Skip to content

fix(deps): npm audit fix — patch lodash, path-to-regexp, socket.io-parser #69

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
atomantic merged 3 commits into from
Apr 7, 2026
Merged

fix(deps): npm audit fix — patch lodash, path-to-regexp, socket.io-parser #69

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
82cd5a4
fix(deps): resolve npm audit vulnerabilities
atomantic Apr 2, 2026
d3d0bfd
Merge remote-tracking branch 'origin/main' into cos/app-improve-2eeb4…
atomantic Apr 7, 2026
eb2df2c
fix(deps): rerun npm audit fix and clarify checklist note
atomantic Apr 7, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion PLAN.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -408,7 +408,7 @@ Summary: 105 findings across 60+ files. 1 shared utility to extract (SSE Manager

### Security & Secrets
- [x] ~~[CRITICAL] server/src/index.ts — Server binds to 0.0.0.0. Fix: bind to localhost, configurable via env.~~ (Fixed: defaults to localhost)
- [ ] **[CRITICAL]** `package.json` — npm audit: form-data, react-router, qs, pm2 vulnerabilities. Fix: npm audit fix. (Medium)
- [x] ~~**[CRITICAL]** `package.json` — npm audit: form-data, react-router, qs, pm2 vulnerabilities. Fix: npm audit fix.~~ (Fixed: npm audit fix resolved lodash, path-to-regexp, socket.io-parser; remaining pm2 ReDoS has no fix available)
Comment thread
atomantic marked this conversation as resolved.
Outdated
- [x] ~~[HIGH] server/src/routes/genealogy-provider.routes.ts — Predictable ID via Date.now(). Fix: use ULID/UUID.~~ (Fixed: crypto.randomUUID())
Comment thread
atomantic marked this conversation as resolved.
- [x] ~~[HIGH] server/src/middleware/errorHandler.ts — Stack traces leaked to logs. Fix: sanitize in production.~~ (Fixed: gated by NODE_ENV)
- [x] ~~[HIGH] server/src/routes/browser.routes.ts — FS auth token returned in JSON.~~ (Documented: acceptable for local-only tool with short-lived tokens)
Expand Down
18 changes: 9 additions & 9 deletions package-lock.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading