chore(deps): run npm audit fix #56

Open

caugner wants to merge 1 commit into main from npm-audit-fix

Conversation

@caugner
Contributor

@caugner caugner commented May 26, 2026

Description

Result of running npm audit fix in each directory with package-lock.json.

Motivation

Resolve vulnerabilities that may potentially affect us.

Additional details

See: https://docs.npmjs.com/cli/commands/npm-audit

/rust-js/site/

Before:

# npm audit report

ajv  7.0.0-alpha.0 - 8.17.1
Severity: moderate
ajv has ReDoS when using `$data` option - https://github.com/advisories/GHSA-2g4f-4pwh-qvx6
fix available via `npm audit fix`
node_modules/ajv

fast-uri  <=3.1.1
Severity: high
fast-uri vulnerable to path traversal via percent-encoded dot segments - https://github.com/advisories/GHSA-q3j6-qgpj-74h6
fast-uri vulnerable to host confusion via percent-encoded authority delimiters - https://github.com/advisories/GHSA-v39h-62p7-jpjc
fix available via `npm audit fix`
node_modules/fast-uri

follow-redirects  <=1.15.11
Severity: moderate
follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets - https://github.com/advisories/GHSA-r4q5-vmmm-2653
fix available via `npm audit fix`
node_modules/follow-redirects

node-forge  <=1.3.3
Severity: high
Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation) - https://github.com/advisories/GHSA-2328-f5f3-gj25
Forge has signature forgery in Ed25519 due to missing S > L check - https://github.com/advisories/GHSA-q67f-28xg-22rw
Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input - https://github.com/advisories/GHSA-5m6q-g25r-mvwx
Forge has signature forgery in RSA-PKCS due to ASN.1 extra field   - https://github.com/advisories/GHSA-ppp5-5v6c-4jwp
fix available via `npm audit fix`
node_modules/node-forge

path-to-regexp  <0.1.13
Severity: high
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters - https://github.com/advisories/GHSA-37ch-88jc-xwx2
fix available via `npm audit fix`
node_modules/path-to-regexp

picomatch  <=2.3.1 || 4.0.0 - 4.0.3
Severity: high
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - https://github.com/advisories/GHSA-3v7f-55p6-f55p
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - https://github.com/advisories/GHSA-3v7f-55p6-f55p
Picomatch has a ReDoS vulnerability via extglob quantifiers - https://github.com/advisories/GHSA-c2c7-rcm5-vvqj
Picomatch has a ReDoS vulnerability via extglob quantifiers - https://github.com/advisories/GHSA-c2c7-rcm5-vvqj
fix available via `npm audit fix`
node_modules/picomatch
node_modules/tinyglobby/node_modules/picomatch

qs  <=6.15.1
Severity: moderate
qs's arrayLimit bypass in comma parsing allows denial of service - https://github.com/advisories/GHSA-w7fw-mjwx-w883
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion - https://github.com/advisories/GHSA-6rw7-vpxm-498p
qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set - https://github.com/advisories/GHSA-q8mj-m7cp-5q26
fix available via `npm audit fix`
node_modules/qs
  body-parser  1.20.3 - 1.20.4 || 2.0.0-beta.1 - 2.0.2
  Depends on vulnerable versions of qs
  node_modules/body-parser
  express  4.21.0 - 4.22.1 || 5.0.0-alpha.1 - 5.0.1
  Depends on vulnerable versions of qs
  node_modules/express

serialize-javascript  <=7.0.4
Severity: high
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() - https://github.com/advisories/GHSA-5c6j-r48x-rmvq
Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects - https://github.com/advisories/GHSA-qj8w-gfj5-8c6v
fix available via `npm audit fix --force`
Will install copy-webpack-plugin@14.0.0, which is a breaking change
node_modules/serialize-javascript
  copy-webpack-plugin  6.1.1 - 13.0.1
  Depends on vulnerable versions of serialize-javascript
  node_modules/copy-webpack-plugin
  terser-webpack-plugin  4.2.1 - 5.3.16
  Depends on vulnerable versions of serialize-javascript
  node_modules/terser-webpack-plugin

uuid  <11.1.1
Severity: moderate
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided - https://github.com/advisories/GHSA-w5hq-g745-h8pq
fix available via `npm audit fix`
node_modules/uuid
  sockjs  >=0.3.17
  Depends on vulnerable versions of uuid
  node_modules/sockjs
    webpack-dev-server  *
    Depends on vulnerable versions of sockjs
    node_modules/webpack-dev-server

webpack  5.49.0 - 5.104.0
webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior - https://github.com/advisories/GHSA-8fgc-7cc6-rx7x
fix available via `npm audit fix`
node_modules/webpack


ws  8.0.0 - 8.20.0
Severity: moderate
ws: Uninitialized memory disclosure - https://github.com/advisories/GHSA-58qx-3vcg-4xpx
fix available via `npm audit fix`
node_modules/ws

17 vulnerabilities (1 low, 11 moderate, 5 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

After:

# npm audit report

serialize-javascript  <=7.0.4
Severity: high
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() - https://github.com/advisories/GHSA-5c6j-r48x-rmvq
Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects - https://github.com/advisories/GHSA-qj8w-gfj5-8c6v
fix available via `npm audit fix --force`
Will install copy-webpack-plugin@14.0.0, which is a breaking change
node_modules/serialize-javascript
  copy-webpack-plugin  6.1.1 - 13.0.1
  Depends on vulnerable versions of serialize-javascript
  node_modules/copy-webpack-plugin

uuid  <11.1.1
Severity: moderate
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided - https://github.com/advisories/GHSA-w5hq-g745-h8pq
fix available via `npm audit fix --force`
Will install webpack-dev-server@1.16.5, which is a breaking change
node_modules/uuid
  sockjs  >=0.3.17
  Depends on vulnerable versions of uuid
  node_modules/sockjs
    webpack-dev-server  >=2.0.0-beta
    Depends on vulnerable versions of sockjs
    node_modules/webpack-dev-server

5 vulnerabilities (4 moderate, 1 high)

To address all issues (including breaking changes), run:
  npm audit fix --force

Diff:

--- before
+++ after
@@ -1,63 +1,5 @@
 # npm audit report
 
-ajv  7.0.0-alpha.0 - 8.17.1
-Severity: moderate
-ajv has ReDoS when using `$data` option - https://github.com/advisories/GHSA-2g4f-4pwh-qvx6
-fix available via `npm audit fix`
-node_modules/ajv
-
-fast-uri  <=3.1.1
-Severity: high
-fast-uri vulnerable to path traversal via percent-encoded dot segments - https://github.com/advisories/GHSA-q3j6-qgpj-74h6
-fast-uri vulnerable to host confusion via percent-encoded authority delimiters - https://github.com/advisories/GHSA-v39h-62p7-jpjc
-fix available via `npm audit fix`
-node_modules/fast-uri
-
-follow-redirects  <=1.15.11
-Severity: moderate
-follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets - https://github.com/advisories/GHSA-r4q5-vmmm-2653
-fix available via `npm audit fix`
-node_modules/follow-redirects
-
-node-forge  <=1.3.3
-Severity: high
-Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation) - https://github.com/advisories/GHSA-2328-f5f3-gj25
-Forge has signature forgery in Ed25519 due to missing S > L check - https://github.com/advisories/GHSA-q67f-28xg-22rw
-Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input - https://github.com/advisories/GHSA-5m6q-g25r-mvwx
-Forge has signature forgery in RSA-PKCS due to ASN.1 extra field   - https://github.com/advisories/GHSA-ppp5-5v6c-4jwp
-fix available via `npm audit fix`
-node_modules/node-forge
-
-path-to-regexp  <0.1.13
-Severity: high
-path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters - https://github.com/advisories/GHSA-37ch-88jc-xwx2
-fix available via `npm audit fix`
-node_modules/path-to-regexp
-
-picomatch  <=2.3.1 || 4.0.0 - 4.0.3
-Severity: high
-Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - https://github.com/advisories/GHSA-3v7f-55p6-f55p
-Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - https://github.com/advisories/GHSA-3v7f-55p6-f55p
-Picomatch has a ReDoS vulnerability via extglob quantifiers - https://github.com/advisories/GHSA-c2c7-rcm5-vvqj
-Picomatch has a ReDoS vulnerability via extglob quantifiers - https://github.com/advisories/GHSA-c2c7-rcm5-vvqj
-fix available via `npm audit fix`
-node_modules/picomatch
-node_modules/tinyglobby/node_modules/picomatch
-
-qs  <=6.15.1
-Severity: moderate
-qs's arrayLimit bypass in comma parsing allows denial of service - https://github.com/advisories/GHSA-w7fw-mjwx-w883
-qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion - https://github.com/advisories/GHSA-6rw7-vpxm-498p
-qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set - https://github.com/advisories/GHSA-q8mj-m7cp-5q26
-fix available via `npm audit fix`
-node_modules/qs
-  body-parser  1.20.3 - 1.20.4 || 2.0.0-beta.1 - 2.0.2
-  Depends on vulnerable versions of qs
-  node_modules/body-parser
-  express  4.21.0 - 4.22.1 || 5.0.0-alpha.1 - 5.0.1
-  Depends on vulnerable versions of qs
-  node_modules/express
-
 serialize-javascript  <=7.0.4
 Severity: high
 Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() - https://github.com/advisories/GHSA-5c6j-r48x-rmvq
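Review bot: The removed blocks all carried `fix available via \`npm audit fix\``, so they should have resolved through in-range bumps, but this hunk only shows the report text and not what moved in package-lock.json; please list the resulting versions (for example `npm ls qs express body-parser picomatch`) so reviewers can confirm the `express 4.21.0 - 4.22.1 || 5.0.0-alpha.1 - 5.0.1` / body-parser chain stayed within its current major and that both picomatch locations, `node_modules/picomatch` and `node_modules/tinyglobby/node_modules/picomatch`, were updated rather than one nested copy being left behind.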
@@ -68,38 +10,21 @@
   copy-webpack-plugin  6.1.1 - 13.0.1
   Depends on vulnerable versions of serialize-javascript
   node_modules/copy-webpack-plugin
-  terser-webpack-plugin  4.2.1 - 5.3.16
-  Depends on vulnerable versions of serialize-javascript
-  node_modules/terser-webpack-plugin
 
 uuid  <11.1.1
 Severity: moderate
 uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided - https://github.com/advisories/GHSA-w5hq-g745-h8pq
-fix available via `npm audit fix`
+fix available via `npm audit fix --force`
+Will install webpack-dev-server@1.16.5, which is a breaking change
 node_modules/uuid
   sockjs  >=0.3.17
   Depends on vulnerable versions of uuid
   node_modules/sockjs
-    webpack-dev-server  *
+    webpack-dev-server  >=2.0.0-beta
     Depends on vulnerable versions of sockjs
     node_modules/webpack-dev-server
 
-webpack  5.49.0 - 5.104.0
-webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior - https://github.com/advisories/GHSA-8fgc-7cc6-rx7x
-fix available via `npm audit fix`
-node_modules/webpack
+5 vulnerabilities (4 moderate, 1 high)
 
-
-ws  8.0.0 - 8.20.0
-Severity: moderate
-ws: Uninitialized memory disclosure - https://github.com/advisories/GHSA-58qx-3vcg-4xpx
-fix available via `npm audit fix`
-node_modules/ws
-
-17 vulnerabilities (1 low, 11 moderate, 5 high)
-
-To address issues that do not require attention, run:
-  npm audit fix
-
 To address all issues (including breaking changes), run:
   npm audit fix --force
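Review bot: The `+` lines show the uuid finding is now only fixable with `--force`, which would install `webpack-dev-server@1.16.5`, below the `>=2.0.0-beta` range the same hunk reports as vulnerable, i.e. a breaking downgrade; the `npm audit fix --force` suggestion kept in the trailing context should therefore not be run. Since the chain is `uuid` -> `sockjs` -> `webpack-dev-server`, confirm it is dev-only with `npm audit --omit=dev` and track it, or add a package.json `overrides` entry for uuid once a compatible sockjs release exists. Also, the removed `webpack 5.49.0 - 5.104.0` block has no `Severity:` line, so the `1 low` in the removed summary cannot be attributed from this diff; stating the webpack version the fix landed on in the PR description would close that gap.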

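The before/after reports above separate findings into those `npm audit fix` clears without a breaking change and those that only have a `--force` fix ("Will install ... which is a breaking change"). The following added example, which is not part of this pull request or of the project, performs that same triage on the machine-readable output of `npm audit --json` (auditReportVersion 2, npm 7+). The embedded SAMPLE_REPORT is constructed: package names, version ranges and advisory ids are copied from the report above, while the `via`/`fixAvailable` details and the `_entry`/`_advisory` helpers are assumptions about the report shape, not values the PR shows.

```python
"""Triage an `npm audit --json` report: what `npm audit fix` can clear without
--force, what needs a breaking change, and which advisories a dependent is
really exposed to.  Added example; SAMPLE_REPORT is constructed, not real."""
import json

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


def _advisory(title, ghsa, severity):
    """An advisory object as it appears in a vulnerable package's `via` list."""
    return {"title": title, "url": f"https://github.com/advisories/{ghsa}", "severity": severity}


def _entry(severity, via, version_range, fix):
    """One `vulnerabilities` entry.  `via` holds advisory objects for a package that is
    itself vulnerable, and bare package names for a dependent that is only affected
    through it ("Depends on vulnerable versions of ...").  `fix` is npm's `fixAvailable`:
    True, False, or {name, version, isSemVerMajor} when the fix is a breaking change."""
    return {"severity": severity, "via": via, "range": version_range, "fixAvailable": fix}


# Breaking-change fix targets taken from the "Will install ..." lines of the report.
BREAKING_CWP = {"name": "copy-webpack-plugin", "version": "14.0.0", "isSemVerMajor": True}
BREAKING_WDS = {"name": "webpack-dev-server", "version": "1.16.5", "isSemVerMajor": True}

# Constructed sample report (shape assumed to match npm's auditReportVersion 2).
SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "qs": _entry("moderate", [_advisory(
            "qs's arrayLimit bypass in comma parsing allows denial of service",
            "GHSA-w7fw-mjwx-w883", "moderate")], "<=6.15.1", True),
        "body-parser": _entry("moderate", ["qs"], "1.20.3 - 1.20.4", True),
        "serialize-javascript": _entry("high", [_advisory(
            "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()",
            "GHSA-5c6j-r48x-rmvq", "high")], "<=7.0.4", BREAKING_CWP),
        "copy-webpack-plugin": _entry("high", ["serialize-javascript"], "6.1.1 - 13.0.1", BREAKING_CWP),
        "uuid": _entry("moderate", [_advisory(
            "uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided",
            "GHSA-w5hq-g745-h8pq", "moderate")], "<11.1.1", BREAKING_WDS),
        "ws": _entry("moderate", [_advisory(
            "ws: Uninitialized memory disclosure", "GHSA-58qx-3vcg-4xpx", "moderate")],
            "8.0.0 - 8.20.0", True),
    },
})


def parse_report(text):
    """Return the `vulnerabilities` map, rejecting the legacy (npm 6) report format."""
    report = json.loads(text)
    if report.get("auditReportVersion") != 2:
        raise ValueError("expected auditReportVersion 2 output (npm 7 or newer)")
    return report["vulnerabilities"]


def triage(vulns):
    """Split findings by what `npm audit fix` will do: 'safe' (fixed without --force),
    'breaking' (needs --force; records the package@version that would be installed),
    'unfixable' (no fix available)."""
    result = {"safe": [], "breaking": [], "unfixable": []}
    for name, entry in sorted(vulns.items()):
        fix = entry.get("fixAvailable", False)
        if isinstance(fix, dict) and fix.get("isSemVerMajor"):
            result["breaking"].append((name, f"{fix['name']}@{fix['version']}"))
        elif fix:  # True, or a non-major {name, version} fix
            result["safe"].append(name)
        else:
            result["unfixable"].append(name)
    return result


def count_by_severity(vulns):
    """Per-severity counts, matching the '17 vulnerabilities (... moderate, ... high)' line."""
    counts = {}
    for entry in vulns.values():
        counts[entry["severity"]] = counts.get(entry["severity"], 0) + 1
    return counts


def root_advisories(vulns, name, _seen=None):
    """Follow package names in `via` down to the advisory URLs a dependent is exposed to."""
    seen = _seen if _seen is not None else set()
    found = []
    for v in vulns[name]["via"]:
        if isinstance(v, dict):
            found.append(v["url"])
        elif v in vulns and v not in seen:
            seen.add(v)
            found.extend(root_advisories(vulns, v, seen))
    return found


def needs_attention(vulns, min_severity="high"):
    """Findings at or above min_severity that a plain `npm audit fix` will NOT clear,
    i.e. the ones a reviewer must decide on by hand instead of running --force."""
    t = triage(vulns)
    manual = {n for n, _ in t["breaking"]} | set(t["unfixable"])
    floor = SEVERITY_RANK[min_severity]
    return sorted(n for n in manual if SEVERITY_RANK[vulns[n]["severity"]] >= floor)


if __name__ == "__main__":
    vulns = parse_report(SAMPLE_REPORT)
    print("counts:", count_by_severity(vulns))
    t = triage(vulns)
    print("npm audit fix clears:", ", ".join(t["safe"]))
    for name, target in t["breaking"]:
        print(f"{name}: needs --force (would install {target}), exposed via",
              ", ".join(root_advisories(vulns, name)))
    print("manual decision needed at >= high:", needs_attention(vulns, "high"))
```

Against a real project, replace SAMPLE_REPORT with the output of `npm audit --json` (run in each directory that has a package-lock.json) and fail CI only on what `needs_attention` returns; that keeps `npm audit fix` routine while forcing a human look at anything that would otherwise need `--force`.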
@caugner caugner requested review from a team and LeoMcA and removed request for a team May 26, 2026 14:40
@caugner caugner marked this pull request as ready for review May 26, 2026 14:44
@caugner caugner requested review from a team as code owners May 26, 2026 14:44
@caugner caugner requested review from MendyBerger and dipikabh May 26, 2026 14:44