried re-running the plugins e2e test, but it's also not required, so if it fails again just because it's timing out this can probably just get merged.
Non-developer dependencies:

Fix 5 vulnerabilities (1 moderate, 4 high) by running `npm audit fix --omit=dev`:

## brace-expansion <1.1.13

Severity: moderate
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - GHSA-f886-m6hf-6m8v
fix available via `npm audit fix`
node_modules/brace-expansion

Transitive dependency of glob and nodemon:

Fix by updating to 1.1.13 and 2.0.3.

Changes:

## path-to-regexp <0.1.13

Severity: high
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters - GHSA-37ch-88jc-xwx2
fix available via `npm audit fix`
node_modules/path-to-regexp

Transitive dependency of express:

Fix by updating to 0.1.13.

Changes: https://npmdiff.dev/path-to-regexp/0.1.12/0.1.13/

## picomatch <=2.3.1

Severity: high
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - GHSA-3v7f-55p6-f55p
Picomatch has a ReDoS vulnerability via extglob quantifiers - GHSA-c2c7-rcm5-vvqj
fix available via `npm audit fix`
node_modules/picomatch

Transitive dependency of browser-sync, chokidar and jest-environment-jsdom:

Fix by updating to 2.3.2.

Changes: https://npmdiff.dev/picomatch/2.3.1/2.3.2/

## socket.io-parser 4.0.0 - 4.2.5

Severity: high
socket.io allows an unbounded number of binary attachments - GHSA-677m-j7p3-52f9
fix available via `npm audit fix`
node_modules/socket.io-parser

Transitive dependency of browser-sync:

Fix by updating to 4.2.6.

## lodash <=4.17.23

Severity: high
lodash vulnerable to Code Injection via `_.template` imports key names - GHSA-r5fr-rjxr-66jc
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - GHSA-f23m-r3pf-42rh
fix available via `npm audit fix`
node_modules/lodash

Direct dependency, and a transitive dependency of browser-sync and portscanner as well as cypress and wait-on (dev dependencies):

Fix by updating to 4.18.1.

Changes: https://npmdiff.dev/lodash/4.17.23/4.18.1/

Dev-only dependencies

Fix 2 vulnerabilities (1 moderate, 1 high) in our dev dependencies by running `npm audit fix`:

## brace-expansion 2.0.0 - 2.0.2

Severity: moderate
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - GHSA-f886-m6hf-6m8v
fix available via `npm audit fix`
node_modules/glob/node_modules/brace-expansion

Fix by updating to 1.1.13 and 2.0.3.

Changes:

Changes already reviewed because the same bumps were made in the previous commit.

## flatted <=3.4.1

Severity: high
flatted vulnerable to unbounded recursion DoS in parse() revive phase - GHSA-25h7-pfq9-p65f
Prototype Pollution via parse() in NodeJS flatted - GHSA-rf6f-7fwh-wjgh
fix available via `npm audit fix`
node_modules/flatted

Fix by updating to 3.4.2.

Changes: https://npmdiff.dev/flatted/3.2.7/3.4.2/

This leaves 4 low severity vulnerabilities in @tootallnate/once which is blocked on updating to Jest v30 (#2515).
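A reviewer of a PR like this usually wants one independent check that every range `npm audit` reported is actually cleared in the lockfile, including nested copies such as `node_modules/glob/node_modules/brace-expansion`, and that the split between `--omit=dev` and full `npm audit fix` matches which packages are dev-only. The script below is an added example, not code from this PR or from the govuk-prototype-kit project: it walks the `packages` map of a lockfile v2/v3 `package-lock.json` and flags any installed copy that falls inside the vulnerable ranges and advisory ids listed above. The two lockfile fragments are constructed for the example, and the version comparison is a deliberately minimal major.minor.patch compare (prerelease tags ignored), which is enough for the ranges in this PR.

```javascript
// Added example (not part of the PR or the govuk-prototype-kit project): check a
// package-lock.json "packages" map against the advisory ranges listed in this PR,
// so a reviewer can confirm every vulnerable range is cleared after `npm audit fix`.
// The sample lockfiles at the bottom are constructed for the example.

// Minimal numeric semver comparison on major.minor.patch (prerelease tags are
// ignored; an assumption that is fine for the ranges reported in this PR).
function cmp(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}
const lt = (a, b) => cmp(a, b) < 0;
const lte = (a, b) => cmp(a, b) <= 0;
const gte = (a, b) => cmp(a, b) >= 0;

// Vulnerable ranges and advisory ids exactly as npm audit reported them in this PR.
const ADVISORIES = [
  { name: 'brace-expansion', severity: 'moderate', ids: ['GHSA-f886-m6hf-6m8v'],
    vulnerable: (v) => lt(v, '1.1.13') || (gte(v, '2.0.0') && lte(v, '2.0.2')) },
  { name: 'path-to-regexp', severity: 'high', ids: ['GHSA-37ch-88jc-xwx2'],
    vulnerable: (v) => lt(v, '0.1.13') },
  { name: 'picomatch', severity: 'high', ids: ['GHSA-3v7f-55p6-f55p', 'GHSA-c2c7-rcm5-vvqj'],
    vulnerable: (v) => lte(v, '2.3.1') },
  { name: 'socket.io-parser', severity: 'high', ids: ['GHSA-677m-j7p3-52f9'],
    vulnerable: (v) => gte(v, '4.0.0') && lte(v, '4.2.5') },
  { name: 'lodash', severity: 'high', ids: ['GHSA-r5fr-rjxr-66jc', 'GHSA-f23m-r3pf-42rh'],
    vulnerable: (v) => lte(v, '4.17.23') },
  { name: 'flatted', severity: 'high', ids: ['GHSA-25h7-pfq9-p65f', 'GHSA-rf6f-7fwh-wjgh'],
    vulnerable: (v) => lte(v, '3.4.1') },
];

// "node_modules/glob/node_modules/brace-expansion" -> "brace-expansion";
// scoped names such as "node_modules/@scope/pkg" keep their scope.
function packageName(lockPath) {
  const marker = 'node_modules/';
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? null : lockPath.slice(i + marker.length);
}

// Walk every installed copy (nested copies included) and report those inside a
// vulnerable range. omitDev mirrors `npm audit fix --omit=dev`: packages that are
// dev-only carry `dev: true` in lockfile v2/v3 and are skipped.
function findVulnerable(lock, { omitDev = false } = {}) {
  const hits = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    const name = packageName(lockPath);
    if (!name || !meta.version) continue;
    if (omitDev && meta.dev) continue;
    for (const adv of ADVISORIES) {
      if (adv.name === name && adv.vulnerable(meta.version)) {
        hits.push({ path: lockPath, version: meta.version, severity: adv.severity,
                    ids: adv.ids, dev: Boolean(meta.dev) });
      }
    }
  }
  return hits;
}

// Constructed lockfile fragments: the installed versions before the bumps and after.
const LOCK_BEFORE = { lockfileVersion: 3, packages: {
  'node_modules/express': { version: '4.22.1' },
  'node_modules/brace-expansion': { version: '1.1.12' },
  'node_modules/glob/node_modules/brace-expansion': { version: '2.0.2', dev: true },
  'node_modules/path-to-regexp': { version: '0.1.12' },
  'node_modules/picomatch': { version: '2.3.1' },
  'node_modules/socket.io-parser': { version: '4.2.4' },
  'node_modules/lodash': { version: '4.17.23' },
  'node_modules/flatted': { version: '3.2.7', dev: true },
} };
const LOCK_AFTER = { lockfileVersion: 3, packages: {
  'node_modules/express': { version: '4.22.1' },
  'node_modules/brace-expansion': { version: '1.1.13' },
  'node_modules/glob/node_modules/brace-expansion': { version: '2.0.3', dev: true },
  'node_modules/path-to-regexp': { version: '0.1.13' },
  'node_modules/picomatch': { version: '2.3.2' },
  'node_modules/socket.io-parser': { version: '4.2.6' },
  'node_modules/lodash': { version: '4.18.1' },
  'node_modules/flatted': { version: '3.4.2', dev: true },
} };

// Usage: node check-audit.js [path/to/package-lock.json]; defaults to the constructed sample.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8')) : LOCK_BEFORE;
  for (const h of findVulnerable(lock)) {
    console.log(`${h.severity.padEnd(8)} ${h.path}@${h.version}${h.dev ? ' (dev)' : ''}  ${h.ids.join(', ')}`);
  }
}
```

Run against the real lockfile on the branch, the report should be empty; run with `omitDev: true` against the pre-bump lockfile it lists only the five production hits that `npm audit fix --omit=dev` was expected to clear, leaving the nested brace-expansion 2.0.2 and flatted for the dev-only follow-up commit.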