Skip to content

Fix npm audit vulnerabilities#52

Merged
mcollina merged 1 commit into
mainfrom
fix-audit
Jul 9, 2026
Merged

Fix npm audit vulnerabilities#52
mcollina merged 1 commit into
mainfrom
fix-audit

Conversation

@mcollina

@mcollina mcollina commented Jul 9, 2026

Copy link
Copy Markdown
Member

What

npm audit fix — package-lock.json only, all updates within existing semver ranges (package.json untouched).

Why

The Security Audit CI job (npm audit --audit-level=high) fails on every PR right now: 29 advisories accumulated since CI last ran on main in January, including 2 critical and 11 high (protobufjs, node-forge, lodash, path-to-regexp, ...). This currently blocks #51 and any other PR.

Result

  • Before: 29 vulnerabilities (2 critical, 11 high, 14 moderate, 2 low)
  • After: 3 moderate (webpack-dev-server, dev-only), below the CI gate

Verified locally: audit gate passes, typecheck clean, webpack CLI build succeeds, flamegraph + parser test suites pass (42/42 Chromium).

npm audit fix resolves 26 of 29 advisories (all high and critical ones)
within existing semver ranges; only 3 moderate webpack-dev-server
advisories remain, below the CI audit gate of --audit-level=high.
@mcollina mcollina merged commit b0114ba into main Jul 9, 2026
41 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant