
fix: critical vulnerabilities in all packages #1797

Open
yashoswalyo wants to merge 1 commit into 1-Platform:master from yashoswalyo:fix-audit

Conversation


@yashoswalyo yashoswalyo commented Jun 3, 2026

Contributor

Resolves

Resolves multiple Critical vulns reported by npm audit

Previous

| Package | Critical | High | Moderate | Low | Total |
| --- | --- | --- | --- | --- | --- |
| analytics-service | 4 | 13 | 14 | 14 | 45 |
| api-catalog-service | 5 | 18 | 28 | 13 | 64 |
| api-catalog-spa | 9 | 29 | 27 | 5 | 70 |
| api-gateway-service | 14 | 39 | 28 | 7 | 88 |
| apps-service | 4 | 20 | 15 | 14 | 53 |
| component-catalog-spa | 5 | 41 | 24 | 14 | 84 |
| developer-console-spa | 5 | 38 | 23 | 14 | 80 |
| feedback-service | 6 | 21 | 12 | 16 | 55 |
| feedback-spa | 3 | 14 | 21 | 9 | 47 |
| home-spa | 5 | 20 | 13 | 12 | 50 |
| lighthouse-service | 7 | 24 | 11 | 15 | 57 |
| lighthouse-spa | 8 | 56 | 54 | 14 | 132 |
| notifications-service | 6 | 24 | 12 | 13 | 55 |
| opc-base | 2 | 30 | 12 | 1 | 45 |
| reverse-proxy-service | 2 | 17 | 13 | 17 | 49 |
| search-service | 6 | 24 | 13 | 15 | 58 |
| search-spa | 8 | 54 | 55 | 14 | 131 |
| user-group-service | 10 | 21 | 10 | 15 | 56 |
| user-group-spa | 14 | 50 | 116 | 13 | 193 |

After fixing vulnerabilities

| Package | Critical | High | Moderate | Low | Total |
| --- | --- | --- | --- | --- | --- |
| analytics-service | 0 | 2 | 6 | 12 | 20 |
| api-catalog-service | 0 | 4 | 4 | 12 | 20 |
| api-catalog-spa | 0 | 20 | 14 | 1 | 35 |
| api-gateway-service | 11 | 19 | 21 | 3 | 54 |
| apps-service | 0 | 5 | 6 | 9 | 20 |
| component-catalog-spa | 0 | 14 | 13 | 9 | 36 |
| developer-console-spa | 0 | 13 | 12 | 9 | 34 |
| feedback-service | 0 | 2 | 4 | 11 | 17 |
| feedback-spa | 0 | 4 | 9 | 9 | 22 |
| home-spa | 3 | 0 | 1 | 3 | 7 |
| lighthouse-service | 0 | 13 | 3 | 15 | 31 |
| lighthouse-spa | 3 | 51 | 45 | 12 | 111 |
| notifications-service | 0 | 3 | 9 | 9 | 21 |
| opc-base | 0 | 20 | 8 | 0 | 28 |
| reverse-proxy-service | 0 | 3 | 1 | 9 | 13 |
| search-service | 0 | 0 | 3 | 9 | 12 |
| search-spa | 3 | 46 | 46 | 12 | 107 |
| user-group-service | 2 | 0 | 5 | 9 | 16 |
| user-group-spa | 7 | 32 | 105 | 10 | 154 |

  • The remediation effort resulted in a total reduction of 654 vulnerabilities across the workspace.
  • All lockfiles are migrated to v2 (~node 16)

Does this PR introduce a breaking change

Might be needs testing

Ready-for-merge Checklist

  • Expected files: all files in this pull request are related to one feature request or issue (no stragglers)?
  • Does the change have appropriate unit tests?
  • Did tests pass?
  • Did you update or add any necessary documentation (README.md, WHY.md, etc.)?
  • Was this feature demoed and the design review approved?

Signed-off-by: Yash Oswal <yoswal@redhat.com>
@yashoswalyo yashoswalyo marked this pull request as draft June 3, 2026 09:51
@yashoswalyo yashoswalyo marked this pull request as ready for review June 3, 2026 10:05
@deshmukhmayur

Member

AI Code Review

Reviewer: Auto (Cursor agent router)
Model: Composer
PR: #1797 — fix: critical vulnerabilities in all packages
Branch: fix-audit → master
Review date: 2026-06-03
Method: Static analysis of PR diff, metadata, CI check results, and failure logs via GitHub API

Note: This review was generated by AI (Auto / Composer). It should be treated as an automated first pass — please validate findings against team context, runtime behavior, and security policy before acting on them.


Executive Summary

**Verdict:** Request changes — not merge-ready
**Scope:** Monorepo-wide dependency audit remediation (~234k additions / ~79k deletions, mostly lockfiles)
**CI status:** 8 failed / 11 passed (19 package jobs)
**Risk level:** High — major dependency upgrades touch production DB code, build tooling, and test infrastructure

The PR makes real progress reducing npm audit findings across the workspace, but it introduces CI regressions, leaves critical vulnerabilities in several packages, and includes upgrades incompatible with the repo’s Node 16 engine constraint.


What This PR Does Well

  1. Meaningful vulnerability reduction — The before/after audit table shows substantial improvement in many packages (e.g. analytics-service 45→20, reverse-proxy-service 49→13, search-service 58→12).

  2. Appropriate patch/minor bumps — Updates such as express 4.17→4.22, ejs 3.1.6→3.1.10, ws 7.5.5→7.5.11, and webpack minor bumps are reasonable and low-risk.

  3. Correct Mongoose 6 connection cleanup — Removing deprecated options (useNewUrlParser, useCreateIndex, useUnifiedTopology, useFindAndModify) is the right approach for Mongoose 6 in:

    • apps-service
    • feedback-service
    • lighthouse-service
    • search-service
    • user-group-service
  4. Partial CI success — 11 packages pass, including several backend services with Mongoose upgrades (feedback-service, lighthouse-service, search-service, api-gateway-service).


Blockers

1. CI failures (8 packages)

| Package | Status | Root cause (from CI logs) |
| --- | --- | --- |
| api-catalog-spa | Fail | @types/node uses TypeScript syntax incompatible with TS 4.6 (TS1005, TS1109 in http.d.ts, https.d.ts) |
| apps-service | Fail | Mongoose 6 / MongoDB driver API break: collection().insert() expects 3 args; mongodb-memory-server fails with libcrypto.so.1.1 |
| feedback-spa | Fail | Same @types/node / TypeScript version mismatch |
| home-spa | Fail | TypeError: os.availableParallelism is not a function — Jest 30 requires Node ≥18.14; repo engines specify Node ^16.18.0 |
| lighthouse-spa | Fail | npm ERESOLVE: @angular/cdk@12.2.4 vs @angular/common@11.2.14 peer conflict |
| opc-base | Fail | Rollup build error: Unexpected token (Note that you need plugins to import files that are not JavaScript) |
| search-spa | Fail | npm ERESOLVE: apollo-angular@2.0.4 peer requires Angular ≤10; project uses Angular 11 |
| user-group-service | Fail | npm ERESOLVE: eslint@^8 conflicts with eslint-config-airbnb-base@14.2.1 (expects eslint ≤7) |

The PR checklist marks “Did tests pass?” as unchecked, which aligns with CI.

2. PR claims do not fully match outcomes

Title: “fix: critical vulnerabilities in all packages”

The included audit table still shows 29 critical vulnerabilities remaining:

| Package | Critical (after fix) |
| --- | --- |
| api-gateway-service | 11 |
| user-group-spa | 7 |
| home-spa | 3 |
| lighthouse-spa | 3 |
| search-spa | 3 |
| user-group-service | 2 |

api-gateway-service passes CI but still reports 11 critical findings — this should be called out explicitly in the PR description or addressed.

Lockfile migration claim: “All lockfiles are migrated to v2 (~node 16)”

The diff shows 9 lockfiles moving from v1→v2 and 9 remaining at v1. This is a partial migration, not a complete one.


Detailed Findings

A. Mongoose 5 → 6 migration (5 services)

Affected: apps-service, feedback-service, lighthouse-service, search-service, user-group-service

Good: Deprecated connection options were removed correctly.

Missing:

  • Test updates for MongoDB driver 4.x / Mongoose 6 API changes

  • Example failure in apps-service:

    ```ts
    await mongoose.connection.db.collection('projects').insert({...})
    // TS2554: Expected 3 arguments, but got 1
    ```

    Should use insertOne() / insertMany().

  • No documented smoke-test plan for production DB paths (CRUD, indexing, LDAP-adjacent flows in user-group-service)

Risk: Mongoose 6 has additional behavioral changes (e.g. strictQuery defaults) that may affect runtime behavior beyond compile-time fixes.


B. Node 16 engine incompatibility

Root package.json specifies:

```json
"engines": { "node": "^16.18.0", "npm": "^8.1.0" }
```

Several upgrades appear to require Node 18+:

| Package | Change | Issue |
| --- | --- | --- |
| home-spa | Jest 27 → 30 | Uses os.availableParallelism() (Node 18.14+) — confirmed CI failure |
| Root | Cypress 6 → 15 | Likely requires Node 18+; no CI validation visible for e2e |
| api-catalog-spa | happy-dom 6 → 20 | Major jump; may require Node 18+ |

Recommendation: Either revert these to Node-16-compatible versions or bump repo engines + CI Node version in the same PR.


C. TypeScript / @types/node mismatch

api-catalog-spa and feedback-spa fail with parse errors in @types/node — newer type definitions use syntax (e.g. using, advanced type expressions) that TypeScript 4.x cannot parse.

Recommendation: Pin @types/node to a version compatible with each package’s TypeScript version (e.g. @types/node@16 for TS 4.4–4.6), rather than accepting whatever the lockfile resolves to.

Anti-pattern found: user-group-service/tsconfig.json adds "skipLibCheck": true — this suppresses the symptom instead of fixing the root cause.


D. Peer dependency conflicts (fragile lockfiles)

lighthouse-spa, search-spa, and user-group-service fail on fresh npm ci with ERESOLVE. Passing packages may only succeed because committed lockfiles paper over conflicts.

Risk: Any lockfile regeneration or CI change that drops --legacy-peer-deps will break builds.

Recommendation: Resolve peer conflicts explicitly (upgrade conflicting packages, add overrides, or align eslint/angular/apollo versions) rather than relying on lockfile pinning alone.


E. Type definition changes in apps-service

New fields added to ambient types:

  • ApplicationDrawerEntry: path, icon, createdOn, createdBy
  • Project: tags, lighthouse

These may reflect real schema fields, but they were not paired with test updates or runtime validation changes. Please confirm these match actual Mongoose schemas and aren’t compile-time band-aids.


F. MSW worker regeneration (user-group-spa)

public/mockServiceWorker.js updated from MSW 0.36.8 → 0.44.2. Verify the msw devDependency version matches; worker/library version skew causes subtle test failures.


G. Other notable dependency changes

| Change | Concern |
| --- | --- |
| Root cypress 6.5.0 → 15.16.0 | Major version; may need config migration |
| feedback-service nodemailer 6.7.0 → ^8.0.10 | Major version; verify email sending still works |
| feedback-service lodash 4.17.21 → ^4.18.1 | Unusual — lodash 4.17.x is the stable line; confirm 4.18.x exists and is intended |
| api-catalog-spa @one-platform/opc-feedback prerelease → alpha | Verify API compatibility with consuming code |

Recommendations

Must fix before merge

  1. Resolve all 8 CI failures
  2. Revert or align Jest 30 / Cypress 15 / happy-dom 20 with Node 16, or bump engines to Node 18+ with CI workflow updates
  3. Update Mongoose 6 tests (insertOne/insertMany, review query patterns)
  4. Pin @types/node to TS-4.x-compatible versions; remove skipLibCheck workaround
  5. Fix peer dependency conflicts in Angular, Apollo, and ESLint stacks

Should fix / document

  1. Update PR title and description to reflect remaining critical counts honestly
  2. Correct the “all lockfiles migrated to v2” claim
  3. Add a manual test plan for Mongoose 6 services (CRUD, search indexing, feedback queues, user-group LDAP)
  4. Address or document remaining critical vulns in api-gateway-service (11) and SPAs

Consider for follow-up PRs

  1. Split into smaller PRs: (a) lockfile-only patch bumps, (b) Mongoose 6 per-service, (c) major dev-tool upgrades with Node bump

Checklist Assessment

| Item | Status | Notes |
| --- | --- | --- |
| All files related to one feature | | Cohesive audit remediation |
| Unit tests | ⚠️ | Existing tests broken in apps-service; no new tests added |
| Tests pass | | 8/19 CI jobs failing |
| Documentation updated | | Claims inaccurate (lockfiles, “all” criticals) |
| Breaking change assessment | ⚠️ | “Might be needs testing” — underspecified for Mongoose 6 + major tool bumps |

Final Verdict

Request changes. The vulnerability reduction effort is valuable, but the PR is not ready to merge due to widespread CI failures, remaining critical vulnerabilities in several packages, Node 16 incompatibilities, and incomplete Mongoose 6 migration. Recommend fixing blockers or splitting into smaller, reviewable PRs.


Generated by Auto (Cursor agent router), powered by Composer. Assisted-by: Composer
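As an added example (not code from this PR or from the 1-Platform project), a small CI gate over `npm audit --json` output that checks mechanically what the review above disputes: a package is merge-ready only when its post-fix report has zero criticals, no more than an agreed number of highs, and no increase in total findings versus the baseline. The sample reports and package names are constructed; the report shape assumed is npm's `auditReportVersion: 2` (npm 7+).

```javascript
// Added example, not code from this PR or the 1-Platform repo: a CI gate over
// `npm audit --json` (report format v2, npm >= 7) so "criticals fixed" claims
// are verified per package rather than read from a hand-copied table.
const SEVERITIES = ["critical", "high", "moderate", "low", "info"];

// Count findings per severity by walking the `vulnerabilities` map instead of
// trusting `metadata.vulnerabilities`, so a truncated or edited report cannot under-report.
function summarizeAudit(report) {
  const counts = Object.fromEntries(SEVERITIES.map((s) => [s, 0]));
  for (const entry of Object.values(report.vulnerabilities || {})) {
    if (entry.severity in counts) counts[entry.severity] += 1;
  }
  counts.total = SEVERITIES.reduce((n, s) => n + counts[s], 0);
  return counts;
}

// Per-severity delta between a baseline audit and the post-fix audit;
// negative numbers mean findings were removed.
function auditDelta(before, after) {
  const b = summarizeAudit(before);
  const a = summarizeAudit(after);
  return Object.fromEntries([...SEVERITIES, "total"].map((s) => [s, a[s] - b[s]]));
}

// Merge gate: zero criticals, at most `maxHigh` highs, and no regression in
// total count versus the baseline. Returns reasons; an empty list passes.
function auditGate(after, before, { maxHigh = 0 } = {}) {
  const c = summarizeAudit(after);
  const d = auditDelta(before, after);
  const reasons = [];
  if (c.critical > 0) reasons.push(`${c.critical} critical finding(s) remain`);
  if (c.high > maxHigh) reasons.push(`${c.high} high finding(s) exceed limit ${maxHigh}`);
  if (d.total > 0) reasons.push(`total findings increased by ${d.total}`);
  return reasons;
}

// Constructed sample reports (hypothetical package names) in the shape
// `npm audit --json` emits: one baseline, one after a partial fix.
const vuln = (name, severity) => ({ name, severity, isDirect: false, fixAvailable: true });
const BEFORE = { auditReportVersion: 2, vulnerabilities: {
  "example-parser": vuln("example-parser", "critical"),
  "example-template": vuln("example-template", "critical"),
  "example-util": vuln("example-util", "high"),
  "example-logger": vuln("example-logger", "low") } };
const AFTER = { auditReportVersion: 2, vulnerabilities: {
  "example-parser": vuln("example-parser", "critical"),
  "example-util": vuln("example-util", "high") } };
const reasons = auditGate(AFTER, BEFORE);
console.log(reasons.length ? `BLOCK: ${reasons.join("; ")}` : "PASS");
```

In a real workflow each package directory would feed the parsed output of `npm audit --json` into `auditGate` against a baseline report stored from the default branch, failing the job when the returned list is non-empty.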

@deshmukhmayur deshmukhmayur left a comment

Member


See my previous AI review comment^
