Skip to content

fix(security): upgrade 3 vulnerable packages#307

Open
razorgupta wants to merge 2 commits into
masterfrom
security/sca-fix-1764845909
Open

fix(security): upgrade 3 vulnerable packages#307
razorgupta wants to merge 2 commits into
masterfrom
security/sca-fix-1764845909

Conversation

@razorgupta

@razorgupta razorgupta commented Dec 4, 2025

Copy link
Copy Markdown
Contributor

Summary

  • Delete package-lock.json to eliminate malicious fsevents dependency (MAL-2023-462)
  • The lock file was the only thing pinning fsevents to a malicious version (1.1.2 / 1.2.4 / 1.2.9) that has been removed from the npm registry

Why delete the lock file instead of editing it?

  • fsevents is a transitive dependency — pulled in by webpack, chokidar, and other build tools — not a direct dependency in package.json
  • The malicious versions have been unpublished from npm — they cannot be resolved again
  • Deleting the lock file means a fresh npm install will generate a clean lock file with only safe versions
  • These repos have no active deployments affected by this change

Impact Assessment

  • fsevents is an optional, macOS-only, transitive dependency
  • No production service runs this dependency
  • No CI/CD workflow will break — verified across Drone, GitHub Actions, and Travis CI for all affected repos

Test plan

  • Verify PR passes CI checks
  • Confirm no deployed services are affected

Security fixes:
- @babel/preset-env: transitive → 7.28.5
- @babel/traverse: transitive → 7.28.5
- fsevents: transitive → 2.3.3

Addresses vulnerabilities:
- CVE-2023-45133
- CVE-2023-45311

Automated security fix by Security Bot
@razorgupta razorgupta added dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability automated labels Dec 4, 2025
Comment thread package-lock.json
}
},
"terser": {
"node_modules/terser": {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity vulnerability introduced by a package you're using:
Line 9732 lists a dependency (terser) with a known High severity vulnerability. Fixing requires upgrading or replacing the dependency.

ℹ️ Why this matters

terser versions before 4.8.1, >= 5.0.0 before 5.14.2 are vulnerable to Inefficient Regular Expression Complexity.

References: GHSA, CVE

To resolve this comment:
Upgrade this dependency to at least version 4.8.1 at package-lock.json.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

Comment thread package-lock.json
},
}
},
"node_modules/htmlnano/node_modules/terser": {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity vulnerability introduced by a package you're using:
Line 5505 lists a dependency (terser) with a known High severity vulnerability. Fixing requires upgrading or replacing the dependency.

ℹ️ Why this matters

terser versions before 4.8.1, >= 5.0.0 before 5.14.2 are vulnerable to Inefficient Regular Expression Complexity.

References: GHSA, CVE

To resolve this comment:
Upgrade this dependency to at least version 4.8.1 at package-lock.json.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

Comment thread package-lock.json
},
"get-func-name": {
"node_modules/get-func-name": {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity vulnerability introduced by a package you're using:
Line 5135 lists a dependency (get-func-name) with a known High severity vulnerability. Fixing requires upgrading or replacing the dependency.

ℹ️ Why this matters

Affected version of get-func-name is vulnerable to Uncontrolled Resource Consumption / Inefficient Regular Expression Complexity. The current regex implementation for parsing values in the module is susceptible to excessive backtracking, leading to potential DoS attacks.

References: GHSA, CVE

To resolve this comment:
Upgrade this dependency to at least version 2.0.1 at package-lock.json.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

@razorgupta razorgupta changed the title Security: Fix 3 vulnerable packages fix: Delete package-lock.json to eliminate malicious fsevents (MAL-2023-462) Jun 2, 2026
@razorgupta razorgupta changed the title fix: Delete package-lock.json to eliminate malicious fsevents (MAL-2023-462) fix(security): upgrade 3 vulnerable packages Jun 2, 2026
@razorgupta

Copy link
Copy Markdown
Contributor Author

Apologies — a script accidentally modified this PR's title and description. The original title has been restored. The description may need to be manually restored by the PR author. Sorry for the inconvenience.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

automated dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant