PER-14336: Remediate npm vulnerabilities, update Docusaurus to 3.10.1, and remove unused dependencies#619
Merged
Conversation
- Remove `npm` from production dependencies (~25 vulns eliminated) - Update axios 1.8.4 → 1.14.0 (pinned, fixes DoS CVE-2026-25639) - Update lodash 4.17.21 → 4.17.23 (pinned, fixes prototype pollution) - Update @playwright/test 1.50.0 → 1.58.2 (fixes SSL cert bypass) - Update all @docusaurus/* packages 3.7.0 → 3.9.2 - Update react-syntax-highlighter 15.6.1 → 16.1.1 (fixes prismjs XSS) - Update react-code-blocks 0.0.9-0 → 0.1.6 - Add npm overrides for transitive vulns (serialize-javascript, node-forge, cross-spawn, picomatch, minimatch) - Add ajv@8 + ajv-formats as devDependencies to fix schema-utils@4 compat - Remove stale packageManager field (yarn@1.22.22 with no yarn.lock) - Add .github/dependabot.yml for automated npm + GH Actions updates Remaining 10 vulns are in @untitaker/hyperlink (dev-only) and react-code-blocks (bundled prismjs, no upstream fix available). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
✅ Deploy Preview for permitio-docs ready!
- lodash: no imports in source code (transitive deps have own copies) - ignore-styles: zero references in codebase - postcss-preset-env: not in any PostCSS config (only tailwindcss/autoprefixer used) - remark-gfm: Docusaurus 3.x has built-in GFM support - @babel/register: commented out in docusaurus.config.js Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Contributor
Pull request overview
This PR reduces npm security vulnerabilities and simplifies the dependency graph by upgrading key packages, removing unused/abnormal dependencies, adding npm overrides for vulnerable transitive deps, and introducing Dependabot for ongoing automated updates.
Changes:
- Upgraded Docusaurus, axios, Playwright, and code-highlighting packages; removed several unused dependencies.
- Added npm `overrides` entries to remediate vulnerable transitive dependencies.
- Added `.github/dependabot.yml` to enable weekly npm and GitHub Actions update scanning.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| package.json | Dependency upgrades/removals plus new npm overrides and devDependency additions. |
| .github/dependabot.yml | Adds weekly Dependabot update configuration for npm and GitHub Actions. |
Newer @argos-ci/core no longer auto-detects the GitHub token and requires an explicit ARGOS_TOKEN secret. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Resolve conflicts with master (#622 removed argos.yml, #621 added webpackbar override). Drop all Argos infrastructure now that visual regression CI is gone: @argos-ci/cli, @argos-ci/playwright, @playwright/test, the tests/ directory, playwright.config.js, and Playwright .gitignore entries. Keep PER-14336 security overrides (serialize-javascript, node-forge, cross-spawn, picomatch, minimatch) and add the new webpackbar override from master. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…nto per-14336/remediate-npm-vulns * origin/per-14336/remediate-npm-vulns:
node-forge is no longer in the dependency tree after the @docusaurus 3.9.2 bump and unused-dependency removal — it is absent from package-lock.json, so the `node-forge: ">=1.4.0"` override no longer remediates anything. Removing it (lockfile unchanged on npm install). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Contributor
Author
omer9564
approved these changes
Jun 2, 2026
EliMoshkovich
approved these changes
Jun 2, 2026
omer9564
approved these changes
Jun 2, 2026
Bump @docusaurus/* 3.9.2 -> 3.10.1 and pin axios 1.16.1. Remove @svgr/webpack, file-loader, url-loader, and ajv-formats, which have no references in source or webpack config and are not consumed by the dependency tree. Apply npm audit fix to clear remaining high-severity transitive advisories. Build, hyperlink check, and local browse pass; remaining audit findings are 23 moderate from two unfixable transitive roots (uuid via webpack-dev-server, prismjs via react-code-blocks). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Summary
Remove unused dependencies (`lodash`, `ignore-styles`, `postcss-preset-env`, `remark-gfm`, `@babel/register`, `npm`, `@svgr/webpack`, `file-loader`, `url-loader`); update `axios`, the Docusaurus ecosystem (3.7.0→3.10.1), `react-syntax-highlighter`, `react-code-blocks`; remove the Playwright/Argos visual-regression setup; add npm `overrides` for transitive vulnerabilities; remove the `packageManager` yarn field.
Linear Issue
PER-14336
What changed
Removed unused dependencies
- `lodash`
- `ignore-styles`
- `postcss-preset-env`
- `remark-gfm`
- `@babel/register`
- `npm`
- `@svgr/webpack`
- `file-loader`
- `url-loader`
Direct dependency updates
- `axios`
- `@docusaurus/*` (7 pkgs)
- `react-syntax-highlighter`
- `react-code-blocks`
Removed test infrastructure
- Removed `playwright.config.js`, `tests/screenshot.spec.js`, `tests/screenshot.css` and dropped `@playwright/test` and `@argos-ci/*`. Removes the `@playwright/test` CVE surface. The Argos CI job was removed separately.
Infrastructure
- `.github/dependabot.yml` — weekly npm + GitHub Actions update scanning
- `ajv@8.18.0` as a devDependency — forces `ajv@8` to the hoisted root so `schema-utils@4` (the webpack loaders under Docusaurus) resolves correctly. Without it, older loaders pull `ajv@6` to the root and the build can fail with `Cannot find module 'ajv/dist/compile/codegen'`.
- `overrides` for: `got`, `serialize-javascript`, `cross-spawn`, `picomatch`, `minimatch`, `webpackbar`
- `npm audit fix` (semver-safe) to clear remaining high-severity transitive advisories
- Removed the `packageManager: yarn@1.22.22` field (no yarn.lock exists)
Remaining vulnerabilities (23 moderate, 0 high, 0 critical)
All trace to two transitive roots with no available fix:
- `uuid` (buffer bounds, GHSA-w5hq-g745-h8pq) → `sockjs` → `webpack-dev-server` → the `@docusaurus/*` packages. Dev-server only (`docusaurus start`); never ships to the static site.
- `prismjs` (<1.30.0 DOM clobbering) → `refractor` → `react-syntax-highlighter` → `react-code-blocks`. No upstream fix; used to render code blocks.
Test plan
- `docusaurus build` — production build succeeds on Docusaurus 3.10.1
- `npm run hyperlink` — 0 bad links, 0 bad anchors across 2392 files (503 documents)
- `npm audit` — 0 critical, 0 high, 23 moderate (all unfixable transitive)
Tests
Generated with Claude Code
Automated iterations
(at commit 601e5d9)
- Removed the `node-forge: ">=1.4.0"` override from `package.json`. node-forge dropped out of the dependency tree after the `@docusaurus` bump and unused-dependency removal (absent from `package-lock.json`), so the override no longer remediated anything. Lockfile unchanged.
- Verified clean (no change needed): the Dependabot `dependency-type: "development"` group is valid per the GitHub Dependabot options reference (supported for npm); all other `overrides` (`got`, `serialize-javascript`, `cross-spawn`, `picomatch`, `minimatch`, `webpackbar`) are present in the lockfile and satisfy their constraints; Playwright was removed cleanly with no dangling references.
- No HIGH/CRITICAL findings.
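The "Automated iterations" check above (overrides present in the lockfile and satisfying their constraints, with the stale node-forge override caught) is the kind of thing worth scripting. The following is an added example, not code from this PR or repository; the `package.json` overrides and `package-lock.json` entries are constructed samples, and the version constraints in them are illustrative rather than taken from real advisories.

```javascript
// Added example, not part of the PR: audit package.json "overrides" against a
// package-lock.json (v2/v3 "packages" map). Flags overrides whose target is no
// longer in the tree (stale, like the node-forge case in this PR) and resolved
// copies that do not satisfy the override's constraint.
// Both inputs below are constructed samples, not the repository's real files.
const samplePkgJson = {
  overrides: {
    "serialize-javascript": ">=6.0.2",
    "node-forge": ">=1.4.0", // constructed: no node-forge entry in the lock below
    "cross-spawn": ">=7.0.5",
  },
};
const sampleLock = {
  packages: {
    "node_modules/serialize-javascript": { version: "6.0.2" },
    "node_modules/cross-spawn": { version: "7.0.6" },
    // nested copy that an override should have replaced but did not
    "node_modules/legacy-tool/node_modules/cross-spawn": { version: "6.0.5" },
  },
};
// "1.2.3" or "v1.2.3-beta" -> [1, 2, 3]; pre-release tags are ignored here.
function parseVer(v) {
  return v.replace(/^v/, "").split("-")[0].split(".").map(Number);
}
function cmpVer(a, b) {
  const x = parseVer(a), y = parseVer(b);
  for (let i = 0; i < 3; i++) if ((x[i] || 0) !== (y[i] || 0)) return (x[i] || 0) - (y[i] || 0);
  return 0;
}
// Only the constraint shapes this PR uses: ">=x.y.z" and an exact "x.y.z".
function satisfies(version, range) {
  const m = range.match(/^(>=)?\s*(\d+\.\d+\.\d+)$/);
  if (!m) throw new Error(`unsupported override range: ${range}`);
  return m[1] ? cmpVer(version, m[2]) >= 0 : cmpVer(version, m[2]) === 0;
}
// Package name for a lockfile path: text after the last "node_modules/" (scope-aware).
function pkgNameOf(lockPath) {
  const i = lockPath.lastIndexOf("node_modules/");
  return i < 0 ? null : lockPath.slice(i + "node_modules/".length);
}
// Returns { stale: [...names], violated: [...path@version] }; fail CI on either.
function auditOverrides(pkg, lock) {
  const stale = [], violated = [];
  for (const [name, range] of Object.entries(pkg.overrides || {})) {
    const hits = Object.entries(lock.packages).filter(([p]) => pkgNameOf(p) === name);
    if (hits.length === 0) { stale.push(name); continue; }
    for (const [p, meta] of hits) if (!satisfies(meta.version, range)) violated.push(`${p}@${meta.version}`);
  }
  return { stale, violated };
}
```

To run it against real files, replace the two samples with `JSON.parse(fs.readFileSync(...))` of `package.json` and `package-lock.json` and exit non-zero when either array is non-empty.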