Skip to content

fix(deps): npm audit fix — clear hono + js-yaml production advisories#128

Open
chitcommit wants to merge 2 commits into
mainfrom
claude/deps-audit-fix
Open

fix(deps): npm audit fix — clear hono + js-yaml production advisories#128
chitcommit wants to merge 2 commits into
mainfrom
claude/deps-audit-fix

Conversation

@chitcommit

Copy link
Copy Markdown
Contributor

What

npm audit fix to clear production-dependency advisories. package-lock.json only — package.json is unchanged.

Why

Newly-published advisories landed on production deps and are now failing both audit gates (both run production-scoped --omit=dev, so this is real shipped-code risk, not dev tooling):

Package Severity Advisories
hono ≤4.12.24 HIGH path traversal in serve-static (encoded %5C); CORS middleware reflects any Origin with credentials under wildcard; body-limit bypass on Lambda; Set-Cookie merging; repeated-header dropping
js-yaml ≤4.1.1 moderate quadratic-complexity DoS in merge-key handling

hono is the core framework shipped to the Worker, so the CORS-with-credentials and path-traversal items are directly relevant. This also incidentally clears the dev-tree esbuild/ws advisories.

This is the real remediation behind the gate scoping in #124 — and it confirms that gate is working: --omit=dev correctly surfaced a genuine production vuln.

Non-breaking by construction

npm audit fix (no --force) resolved everything within the existing semver ranges, so package.json did not change — only the lockfile. No major upgrades.

Verification

$ npm audit --audit-level=high            # full tree
found 0 vulnerabilities
$ npm audit --audit-level=high --omit=dev # production tree (both CI gates)
found 0 vulnerabilities
$ npm run typecheck                       # tsc --noEmit
exit 0

The full vitest suite runs in CI (its globalSetup applies migrations against a live DATABASE_URL), so it was not run in this sandbox.

Unblocks

This clears the build and gates / dependency-audit failures currently red on main and on the docs PR #127. Once this merges, #127 will be rebased to go green.

https://claude.ai/code/session_01886crB52Jw3LWiqPh33WUM


Generated by Claude Code

Newly-published advisories landed on production dependencies, failing both
the build-job audit and the reusable governance dependency-audit gate (both
run production-scoped --omit=dev):

- hono <=4.12.24 (HIGH): path traversal in serve-static via encoded backslash;
  CORS middleware reflecting any Origin with credentials under wildcard; body
  limit bypass on Lambda; Set-Cookie merging; repeated-header dropping.
- js-yaml <=4.1.1 (moderate): quadratic-complexity DoS in merge-key handling.

`npm audit fix` resolves all of them within the existing semver ranges, so
package.json is unchanged — this is a package-lock.json-only update (also
clears the dev-tree esbuild/ws advisories). Non-breaking by construction.

Verified: `npm audit --audit-level=high` (full + --omit=dev) => found 0
vulnerabilities; `npm run typecheck` passes. Full vitest suite runs in CI
(needs a live DATABASE_URL via globalSetup), not locally.
@github-actions

Copy link
Copy Markdown
  1. @coderabbitai review
  2. @copilot review
  3. @codex review
  4. @claude review
    Adversarial review request: evaluate security, policy bypass paths, regression risk, and merge-gating bypass attempts.

@coderabbitai

coderabbitai Bot commented Jun 28, 2026

Copy link
Copy Markdown
Contributor

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 589ed1c4-bcf8-4f3e-8114-e07cd6b51509

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/deps-audit-fix

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jun 28, 2026

Copy link
Copy Markdown

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Updated (UTC)
✅ Deployment successful!
View logs
chittycommand 8398a19 Jun 28 2026, 09:14 AM

@chatgpt-codex-connector

Copy link
Copy Markdown

To use Codex here, create a Codex account and connect to github.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: dd15fa85e0

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread package-lock.json
…-22 bump

Review (Codex P2): the prior `npm audit fix` resolved wrangler 4.73.0 -> 4.105.0,
which declares `node >=22`, while CI provisions Node 20. There is no engine-strict
config so CI stayed green, but shipping a Node-22 wrangler requirement via a
security PR is unnecessary scope creep — wrangler is a dev dependency and is
already scoped out of both audit gates by `--omit=dev`.

Re-scope the lockfile to the production vulnerabilities only:
- hono 4.12.23 -> 4.12.27 (clears the HIGH serve-static / CORS advisories)
- js-yaml updated within range (clears the moderate DoS)
- wrangler stays 4.73.0 (node >=20), matching CI.

The dev-tree esbuild/ws advisories remain but never ship and are excluded by the
production-scoped gate. Verified: `npm ci` + `npm run typecheck` pass; `npm audit
--audit-level=high --omit=dev` => found 0 vulnerabilities; wrangler 4.73.0 runs.
package.json unchanged.
@github-actions

Copy link
Copy Markdown
  1. @coderabbitai review
  2. @copilot review
  3. @codex review
  4. @claude review
    Adversarial review request: evaluate security, policy bypass paths, regression risk, and merge-gating bypass attempts.

@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

@chatgpt-codex-connector

Copy link
Copy Markdown

To use Codex here, create a Codex account and connect to github.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants