
[DependOnMe] Bulk security fix - 14 issues#644

Open
mayuran-deriv wants to merge 1 commit into master from dependonme/bulk-fix-9bb8fc15

Conversation

@mayuran-deriv
Contributor

Bulk Security Fix

This pull request was automatically generated by DependOnMe to fix 14 security issues at once.

Issues Fixed

  • Critical: 0
  • High: 7
  • Medium: 3
  • Low: 4

Files Modified

  • package.json

AI Summary

Fixed 14 security issues across multiple packages:

HIGH PRIORITY FIXES (7 issues):

MEDIUM PRIORITY FIXES (3 issues):

  • CVE-2025-13465: Updated lodash and lodash-es to ^4.17.23 to fix prototype pollution vulnerability
  • CVE-2026-22036: Added undici ^6.23.0 to dependencies and overrides to fix unbounded decompression vulnerability

LOW PRIORITY FIXES (4 issues):

⚠️ Risk Assessment:

  • Low Risk: lodash, qs, undici, webpack updates (patch/minor versions)
  • Medium Risk: tar, @isaacs/brace-expansion (likely transitive dependencies)
  • Medium Risk: diff update to v8.x (major version jump - check if used directly in code)
  • Low Risk: @remix-run/router (transitive via react-router-dom)

🧪 Testing Checklist:

  • Run npm install to update package-lock.json
  • Run full test suite (npm test)
  • Test build process (npm run build)
  • Verify webpack builds work (npm run build:webpack)
  • Check for TypeScript/type errors
  • Test React Router functionality (navigation, redirects)
  • If using diff package directly, test diff/patch operations
  • Test file upload/download features (tar package usage)
  • Test in development environment before production
  • Monitor for any runtime errors related to updated packages

📋 Manual Steps Needed:

  1. Delete node_modules and package-lock.json
  2. Run npm install to generate new lock file with secure versions
  3. Test thoroughly in development environment
  4. Check if any code directly imports/uses the diff package (major version update)
  5. Monitor application logs for any issues after deployment

Note: Most fixes use npm overrides to force transitive dependencies to secure versions. This is the safest approach when parent packages haven't updated their dependencies yet.


This PR was created by DependOnMe - Automated Security Issue Management

@github-actions
Contributor

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 5 package(s) with unknown licenses.
See the Details below.

License Issues

package.json

| Package | Version | License | Issue Type |
|---|---|---|---|
| lodash | ^4.17.23 | Null | Unknown License |
| lodash-es | ^4.17.23 | Null | Unknown License |
| qs | ^6.14.2 | Null | Unknown License |
| tar | ^7.5.8 | Null | Unknown License |
| undici | ^6.23.0 | Null | Unknown License |

OpenSSF Scorecard

| Package | Version | Score | Details |
|---|---|---|---|
| npm/lodash | ^4.17.23 | Unknown | Unknown |
| npm/lodash-es | ^4.17.23 | Unknown | Unknown |
| npm/qs | ^6.14.2 | Unknown | Unknown |
| npm/tar | ^7.5.8 | Unknown | Unknown |
| npm/undici | ^6.23.0 | Unknown | Unknown |

Scanned Manifest Files

package.json
  • diff@^8.0.3
  • lodash@^4.17.23
  • lodash-es@^4.17.23
  • qs@^6.14.2
  • tar@^7.5.8
  • undici@^6.23.0
  • webpack@^5.104.1
  • webpack@^5.92.1

@github-actions
Contributor

github-actions bot commented Feb 21, 2026

Claude finished @mayuran-deriv's task in 3m 31s


PR Review: [DependOnMe] Bulk security fix - 14 issues

  • Gather context and understand the request
  • Read changed files (package.json)
  • Analyze CI failure and dependency changes
  • Post final review summary

Summary

This PR addresses 14 CVEs entirely via package.json changes, which is the right approach for forcing secure transitive dependency versions using npm overrides. However, there are several issues that need addressing before this can be merged.


🔴 Critical (Build Broken)

package-lock.json was not regenerated

The CI build fails at "Install dependencies" because npm ci requires the lock file to be in sync with package.json. Error from CI logs:

npm error Invalid: lock file's diff@7.0.0 does not satisfy diff@8.0.3
npm error Invalid: lock file's lodash@4.17.21 does not satisfy lodash@4.17.23
npm error Invalid: lock file's qs@6.14.0 does not satisfy qs@6.15.0
npm error Missing: tar@7.5.9 from lock file
npm error Invalid: lock file's undici@5.29.0 does not satisfy undici@6.23.0
npm error Invalid: lock file's webpack@5.103.0 does not satisfy webpack@5.105.2
npm error Invalid: lock file's @remix-run/router@1.23.1 does not satisfy @remix-run/router@1.23.2

The PR description acknowledges this (manual step #1/#2) but the lock file update was never committed. This PR cannot be merged until package-lock.json is regenerated and committed.

Required action: Run npm install locally and commit the updated package-lock.json.


🟠 High Priority

undici added to dependencies (should be overrides only)

undici is a Node.js-only HTTP client. This is a browser-based React PWA — undici has no business in the runtime bundle. It should remain in overrides only (which already forces the secure version for transitive deps). Adding it to dependencies risks unintentional bundle inflation.

// package.json - Current (problematic)
"dependencies": {
    "undici": "^6.23.0",   // ← Remove from here
},
"overrides": {
    "undici": "^6.23.0"    // ← Keep this; this is all that's needed
}

tar added to dependencies (should be overrides only)

tar is not imported anywhere in the project source code (confirmed via code search). It's a transitive build-tool dependency. Adding it to dependencies is unnecessary and increases the project's explicit dependency surface. The overrides entry already handles the security fix.


🟡 Medium Priority

diff major version bump: v7.0.0 → ^8.0.3

The current lock file has diff@7.0.0 as a peer dependency of another package. Jumping to ^8.0.3 is a major version change. The diff v8 API has breaking changes (e.g., callback-based API removed). Any tooling in the project that depends on diff as a peer dep needs to be verified for compatibility.

Action: Identify which package has diff as a peer dependency (check node_modules entries after running npm install), and verify that package supports diff@8.x.

lodash, lodash-es, qs added to direct dependencies unnecessarily

None of these are directly imported in the project source (the codebase only uses lodash.debounce from a separate package). Adding them to dependencies pollutes the project's explicit dependency tree. The overrides entries alone are sufficient to force transitive deps to use secure versions:

// These entries in "dependencies" are unnecessary:
"lodash": "^4.17.23",    // No direct import found in src/
"lodash-es": "^4.17.23", // No direct import found in src/
"qs": "^6.14.2",         // No direct import found in src/

🟢 Low Priority

webpack appears in both devDependencies and overrides

Both entries specify ^5.104.1. The devDependencies entry is sufficient; the overrides entry is redundant (it only matters for transitive deps). Not harmful, but adds noise.


What's Done Well

  • Using npm overrides to force transitive dependency versions is the correct approach for CVE remediation when upstream packages haven't released patches.
  • @remix-run/router ^1.23.2 override is a clean patch-level fix for the XSS CVE.
  • @isaacs/brace-expansion ^5.0.1 and cross-spawn ^7.0.6 overrides are correct.
  • CVEs are well-documented in the PR body.

Recommended Changes Before Merge

  1. Run npm install and commit the updated package-lock.json (blocker)
  2. Move undici out of dependencies (keep in overrides only)
  3. Move tar out of dependencies (keep in overrides only)
  4. Consider moving lodash, lodash-es, qs out of dependencies (keep in overrides only)
  5. Verify diff v8 peer dependency compatibility after running npm install

@github-actions
Contributor

| Name | Result |
|---|---|
| Build status | Failed ❌ |
