Skip to content

fix(security): resolve all pnpm audit vulnerabilities#66

Merged
davidamunga merged 2 commits into
mainfrom
fix/security-audit
Jul 14, 2026
Merged

fix(security): resolve all pnpm audit vulnerabilities#66
davidamunga merged 2 commits into
mainfrom
fix/security-audit

Conversation

@davidamunga

@davidamunga davidamunga commented Jul 14, 2026

Copy link
Copy Markdown
Owner

Summary

  • Upgrades vite from ^7.0.4^7.3.6, patching 4 dev-server CVEs (server.fs.deny bypass ×2, arbitrary file read via WebSocket, NTLMv2 hash disclosure) and 1 path traversal in optimised deps
  • Adds pnpm.overrides to pin patched transitive deps that can't be fixed by upgrading direct dependencies:
Package Path Fix
rollup vite>rollup >=4.59.0 (arbitrary file write via path traversal)
postcss vite>postcss >=8.5.10 (XSS via unescaped </style>)
picomatch vite>picomatch ^4.0.4 (ReDoS via extglob quantifiers)
picomatch micromatch>picomatch ^2.3.2 (ReDoS + POSIX class injection, changesets only)
tmp exceljs>tmp >=0.2.6 (path traversal via unsanitised prefix)
uuid exceljs>uuid >=11.1.1 (missing buffer bounds check)
minimatch glob>minimatch ^3.1.4 (ReDoS, exceljs archiver chain)
minimatch readdir-glob>minimatch ^5.1.8 (ReDoS, exceljs archiver chain)
brace-expansion@1 exceljs>archiver>… ^1.1.13 (zero-step sequence DoS)
brace-expansion@2 exceljs>archiver>… ^2.0.3 (zero-step sequence DoS)
js-yaml @changesets/parse>js-yaml ^3.15.0 (quadratic-complexity DoS)
js-yaml read-yaml-file>js-yaml ^4.2.0 (quadratic-complexity DoS)
@babel/core @vitejs/plugin-react>@babel/core ^7.29.6 (arbitrary file read via sourceMappingURL)

Result: pnpm auditNo known vulnerabilities found (was 24: 13 high, 10 moderate, 1 low)

Test plan

  • pnpm audit returns "No known vulnerabilities found"
  • pnpm build succeeds
  • Security audit CI job passes

- Upgrade vite ^7.0.4 → ^7.3.6 (fixes 4 vite dev-server CVEs + 5 advisories)
- Add pnpm.overrides to pin patched transitive deps:
    rollup >=4.59.0 (path traversal in vite>rollup)
    postcss >=8.5.10 (XSS in vite>postcss)
    vite>picomatch ^4.0.4 (ReDoS in vite>picomatch)
    micromatch>picomatch ^2.3.2 (ReDoS in changesets>picomatch)
    tmp >=0.2.6 (path traversal in exceljs>tmp)
    uuid >=11.1.1 (buffer bounds in exceljs>uuid)
    glob>minimatch ^3.1.4, readdir-glob>minimatch ^5.1.8 (ReDoS in exceljs>archiver)
    brace-expansion@1 ^1.1.13, brace-expansion@2 ^2.0.3 (DoS in exceljs>archiver)
    @changesets/parse>js-yaml ^3.15.0, read-yaml-file>js-yaml ^4.2.0 (DoS in changesets)
    @vitejs/plugin-react>@babel/core ^7.29.6 (arbitrary file read via sourceMappingURL)
Repository owner deleted a comment from cursor Bot Jul 14, 2026
@davidamunga davidamunga self-assigned this Jul 14, 2026
@davidamunga davidamunga changed the title fix: resolve all 24 pnpm audit vulnerabilities fix(security): resolve all pnpm audit vulnerabilities Jul 14, 2026
@cursor

cursor Bot commented Jul 14, 2026

Copy link
Copy Markdown

Bugbot is not enabled for your account, so this pull request was not reviewed.

Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs.

@davidamunga
davidamunga merged commit 6db1781 into main Jul 14, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant