
Commit 82cd5a4

committed
fix(deps): resolve npm audit vulnerabilities
Run npm audit fix to address lodash code injection/prototype pollution, path-to-regexp ReDoS, and socket.io-parser unbounded attachments. Remaining pm2 ReDoS has no fix available upstream.
1 parent ad012e5 commit 82cd5a4

2 files changed

Lines changed: 10 additions & 10 deletions


PLAN.md

Lines changed: 1 addition & 1 deletion
@@ -408,7 +408,7 @@ Summary: 105 findings across 60+ files. 1 shared utility to extract (SSE Manager
408408

409409
### Security & Secrets
410410
- [x] ~~[CRITICAL] server/src/index.ts — Server binds to 0.0.0.0. Fix: bind to localhost, configurable via env.~~ (Fixed: defaults to localhost)
411-
- [ ] **[CRITICAL]** `package.json` — npm audit: form-data, react-router, qs, pm2 vulnerabilities. Fix: npm audit fix. (Medium)
411+
- [x] ~~**[CRITICAL]** `package.json` — npm audit: form-data, react-router, qs, pm2 vulnerabilities. Fix: npm audit fix.~~ (Fixed: npm audit fix resolved lodash, path-to-regexp, socket.io-parser; remaining pm2 ReDoS has no fix available)
412412
- [x] ~~[HIGH] server/src/routes/genealogy-provider.routes.ts — Predictable ID via Date.now(). Fix: use ULID/UUID.~~ (Fixed: crypto.randomUUID())
413413
- [x] ~~[HIGH] server/src/middleware/errorHandler.ts — Stack traces leaked to logs. Fix: sanitize in production.~~ (Fixed: gated by NODE_ENV)
414414
- [x] ~~[HIGH] server/src/routes/browser.routes.ts — FS auth token returned in JSON.~~ (Documented: acceptable for local-only tool with short-lived tokens)
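Review bot: the resolution note on the changed `package.json` line does not account for the packages the original item named. The removed line listed form-data, react-router, qs and pm2; the added note says `npm audit fix` resolved lodash, path-to-regexp and socket.io-parser, leaving form-data, react-router and qs unaddressed in the text. Either state that those three are no longer reported by `npm audit`, or list them as resolved if they were. The `(Medium)` severity tag was also dropped from the item. Marking the item `[x]` while a pm2 ReDoS remains with no upstream fix closes a known open finding; consider keeping a separate unchecked follow-up entry for pm2 (accepted risk, or pin/replace when a fixed release appears) so it is not lost from the checklist. The actual dependency changes are in package-lock.json, which is not rendered here, so the resolved-package list in the note cannot be verified from this view.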

package-lock.json

Lines changed: 9 additions & 9 deletions
