fix: npm vuln resolutions + VEX exceptions #1803
Open
motsc wants to merge 7 commits into fix/npm-security-resolutions from
Patch-level resolutions within existing major versions, minimal breakage risk:
- lodash ^4.17.23: forces transitive consumers to patched version (prototype pollution via _.unset/_.omit)
- nanoid ^3.3.8: CVE-2024-55565 predictable ID generation (patch in 3.x)
- validator ^13.15.22: URL bypass + special element filtering (patch in 13.x)
- @babel/runtime ^7.26.10: ReDoS in named capturing groups (patch in 7.x)
- ajv ^6.14.0: ReDoS via $data option (patch in 6.x, subsumes Dependabot #1774)
- systeminformation ^5.31.0: raises existing CVE-2026-26318 command injection resolution from ^5.24.0 to latest patched release
Investigated with 'yarn why' before adding. All consumers confirmed to be dev/build-only tooling, not production runtime:
- webpack ^5.105.0: SSRF via buildHttp feature (GHSA-4vvj-4cpr-p986). 'yarn why webpack' shows only storybook consumers (@storybook/builder-webpack5, @storybook/preset-react-webpack). Minor bump within 5.x. buildHttp not enabled so also VEX-documented.
- semver ^7.7.3: CVE-2022-25883 ReDoS. semver@5.x consumers (nodemon, normalize-package-data) are dev/build deps. semver 7.x API is backward-compatible for all common operations.
- tmp ^0.2.4: CVE-2025-54798 insecure file write. Consumers are @nx/devkit (~0.2.1) and external-editor via @changesets/cli (^0.0.33). Dev-only release tooling, not present in production image.
Documents vulnerabilities that cannot be exploited in this deployment using OpenVEX v0.2.0 format, matching the existing openssl-mongodb.vex.json. Packages covered:
- elliptic (CVE-2025-14505): transitive build tooling only; ECDSA not used at runtime; no upstream patch available
- tar (GHSA-gcfc-fp5p-5248, GHSA-r7qp-cfhv-p84w, GHSA-3787-6prb-h5wc): build-only via cacache/node-gyp; not present in production Docker image
- minimatch (GHSA-952p-6rrq-rcjv, GHSA-f8q6-p94x-37v3, GHSA-hj48-42vr-x3v9, GHSA-c2qf-rxjj-qqgw): build/test glob patterns only; all inputs are developer-controlled, not user-supplied
- playwright (GHSA-pwxv-5w8g-86cp): test-only dep; not deployed
- storybook (GHSA-hpx4-r86g-5jrg): dev-only dep; not deployed
- webpack buildHttp (GHSA-4vvj-4cpr-p986): feature not enabled in config
- bn.js (CVE-2023-46234): internal to elliptic; all inputs are developer-controlled crypto parameters
The blanket ajv ^6.14.0 resolution forced stylelint's table dependency (which requires ajv@^8.0.1) to use ajv@6.x, causing 'Cannot find module ajv/dist/runtime/equal' at runtime. Yarn resolutions apply across all consumers regardless of requested major version, so cross-major forcing is unsafe for packages with split consumer bases. The ajv@6.x ReDoS advisory is addressed by the existing Dependabot PR #1774 (upgrade to ajv@8.x where applicable) rather than a blanket resolution.
…h-to-regexp
Findings from local Mend SCA scan (10 unique CVEs → 7 after this commit):
Resolutions added:
- cross-spawn ^7.0.6: CVE-2024-21538 ReDoS (GHSA-3xgq-45jj-v275). Only consumer of 5.x is spawndamnit via @changesets/cli (dev/release tooling). cross-spawn 7.x API is compatible with 5.x for all spawn() call patterns.
- @babel/helpers ^7.26.10: CVE-2025-27789 ReDoS (GHSA-968p-4wvh-cqc8). Companion to the existing @babel/runtime resolution; @babel/core@7.24.6 pulled in an older @babel/helpers that was missed in the initial pass.
- next-query-params 4.3.0: deprecation; 4.3.1 was accidentally published, correct version is 4.3.0. Resolution pins to the stable release.
- msw/path-to-regexp ^6.3.0: CVE-2024-45296 ReDoS (GHSA-9wv6-86v2-598j). Scoped resolution targets only msw's dependency subtree, leaving express@4.22.1's path-to-regexp@~0.1.12 untouched. msw@2.3.0 now uses path-to-regexp@6.3.0 (patched from 6.2.2).
VEX additions (.vex/npm-dev-and-unreachable.vex.json v2):
- CVE-2026-2739 (bn.js): same developer-controlled-input justification as the existing CVE-2023-46234 bn.js entry
- GHSA-3ppc-4f35-3m26 (minimatch CVE-2026-26996): extends existing minimatch VEX entries with the new ReDoS CVE alias
- GHSA-9wv6-86v2-598j (path-to-regexp): Express consumer is already patched (0.1.12 >= 0.1.10); msw consumer is test-only with developer-controlled route patterns
- GHSA-5j98-mcp5-4vw2 (glob CLI injection): glob CLI entry point never invoked; all installs are already at patched or non-vulnerable versions
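The cross-major hazard behind the ajv revert and the scoped msw/path-to-regexp resolution above, as an added example that is not part of this PR: a checker that, given package.json resolutions and the consumer ranges one would collect from `yarn why`, flags every consumer forced onto a different major than it requested. The consumer table is constructed for illustration (table and express ranges are from the PR text, nodemon and msw ranges are assumed), and the major-only comparison is a simplification of full semver range evaluation.

```javascript
// Added example (not the PR's code). Flags yarn "resolutions" entries that force a
// consumer onto a different major than the range it requested, which is how the
// blanket ajv ^6.14.0 resolution broke table@6 (needs ajv@^8.0.1).
// Simplification: a range is reduced to the major of its first x.y.z version.

function majorOf(range) {
  // "^6.14.0" -> 6, "~0.1.12" -> 0, ">=5.0.0 <6" -> 5; null if no x.y.z present
  const m = String(range).match(/(\d+)\.\d+\.\d+/);
  return m ? Number(m[1]) : null;
}

function parseResolution(key) {
  // "ajv" and "@babel/runtime" apply to every consumer;
  // "msw/path-to-regexp" applies only inside msw's dependency subtree.
  const parts = key.split('/');
  const take = parts[0].startsWith('@') ? 2 : 1; // "@scope/name" is one package name
  if (parts.length <= take) return { scope: null, pkg: key };
  return { scope: parts.slice(0, take).join('/'), pkg: parts.slice(take).join('/') };
}

function findCrossMajor(resolutions, consumers) {
  const findings = [];
  for (const [key, forced] of Object.entries(resolutions)) {
    const { scope, pkg } = parseResolution(key);
    const forcedMajor = majorOf(forced);
    for (const c of consumers) {
      if (c.dep !== pkg) continue;
      if (scope && c.consumer !== scope) continue; // scoped: other consumers untouched
      const wanted = majorOf(c.range);
      if (wanted !== null && forcedMajor !== null && wanted !== forcedMajor) {
        findings.push({ resolution: key, forced, consumer: c.consumer, range: c.range });
      }
    }
  }
  return findings; // each finding needs a decision: revert, scope, or accept after review
}

// Constructed sample: resolutions as in the PR; consumer ranges as `yarn why` would
// report them (table and express from the PR text, nodemon and msw illustrative).
const RESOLUTIONS = { ajv: '^6.14.0', semver: '^7.7.3', 'msw/path-to-regexp': '^6.3.0' };
const CONSUMERS = [
  { consumer: 'table', dep: 'ajv', range: '^8.0.1' },              // 8 -> 6: the breakage
  { consumer: 'nodemon', dep: 'semver', range: '^5.7.1' },         // 5 -> 7: flagged, accepted in PR
  { consumer: 'express', dep: 'path-to-regexp', range: '~0.1.12' }, // outside msw scope: untouched
  { consumer: 'msw', dep: 'path-to-regexp', range: '^6.2.2' },     // same major: fine
];

for (const f of findCrossMajor(RESOLUTIONS, CONSUMERS)) {
  console.log(`${f.resolution} ${f.forced} forces ${f.consumer} off ${f.range}`);
}
```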
Removed 10 wrong/fabricated entries from npm-dev-and-unreachable.vex.json:
- GHSA-gcfc-fp5p-5248: 404 (fabricated)
- GHSA-r7qp-cfhv-p84w: engine.io, not tar
- GHSA-3787-6prb-h5wc: 404 (fabricated)
- GHSA-952p-6rrq-rcjv: micromatch, not minimatch
- GHSA-hj48-42vr-x3v9: path-parse, not minimatch
- GHSA-c2qf-rxjj-qqgw: semver (already fixed by resolution)
- CVE-2023-46234: browserify-sign, not bn.js
- GHSA-pwxv-5w8g-86cp: 404 (fabricated playwright GHSA)
- GHSA-hpx4-r86g-5jrg: @adobe/css-tools, not storybook
Added verified correct entries:
- tar: GHSA-34x7-hfp2-rc4v, GHSA-83g3-92jg-28cx, GHSA-8qq5-rm4j-mr97, GHSA-r6q2-hw4h-h46w
- storybook: GHSA-mjf5-7g4m-gx5w (WebSocket hijacking)
- webpack buildHttp: GHSA-38r7-794h-5758, GHSA-8fgc-7cc6-rx7x
- Fixed GHSA-4vvj-4cpr-p986 description: DOM Clobbering, not buildHttp SSRF
Removed CVE-2025-9230 from openssl-mongodb.vex.json (not in GitHub Advisory DB). All remaining entries verified via GitHub Advisory API.
Second audit pass fixing factually wrong impact statements:
npm-dev-and-unreachable.vex.json (v3 → v4):
- CVE-2025-14505 (elliptic): fix vuln description from "malformed public key parsing" to correct "ECDSA signature generation with truncated k-nonce values"; attribute to Storybook/crypto-browserify
- GHSA-r6q2-hw4h-h46w (tar): fix "Unicode ligature" to "Unicode Sharp-S (ess-zett)" which is the actual character class involved
- GHSA-4vvj-4cpr-p986 (webpack DOM Clobbering): remove incorrect document.baseURI reference (only document.currentScript is clobbered); note Next.js uses its own bundled webpack copy
- CVE-2026-2739 (bn.js): fix trigger from "adversary-controlled large integer inputs" to correct "maskn(0) corrupting internal BN state"; broaden consumer list to all crypto-browserify packages
openssl-mongodb.vex.json (v2 → v3):
- All 19 entries: replace "localhost-only mode" with accurate description of Docker internal network isolation with no TLS configured
- CVE-2021-3711: correct from "certificate-parsing" to "SM2 decryption buffer overflow" (SM2 ciphertext, not TLS certs)
- CVE-2024-4741: correct from generic "TLS certificates" to "SSL_free_buffers() use-after-free via active TLS connections"
- CVE-2024-6119: correct from "OCSP responses" to "X.509 certificate name check / otherName SAN parsing"
- CVE-2025-15467: correct from "TLS certificates" to "CMS AuthEnvelopedData / PKCS#7 message parsing"
- CVE-2025-69419: correct from "TLS certificates" to "PKCS#12 file parsing heap write"
- CVE-2025-69420: correct from "TLS certificates" to "TimeStamp Response (RFC 3161) verification type confusion"
- CVE-2025-69421: correct from "TLS certificates" to "PKCS#12 file parsing NULL pointer dereference"
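An offline lint for VEX entries like the ones the commits above add, remove and correct, as an added example that is not part of this PR: it checks an OpenVEX v0.2.0 document's required fields, the not_affected justification vocabulary, and that every vulnerability id is a well-formed GHSA or CVE id, which catches ids that can never resolve before anyone queries the advisory database. The sample document, its @id and author are constructed; a well-formed id still has to be confirmed against the GitHub Advisory API as the commits describe, which this code does not do.

```javascript
// Added example (not the PR's code): offline lint of an OpenVEX v0.2.0 document.
// A malformed id can never resolve in an advisory DB; a well-formed one still needs
// the online check the PR did against the GitHub Advisory API (not done here).
const CONTEXT = 'https://openvex.dev/ns/v0.2.0';
const GHSA_ID = /^GHSA(-[23456789cfghjmpqrvwx]{4}){3}$/; // GHSA identifier alphabet
const CVE_ID = /^CVE-\d{4}-\d{4,}$/;
const STATUSES = new Set(['not_affected', 'affected', 'fixed', 'under_investigation']);
const JUSTIFICATIONS = new Set([
  'component_not_present', 'vulnerable_code_not_present', 'vulnerable_code_not_in_execute_path',
  'vulnerable_code_cannot_be_controlled_by_adversary', 'inline_mitigations_already_exist',
]);

function lintVex(doc) {
  const problems = [];
  if (doc['@context'] !== CONTEXT) problems.push(`@context must be ${CONTEXT}`);
  for (const k of ['@id', 'author', 'timestamp', 'version']) {
    if (doc[k] === undefined || doc[k] === '') problems.push(`missing ${k}`);
  }
  (doc.statements || []).forEach((s, i) => {
    const id = s.vulnerability && s.vulnerability.name;
    const where = `statement ${i} (${id || 'no id'})`;
    if (!id || !(GHSA_ID.test(id) || CVE_ID.test(id))) problems.push(`${where}: malformed vulnerability id`);
    if (!Array.isArray(s.products) || !s.products.length || !s.products.every((p) => p && p['@id'])) {
      problems.push(`${where}: products must be a non-empty list of {"@id": purl}`);
    }
    if (!STATUSES.has(s.status)) problems.push(`${where}: unknown status ${s.status}`);
    if (s.justification !== undefined && !JUSTIFICATIONS.has(s.justification)) {
      problems.push(`${where}: unknown justification ${s.justification}`);
    }
    // not_affected must be explained by a justification or an impact_statement
    if (s.status === 'not_affected' && !JUSTIFICATIONS.has(s.justification) && !s.impact_statement) {
      problems.push(`${where}: not_affected needs a justification or impact_statement`);
    }
  });
  return problems;
}

// Constructed sample, not the PR's .vex/npm-dev-and-unreachable.vex.json
const SAMPLE_VEX = {
  '@context': CONTEXT, '@id': 'https://example.invalid/vex/npm-dev-and-unreachable',
  author: 'example security team', timestamp: '2026-01-01T00:00:00Z', version: 1,
  statements: [
    { vulnerability: { name: 'GHSA-4vvj-4cpr-p986' }, products: [{ '@id': 'pkg:npm/webpack@5.105.0' }],
      status: 'not_affected', justification: 'vulnerable_code_not_in_execute_path',
      impact_statement: 'webpack is only a Storybook build dependency, absent from the production image' },
    { vulnerability: { name: 'GHSA-fake-0000' }, products: [{ '@id': 'pkg:npm/tar@6.2.1' }],
      status: 'not_affected' }, // malformed id, and no justification or impact_statement
  ],
};
console.log(lintVex(SAMPLE_VEX));
```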
What
Stacked on #1740. Adds yarn resolutions and VEX exceptions for remaining npm advisories.
Resolutions added (7 new):
- lodash ^4.17.23 — prototype pollution
- nanoid ^3.3.8 — CVE-2024-55565 predictable IDs
- validator ^13.15.22 — URL bypass
- @babel/runtime ^7.26.10 — ReDoS
- systeminformation ^5.31.0 — raises existing CVE-2026-26318 fix
- webpack ^5.105.0 — SSRF via buildHttp (storybook-only consumer)
- semver ^7.7.3 — CVE-2022-25883 ReDoS
- tmp ^0.2.4 — CVE-2025-54798 file write
VEX exceptions added (.vex/npm-dev-and-unreachable.vex.json): elliptic, tar, minimatch, playwright, storybook, webpack buildHttp, bn.js — all dev/build-only or code path not reachable.
Not added:
- ajv ^6.14.0 reverted — breaks table@6 which needs ajv@^8 (cross-major resolution unsafe).
Result
yarn npm audit: ~47 advisories → 2 (both deprecation notices, not CVEs)