From 82e67bf8ad0fe17571c2be5a86cafb452773137c Mon Sep 17 00:00:00 2001 From: Utkarsh Singh <6995377+vib795@users.noreply.github.com> Date: Sat, 20 Jun 2026 12:31:33 -0500 Subject: [PATCH] chore(security): pin undici >=7.28.0, clear 7 advisories, release v3.0.8 undici 7.25.0 reached the build toolchain transitively via @vscode/vsce -> cheerio -> undici. v7.28.0 fixes seven advisories (two high: GHSA-vmh5-mc38-953g SOCKS5 TLS validation bypass, GHSA-pr7r-676h-xcf6 shared-cache cross-user disclosure; plus five moderate/low). Pinned via npm overrides to >=7.28.0 <8 to stay on the v7 line cheerio expects (^7.12.0), avoiding a major bump. npm audit: 0 vulnerabilities (full and --omit=dev). Dev-scope only; shipped runtime (simple-git, @octokit/rest) unchanged. Supersedes #38. Co-Authored-By: Claude Opus 4.8 --- README.md | 4 ++++ package-lock.json | 24 ++++++++++++------------ package.json | 5 +++-- 3 files changed, 19 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index fa9f6a1..698f16a 100644 --- a/README.md +++ b/README.md @@ -8,6 +8,10 @@ ## What's new +### v3.0.8 + +- 🔒 **Security patch** — cleared seven newly-disclosed `undici` advisories (two high: TLS validation bypass in the SOCKS5 ProxyAgent and shared-cache cross-user disclosure, plus five moderate/low) reaching the build toolchain transitively through `@vscode/vsce → cheerio`. Pinned to `undici >=7.28.0 <8` via npm `overrides`, staying on the v7 line `cheerio` expects. `npm audit` reports 0 vulnerabilities for both the full and production trees; the shipped runtime is unchanged. + ### v3.0.7 - 🔒 **Security patch** — cleared three newly-disclosed advisories in the build toolchain: `markdown-it` quadratic-complexity DoS (advisory #51), `form-data` CRLF injection (high), and `js-yaml` merge-key DoS, all pinned via npm `overrides`. `@typescript-eslint` updated to 8.61.1. `npm audit` reports 0 vulnerabilities for both the full and production trees; the shipped runtime is unchanged. diff --git a/package-lock.json b/package-lock.json index 4a15000..3dfa5ad 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "flaunt-github", - "version": "3.0.7", + "version": "3.0.8", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "flaunt-github", - "version": "3.0.7", + "version": "3.0.8", "license": "MIT", "dependencies": { "@octokit/rest": "^22.0.1", @@ -2571,6 +2571,16 @@ "url": "https://github.com/sponsors/fb55" } }, + "node_modules/cheerio/node_modules/undici": { + "version": "7.28.0", + "resolved": "https://registry.npmjs.org/undici/-/undici-7.28.0.tgz", + "integrity": "sha512-cRZYrTDwWznlnRiPjggAGxZXanty6M8RV1ff8Wm4LWXBp7/IG8v5DnOm74DtUBp9OONpK75YlPnIjQqX0dBDtA==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=20.18.1" + } + }, "node_modules/chokidar": { "version": "3.6.0", "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-3.6.0.tgz", @@ -6767,16 +6777,6 @@ "dev": true, "license": "MIT" }, - "node_modules/undici": { - "version": "7.25.0", - "resolved": "https://registry.npmjs.org/undici/-/undici-7.25.0.tgz", - "integrity": "sha512-xXnp4kTyor2Zq+J1FfPI6Eq3ew5h6Vl0F/8d9XU5zZQf1tX9s2Su1/3PiMmUANFULpmksxkClamIZcaUqryHsQ==", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=20.18.1" - } - }, "node_modules/undici-types": { "version": "7.24.6", "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.24.6.tgz", diff --git a/package.json b/package.json index 823232b..794f9fa 100644 --- a/package.json +++ b/package.json @@ -2,7 +2,7 @@ "name": "flaunt-github", "displayName": "Flaunt GitHub", "description": "Passively tracks coding activity and commits a rolling journal to a private GitHub repo. Dashboard, shareable profile badge, optional AI daily summaries.", - "version": "3.0.7", + "version": "3.0.8", "publisher": "UtkarshSingh", "icon": "images/logo.png", "license": "MIT", @@ -159,6 +159,7 @@ "brace-expansion": ">=5.0.6", "markdown-it": ">=14.2.0", "form-data": ">=4.0.6", - "js-yaml": ">=4.2.0" + "js-yaml": ">=4.2.0", + "undici": ">=7.28.0 <8" } }