Skip to content

Fix npm audit vulnerabilities in client and server#370

Draft
phoenixy1 wants to merge 1 commit into
masterfrom
ah-security-patches-jul2026
Draft

Fix npm audit vulnerabilities in client and server#370
phoenixy1 wants to merge 1 commit into
masterfrom
ah-security-patches-jul2026

Conversation

@phoenixy1

Copy link
Copy Markdown
Collaborator

Resolve all open npm audit / Dependabot advisories (5 high, 4 moderate on master) via non-breaking transitive dependency bumps; lockfiles only, no package.json or API changes.

  • form-data → 4.0.6 (CRLF injection, high; client + server)
  • ws → 8.21.0 (DoS, high; client + server)
  • vite → 8.1.4 (fs.deny bypass / launch-editor NTLM disclosure, high; client)
  • js-yaml → 4.3.0 (quadratic-complexity DoS, moderate; client + server)
  • react-router → 6.30.4 (open redirect, moderate; client)

Audit counts (via public npm registry): server 4 high + 1 moderate → 0; client 4 high + 3 moderate → 0.

Resolve all open high/moderate advisories reported by npm audit via
non-breaking transitive dependency bumps (lockfiles only):
- form-data 4.0.x -> 4.0.6 (CRLF injection, high)
- ws 8.20.1 -> 8.21.0 (DoS, high)
- vite 8.0.x -> 8.1.4 (fs.deny bypass / launch-editor NTLM, high; client)
- js-yaml 4.1.1 -> 4.3.0 (DoS, moderate)
- react-router 6.30.3 -> 6.30.4 (open redirect, moderate; client)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant