fix: Resolve the remaining Dependabot security alerts #1009
Merged
Replace gray-matter with a js-yaml 4 frontmatter parser so the repository can use patched js-yaml without breaking MDX search indexing, and pin the remaining vulnerable transitive packages reported by Dependabot.

Constraint: GitHub Dependabot still reports open alerts for @babel/core, dompurify, js-yaml, and website-analysis ws/js-yaml after PR #1007.
Rejected: Forcing js-yaml 4 under gray-matter | gray-matter calls removed yaml.safeLoad and fails existing tests.
Confidence: high
Scope-risk: moderate
Directive: Keep frontmatter parsing intentionally narrow unless MDX metadata requirements expand.
Tested: npm install --package-lock-only --ignore-scripts in root and scripts/website-analysis; npm ci --ignore-scripts in root; npm audit --audit-level=low in root and scripts/website-analysis; frontmatter parse smoke; npm run test:run; npm run lint; git diff --check.
Not-tested: full production build; PR CI pending.
Co-Authored-By: Atlas <atlas@jk.agent>
Problem

Even after PR #1007 was merged, 11 alerts remain on the GitHub Dependabot security alert page.

Affected alerts:

- @babel/core: CVE-2026-49356, patched in 7.29.6 or later
- dompurify: patched in 3.4.9 or later
- js-yaml: CVE-2026-53550, patched in 4.2.0 or later
- ws: CVE-2026-48779, patched in 8.21.0 or later

Implementation

- Pinned @babel/core, dompurify, js-yaml and ws to the patched version or later.
- Added the patched versions of js-yaml and ws to the scripts/website-analysis override.
- gray-matter is not compatible with js-yaml@4, so it was removed and replaced with a repo-local frontmatter parser based on js-yaml@4.2.0.
- Changed normalizeMdxForLLM and the documentation search index parser to use the new frontmatter parser.

Verification

- npm install --package-lock-only --ignore-scripts (root)
- npm install --package-lock-only --ignore-scripts (scripts/website-analysis)
- npm ci --ignore-scripts (root)
- npm audit --audit-level=low (root): 0 vulnerabilities
- npm audit --audit-level=low (scripts/website-analysis): 0 vulnerabilities
- npm run test:run: 9 files / 91 tests passed
- npm run lint
- git diff --check

Notes

Simply forcing only the js-yaml under gray-matter to 4.2.0 made gray-matter call the removed yaml.safeLoad API, and the existing tests failed. So the gray-matter dependency was removed and only the frontmatter parsing that is actually needed was kept in the repository.