/audit-deps#65
Closed
chriskehayias wants to merge 1 commit into
Closed
Conversation
Resolves 5 of 7 npm audit findings by updating transitive deps via their parents (undici, vite, esbuild, js-yaml, @babel/core). Bumps all direct deps to latest within existing semver ranges, notably next 16.2.6 -> 16.2.10 (picks up the 2026 Next.js security releases) and better-auth 1.6.11 -> 1.6.23. Remaining: 1 moderate (postcss <8.5.10) bundled inside next itself; the only npm-offered fix is a next@9.3.3 downgrade (false positive). Build-time only, requires untrusted CSS input — accepted risk until Next bumps its internal pin. Verified: build passes, lint clean, 272/272 tests pass. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
/audit-deps
Committed. Here's the full audit report.
Dependency Audit Report — MPNext
Date: 2026-07-06 · Deps audited: 592 (138 prod, 489 dev) · Status: ✅ Fixes applied, verified, committed (
0fc8dd9)Security Issues
npm auditfound 7 vulnerabilities (2 high, 3 moderate, 2 low) before remediation. Every one is in a dev/build/test transitive — none in the production runtime request path. 5 of 7 are now resolved.jsdom(Vitest test env)server.fs.denybypass on Windows)vitest,@vitejs/plugin-react(dev server)eslint/@eslint/eslintrctsx,viteeslint-plugin-react-hooks</style>in stringify)nextThe one remaining finding (
postcss <8.5.10bundled inside Next.js — the top-levelpostcssis patched at 8.5.16) is a false-positive fix: npm's only offered remedy is downgradingnextto 9.3.3, which I did not apply. It's exploitable only when PostCSS stringifies untrusted CSS at build time; this app builds trusted first-party CSS, so real-world risk is negligible. It clears when Next bumps its internal pin.Runtime CVE research (Next.js / better-auth)
Web research surfaced a significant 2026 wave of Next.js CVEs (May 2026 coordinated release patching ~13 advisories: middleware/proxy bypass, SSRF, cache poisoning, XSS, DoS; plus the CVE-2026-445xx series against 16.2.4). npm audit did not flag the installed 16.2.6 for these (already past the patch line), but I bumped to 16.2.10 anyway to pick up all subsequent 16.2.x patches.
better-authsearches were unavailable (search API flapping) — no advisory surfaced via npm audit for 1.6.x; updated 1.6.11 → 1.6.23 regardless.Updates Applied (safe — all within existing semver majors)
All direct deps moved to latest-in-range. Notable:
Deferred — Major Upgrades (plan for, needs testing)
eslint-config-next16. Deferred.Verification
npm run build— compiled, TypeScript passed, all 7 routes generated (Better Auth warnings are just unset env vars in this worktree, unrelated to deps)npm run lint— cleannpm run test:run— 272/272 passingRecommended next steps
eslint-config-nextconfirms compatibility.postcssto clear the last moderate finding.Sources:
🤖 Generated by Harness via Claude Code