Skip to content

fix: patch high/critical npm security vulnerabilities across JS apps#304

Open
Nick Robinson (nickrobinson) wants to merge 1 commit into
mainfrom
claude/fervent-planck-lns1d9
Open

fix: patch high/critical npm security vulnerabilities across JS apps#304
Nick Robinson (nickrobinson) wants to merge 1 commit into
mainfrom
claude/fervent-planck-lns1d9

Conversation

@nickrobinson

Copy link
Copy Markdown
Contributor

Summary

Patches all automatically-fixable security vulnerabilities (minor/patch bumps only) across the five JavaScript/TypeScript apps. All changes were verified with npm audit returning 0 vulnerabilities after patching.


Fixed vulnerabilities

javascript-web

Package Severity Fix Advisory
vite ≤6.4.2 → 6.4.3 High server.fs.deny bypass on Windows alternate paths GHSA-fx2h-pf6j-xcff
vite ≤6.4.2 → 6.4.3 Moderate NTLMv2 hash disclosure via UNC path (launch-editor) GHSA-v6wh-96g9-6wx3
js-yaml 4.0–4.1.1 → 4.2.0 Moderate Quadratic-complexity DoS via repeated aliases GHSA-h67p-54hq-rp68

javascript-tui

Package Severity Fix Advisory
@babel/core ≤7.29.0 → 7.30+ Low Arbitrary file read via sourceMappingURL comment GHSA-4x5r-pxfx-6jf8
js-yaml 4.1.1 → 4.2.0 Moderate Quadratic-complexity DoS GHSA-h67p-54hq-rp68

electron

Package Severity Fix Advisory
vite ≤6.4.2 → 6.4.3 High server.fs.deny bypass GHSA-fx2h-pf6j-xcff
undici 7.0–7.27 → 7.28+ High TLS bypass, HTTP header injection, WebSocket DoS, SOCKS5 pool reuse, keep-alive poisoning, SameSite downgrade, cross-user cache disclosure (7 CVEs) multiple
@babel/core ≤7.29.0 Low Arbitrary file read GHSA-4x5r-pxfx-6jf8
js-yaml 4.1.1 → 4.2.0 Moderate Quadratic-complexity DoS GHSA-h67p-54hq-rp68

react-native

Package Severity Fix Advisory
shell-quote ≤1.8.3 Critical Newline injection in .op values allows shell command injection GHSA-w7jw-789q-3m8p
ws 7.0–7.5.10 High Memory exhaustion DoS via tiny fragments GHSA-96hv-2xvq-fx4p
qs override: 6.14.2 → 6.15.3 Moderate stringify crash on null entries in comma-format arrays GHSA-q8mj-m7cp-5q26
js-yaml override: 4.1.1 → 4.2.0 Moderate Quadratic-complexity DoS GHSA-h67p-54hq-rp68
launch-editor, @eslint/eslintrc, @babel/core, joi Low–Moderate Various Multiple

react-native-expo

Package Severity Fix Advisory
shell-quote ≤1.8.3 Critical Newline injection / shell command injection GHSA-w7jw-789q-3m8p
form-data 4.0.0–4.0.5 → 4.0.6 High CRLF injection via unescaped multipart field names GHSA-fjxv-7rqg-78g4
ws 7.0–7.5.10 High Memory exhaustion DoS GHSA-96hv-2xvq-fx4p
@babel/core, launch-editor, js-yaml Low–Moderate Various Multiple

MANUAL INTERVENTION REQUIRED

react-native-expouuid via expo ecosystem (4× Moderate)

Alert: uuid <11.1.1 — Missing buffer bounds check in v3/v5/v6 when buf is provided
Path: expo > @expo/cli > @expo/metro-config > @expo/config > @expo/config-plugins > xcode > uuid
Advisory: https://github.com/advisories/GHSA-... (npm advisory 1119441)

What was tried:

  • npm audit fix — reports fix requires isSemVerMajor: true (expo downgrade to 46.0.21, which is not a valid upgrade path from 55.x)
  • Adding a "uuid": ">=11.1.1" resolution would force xcode onto uuid v11 which has a completely different API (uuid v11 changed the export shape), likely breaking xcode package at runtime

Suggested fix: Wait for expo 55.x to ship a patched @expo/config-plugins that updates its xcode dependency to a version that uses uuid ≥11.1.1, or pin xcode to a version that has already made this update.


Verification

After patching, npm audit returns 0 vulnerabilities for:

  • javascript-web
  • javascript-tui
  • electron
  • react-native ✅ (both package-lock.json and yarn.lock)
  • react-native-expo ✅ for all fixable issues (4 moderate expo/uuid remain — see above)

Generated by Claude Code

javascript-web:
- vite <=6.4.2 → 6.4.3 (high: server.fs.deny bypass + NTLMv2 hash disclosure)
- js-yaml 4.0-4.1.1 → 4.2.0 (moderate: quadratic-complexity DoS)

javascript-tui:
- @babel/core <=7.29.0 → 7.30+ (low: arbitrary file read via sourceMappingURL)
- js-yaml 4.1.1 → 4.2.0 (moderate: quadratic-complexity DoS)

electron:
- vite <=6.4.2 → 6.4.3 (high: server.fs.deny bypass + NTLMv2 hash disclosure)
- undici 7.0-7.27 → 7.28+ (high: multiple TLS/header injection/DoS CVEs)
- @babel/core <=7.29.0 → 7.30+ (low: arbitrary file read)
- js-yaml 4.1.1 → 4.2.0 (moderate: quadratic-complexity DoS)

react-native:
- shell-quote <=1.8.3 → 1.8.4+ (critical: newline injection in .op values)
- ws 6.0-6.2.3 / 7.0-7.5.10 → 7.5.11+ (high: memory exhaustion DoS)
- qs override: 6.14.2 → 6.15.3 (moderate: stringify crash on null in comma arrays)
- js-yaml override: 4.1.1 → 4.2.0 (moderate: quadratic-complexity DoS)
- @babel/core, launch-editor, @eslint/eslintrc (low/moderate)

react-native-expo:
- shell-quote <=1.8.3 → 1.8.4+ (critical: newline injection)
- form-data >=4.0.0 <4.0.6 → 4.0.6 (high: CRLF injection via multipart names)
- ws 6.0-6.2.3 / 7.0-7.5.10 → 7.5.11+ (high: memory exhaustion DoS)
- @babel/core, launch-editor, js-yaml (low/moderate)

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates dependency lockfiles (and React Native overrides/resolutions) across multiple JS/TS apps to patch reported npm security vulnerabilities, primarily by bumping affected transitive packages to non-vulnerable versions.

Changes:

  • Bumps vulnerable dependencies (e.g., vite, undici, shell-quote, ws, qs, js-yaml, various @babel/*) to patched versions via lockfile updates.
  • Adds/updates overrides and resolutions in react-native/package.json to force patched versions.
  • Regenerates yarn.lock for react-native alongside package-lock.json updates.

Reviewed changes

Copilot reviewed 1 out of 8 changed files in this pull request and generated 4 comments.

Show a summary per file
File Description
react-native/yarn.lock Updates Yarn v1 lock entries to patched dependency versions (incl. shell-quote, ws, Babel toolchain).
react-native/package.json Updates overrides/resolutions for js-yaml and qs (and retains other pinned transitive deps).
react-native/package-lock.json Updates npm lock entries for patched packages (e.g., js-yaml@4.2.0, qs@6.15.3, ws@7.5.11, shell-quote@1.10.0).
react-native-expo/package-lock.json Updates Expo ecosystem dependencies and patched transitive packages (e.g., form-data@4.0.6, ws@7.5.11, shell-quote@1.10.0).
javascript-web/package-lock.json Updates js-yaml and vite to patched versions in the npm lockfile.
javascript-tui/package-lock.json Updates Babel toolchain and js-yaml to patched versions in the npm lockfile.
electron/package-lock.json Updates vite, undici, js-yaml, and Babel toolchain to patched versions in the npm lockfile.
Files not reviewed (5)
  • electron/package-lock.json: Generated file
  • javascript-tui/package-lock.json: Generated file
  • javascript-web/package-lock.json: Generated file
  • react-native-expo/package-lock.json: Generated file
  • react-native/package-lock.json: Generated file

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines 2524 to +2527
"node_modules/js-yaml": {
"version": "4.1.1",
"version": "4.3.0",
"resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.3.0.tgz",
"integrity": "sha512-1td788aAnnZ5qs7V2QIRl1owjtYpbKt749Y3xauqQgwIIGF/xXWz1wMTEBx5O3LK3lXLVuqXPdPxj2BoFHaW9Q==",
Comment on lines 4678 to 4682
"node_modules/js-yaml": {
"version": "4.1.1",
"resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.1.tgz",
"integrity": "sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==",
"version": "4.3.0",
"resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.3.0.tgz",
"integrity": "sha512-1td788aAnnZ5qs7V2QIRl1owjtYpbKt749Y3xauqQgwIIGF/xXWz1wMTEBx5O3LK3lXLVuqXPdPxj2BoFHaW9Q==",
"dev": true,
Comment on lines 117 to +120
"node_modules/@babel/core": {
"version": "7.29.0",
"resolved": "https://registry.npmjs.org/@babel/core/-/core-7.29.0.tgz",
"integrity": "sha512-CGOfOJqWjg2qW/Mb6zNsDm+u5vFQ8DxXfbM09z69p5Z6+mE1ikP2jUXw+j42Pf1XTYED2Rni5f95npYeuwMDQA==",
"version": "7.29.7",
"resolved": "https://registry.npmjs.org/@babel/core/-/core-7.29.7.tgz",
"integrity": "sha512-RgHBCvtjbOK2gXSNBNIkNoEc9qoVEtau3hj8gEqKQuL3HZAibKarWFEI3Lfm6EYKkLalOh8eSrj9b+ch9H/VBA==",
Comment on lines 3388 to 3392
"node_modules/js-yaml": {
"version": "4.1.1",
"resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.1.tgz",
"integrity": "sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==",
"version": "4.3.0",
"resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.3.0.tgz",
"integrity": "sha512-1td788aAnnZ5qs7V2QIRl1owjtYpbKt749Y3xauqQgwIIGF/xXWz1wMTEBx5O3LK3lXLVuqXPdPxj2BoFHaW9Q==",
"dev": true,
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants