Skip to content

/audit-deps#65

Closed
chriskehayias wants to merge 1 commit into
mainfrom
harness/audit-deps-auq9c0
Closed

/audit-deps#65
chriskehayias wants to merge 1 commit into
mainfrom
harness/audit-deps-auq9c0

Conversation

@chriskehayias

Copy link
Copy Markdown
Contributor

/audit-deps


Committed. Here's the full audit report.

Dependency Audit Report — MPNext

Date: 2026-07-06 · Deps audited: 592 (138 prod, 489 dev) · Status: ✅ Fixes applied, verified, committed (0fc8dd9)

Security Issues

npm audit found 7 vulnerabilities (2 high, 3 moderate, 2 low) before remediation. Every one is in a dev/build/test transitive — none in the production runtime request path. 5 of 7 are now resolved.

Package Severity Reaches prod? Source (transitive via) Status
undici 7.25.0 High (TLS bypass, DoS, header injection — 7 CVEs) No jsdom (Vitest test env) ✅ Fixed → 7.28+
vite 8.0.13 High (server.fs.deny bypass on Windows) No vitest, @vitejs/plugin-react (dev server) ✅ Fixed → 8.0.16+
js-yaml 4.1.1 Moderate (quadratic DoS) No eslint / @eslint/eslintrc ✅ Fixed → 4.1.2+
esbuild 0.28.0 Low (dev-server file read, Windows) No tsx, vite ✅ Fixed
@babel/core 7.29.0 Low (arbitrary file read via sourcemap) No eslint-plugin-react-hooks ✅ Fixed
postcss 8.4.31 Moderate (XSS via </style> in stringify) Build-time only bundled inside next ⚠️ Accepted risk
next (via postcss) Moderate Build-time only self ⚠️ Accepted risk

The one remaining finding (postcss <8.5.10 bundled inside Next.js — the top-level postcss is patched at 8.5.16) is a false-positive fix: npm's only offered remedy is downgrading next to 9.3.3, which I did not apply. It's exploitable only when PostCSS stringifies untrusted CSS at build time; this app builds trusted first-party CSS, so real-world risk is negligible. It clears when Next bumps its internal pin.

Runtime CVE research (Next.js / better-auth)

Web research surfaced a significant 2026 wave of Next.js CVEs (May 2026 coordinated release patching ~13 advisories: middleware/proxy bypass, SSRF, cache poisoning, XSS, DoS; plus the CVE-2026-445xx series against 16.2.4). npm audit did not flag the installed 16.2.6 for these (already past the patch line), but I bumped to 16.2.10 anyway to pick up all subsequent 16.2.x patches. better-auth searches were unavailable (search API flapping) — no advisory surfaced via npm audit for 1.6.x; updated 1.6.11 → 1.6.23 regardless.

Updates Applied (safe — all within existing semver majors)

All direct deps moved to latest-in-range. Notable:

Package From To Notes
next 16.2.6 16.2.10 2026 security releases
better-auth 1.6.11 1.6.23 auth library — kept current
react / react-dom 19.2.6 19.2.7 patch
openai 6.38.0 6.45.0 minor
zod 4.4.x 4.4.3 patch
several @radix-ui/* latest minor UI primitives

Deferred — Major Upgrades (plan for, needs testing)

Package Current Latest Risk Notes
eslint 9.39.4 10.6.0 Medium Major; requires flat-config/plugin compat review vs eslint-config-next 16. Deferred.
@types/node 25.9.4 26.1.0 Low Types-only major; align with your Node runtime version before bumping.

Verification

  • npm run build — compiled, TypeScript passed, all 7 routes generated (Better Auth warnings are just unset env vars in this worktree, unrelated to deps)
  • npm run lint — clean
  • npm run test:run272/272 passing

Recommended next steps

  1. Now: Nothing urgent — committed changes cover all safely-fixable issues.
  2. Soon: Evaluate the ESLint 10 major upgrade once eslint-config-next confirms compatibility.
  3. Track: Watch for a Next.js 16.2.x release that bumps its internal postcss to clear the last moderate finding.

Sources:

🤖 Generated by Harness via Claude Code

Resolves 5 of 7 npm audit findings by updating transitive deps via their
parents (undici, vite, esbuild, js-yaml, @babel/core). Bumps all direct
deps to latest within existing semver ranges, notably next 16.2.6 -> 16.2.10
(picks up the 2026 Next.js security releases) and better-auth 1.6.11 -> 1.6.23.

Remaining: 1 moderate (postcss <8.5.10) bundled inside next itself; the only
npm-offered fix is a next@9.3.3 downgrade (false positive). Build-time only,
requires untrusted CSS input — accepted risk until Next bumps its internal pin.

Verified: build passes, lint clean, 272/272 tests pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@chriskehayias chriskehayias deleted the harness/audit-deps-auq9c0 branch July 9, 2026 14:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant