Skip to content

Fix npm audit vulnerabilities#254

Open
Ravian18 wants to merge 1 commit into
JaapvanEkris:mainfrom
Ravian18:fix/npm-audit-vulnerabilities
Open

Fix npm audit vulnerabilities#254
Ravian18 wants to merge 1 commit into
JaapvanEkris:mainfrom
Ravian18:fix/npm-audit-vulnerabilities

Conversation

@Ravian18

@Ravian18 Ravian18 commented Jul 6, 2026

Copy link
Copy Markdown

Resolves all 12 vulnerabilities reported by npm audit (1 critical, 3 high, 7 moderate, 1 low). npm audit now reports 0 vulnerabilities.

Changes

  • npm audit fix to patch transitive and direct dependencies within their existing semver ranges (no manifest changes needed for these): shell-quote (critical), ws (high), linkify-it (high), @babel/* (high + low), tar, brace-expansion, ip-address, js-yaml, markdown-it, smol-toml.
  • Bumped markdownlint-cli2 devDependency ^0.22.0^0.23.0, the minimum release that clears the remaining markdown-it / js-yaml / smol-toml advisories.

The only runtime-path package among these is ws (via mqtt), bumped 8.20.08.21.0, which still satisfies mqtt's ^8.18.3 requirement. Everything else is build/lint/dev tooling.

Verification

  • npm audit → 0 vulnerabilities
  • npm run build → succeeds
  • npm run lint → 0 errors (eslint + markdownlint; markdownlint-cli2 0.23.0 lints all docs cleanly under the existing .markdownlint.json)
  • npm test was not run locally: the suite imports hci-socket, a Linux-only native BLE dependency that cannot install on macOS (EBADPLATFORM). CI runs the full suite on ubuntu-latest with BlueZ installed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant