fix: resolve high-severity npm audit vulnerabilities blocking CI #1033
timowestnosto merged 3 commits into main from
Co-authored-by: timowestnosto <13622115+timowestnosto@users.noreply.github.com>
| "access": "public" | ||
| }, | ||
| "overrides": { | ||
| "minimatch": "^10.2.1" |
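Review bot: the `"overrides": { "minimatch": "^10.2.1" }` entry moves every consumer that declared `^3.1.2` or `^9.x` (eslint, typescript-eslint, typedoc per the discussion) onto a different major version, and npm applies an override regardless of whether the consumer's declared range is satisfied, so the PR description should state that lint, typedoc and the build were exercised against the overridden tree, and should reference GHSA-3ppc-4f35-3m26 next to the override (package.json cannot carry a comment, so in the description or changelog) so the entry can be dropped once the upstream packages update their own minimatch dependency.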
@copilot can't this be just bumped in package-lock without this override declaration?
Unfortunately no. The vulnerable minimatch versions (3.1.2, 9.0.5) come from transitive dependencies (eslint, typescript-eslint, typedoc) that have specific version constraints in their package.json files (e.g., "minimatch": "^3.1.2"). Simply running npm update minimatch doesn't affect these nested dependencies.
The overrides field is the standard npm solution for this scenario - it forces all instances of minimatch throughout the dependency tree to use the secure version, regardless of what individual packages specify. Without it, we'd need to wait for each package maintainer to update their minimatch dependency, which could take months.
I tested removing the override and running npm update, and it left the vulnerable versions in place, causing npm audit to fail with 13 high-severity issues.
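The reply above describes the override propagating to every nested copy of minimatch; the script below is an added example (not code from this PR or project) that verifies that claim against a lockfile: it walks the `packages` map of a lockfile v2/v3 `package-lock.json` (npm 7+ layout, an assumption), lists every installed copy of a package at any nesting depth, and reports the ones still below the patched version. The two embedded lockfiles are constructed samples showing the tree before and after an override takes effect; the package and version names in them are illustrative.

```javascript
// Added example: check a package-lock.json for copies of a package that an
// "overrides" entry should have replaced. Assumes lockfile v2/v3 with a
// top-level "packages" map keyed by install path (npm 7+).

// Minimal semver parse: "10.2.1" -> [10, 2, 1]; pre-release/build suffixes are dropped.
function parseVersion(v) {
  const core = String(v).split(/[-+]/)[0];
  return core.split(".").map((n) => parseInt(n, 10) || 0);
}

// Negative if a < b, 0 if equal, positive if a > b (major, minor, patch only).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Returns every installed copy of `name` whose version is below `minSafe`.
// Nested copies appear as paths like "node_modules/eslint/node_modules/minimatch".
function findVulnerableCopies(lock, name, minSafe) {
  const hits = [];
  for (const [installPath, entry] of Object.entries(lock.packages || {})) {
    if (installPath === "" || !entry.version) continue; // "" is the root project
    if (!installPath.endsWith(`node_modules/${name}`)) continue;
    if (compareVersions(entry.version, minSafe) < 0) {
      hits.push({ path: installPath, version: entry.version });
    }
  }
  return hits;
}

// Reads a lockfile from disk and runs the same check (CLI use only).
function auditLockfile(lockfilePath, name, minSafe) {
  const fs = require("fs");
  const lock = JSON.parse(fs.readFileSync(lockfilePath, "utf8"));
  return findVulnerableCopies(lock, name, minSafe);
}

// Constructed sample (not from the PR): two consumers pin older minimatch ranges,
// so npm installs nested copies beside the hoisted one.
const BEFORE_OVERRIDE = {
  name: "example", lockfileVersion: 3,
  packages: {
    "": { name: "example", devDependencies: { eslint: "^9.0.0", typedoc: "^0.26.0" } },
    "node_modules/minimatch": { version: "9.0.5" },
    "node_modules/eslint": { version: "9.0.0", dependencies: { minimatch: "^3.1.2" } },
    "node_modules/eslint/node_modules/minimatch": { version: "3.1.2" },
    "node_modules/typedoc": { version: "0.26.0", dependencies: { minimatch: "^9.0.5" } },
    "node_modules/typedoc/node_modules/minimatch": { version: "9.0.5" },
  },
};

// Constructed sample after "overrides": { "minimatch": "^10.2.1" }: the nested
// copies disappear because every consumer is resolved onto the hoisted copy.
const AFTER_OVERRIDE = {
  name: "example", lockfileVersion: 3,
  packages: {
    "": { name: "example", devDependencies: { eslint: "^9.0.0", typedoc: "^0.26.0" },
          overrides: { minimatch: "^10.2.1" } },
    "node_modules/minimatch": { version: "10.2.1" },
    "node_modules/eslint": { version: "9.0.0", dependencies: { minimatch: "^3.1.2" } },
    "node_modules/typedoc": { version: "0.26.0", dependencies: { minimatch: "^9.0.5" } },
  },
};

// CLI: node check-override.js package-lock.json minimatch 10.2.1
if (typeof require !== "undefined" && require.main === module && process.argv[2]) {
  const [lockfilePath, name = "minimatch", minSafe = "10.2.1"] = process.argv.slice(2);
  const bad = auditLockfile(lockfilePath, name, minSafe);
  for (const b of bad) console.error(`${b.path} -> ${b.version} (below ${minSafe})`);
  process.exit(bad.length ? 1 : 0);
}
```

Run as a CI step after `npm install`, the script exits non-zero while any copy below the patched version remains, which is an independent check on top of `npm audit`; it also makes the review question above answerable from the lockfile itself, since a `npm update` without the override leaves the nested `node_modules/<consumer>/node_modules/minimatch` entries in place.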
Pull request overview
This PR addresses high-severity npm audit vulnerabilities that were blocking CI builds. The changes apply a minimatch version override and run npm audit fix to resolve security issues.
Changes:
- Added npm override for `minimatch@^10.2.1` to address GHSA-3ppc-4f35-3m26 ReDoS vulnerability across all transitive dependencies
- Upgraded `markdown-it` from 14.1.0 to 14.1.1 via `npm audit fix`
- Updated dependency tree to support minimatch v10 (brace-expansion v5.0.2, balanced-match v4.0.3)
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| package.json | Added npm overrides section with minimatch version constraint |
| package-lock.json | Applied minimatch override across all dependencies, upgraded markdown-it, removed obsolete packages (concat-map, jackspeak, @isaacs/cliui), and updated supporting dependencies |
🎉 This PR is included in version 11.2.0 🎉 The release is available on:
Your semantic-release bot 📦🚀
Context
CI builds failing on `npm audit --audit-level=high` due to high-severity ReDoS vulnerabilities in transitive dependencies.
Changes:
- `minimatch@^10.2.1` override to patch GHSA-3ppc-4f35-3m26 across all transitive dependencies (eslint, typescript-eslint, typedoc, graphql-config)
- `npm audit fix` to resolve `markdown-it` vulnerability
Notes:
Related Jira ticket
N/A
Screenshots
N/A