security: remediate remaining 2 YAML-DoS Dependabot alerts (dismiss vs override)

[williamzujkowski]

Context

After merging #190 + #192, open Dependabot alerts dropped 16 → 9. Triage of the remaining 9 against this project's real surface (Astro SSG / static web app, Linux CI/prod, Node 24):

ACTION-NEEDED (runtime, real)

• astro 6.3.1 → 6.4.6 — closes 3 alerts at once (HIGH Host-header SSRF fix: @types/node v25 mismatches Node 22 LTS — use @types/node@22 #26, HIGH Reflected-XSS-via-slot-name bug: Path traversal risk in pipeline orchestrate.ts #25, MED unescaped-spread-attr-names bug: Annotator timestamp uses locale string parsing — produces wrong/NaN dates #27). All three are largely theoretical for a pure SSG deploy with no SSR server, but the bump is in-range under the existing "astro": "^6.3.1" in apps/web/package.json, so do it anyway: pnpm update astro --filter @civic-source/web.

LOW-RISK (dev-only / Windows-only — defer or override)

All of the following are dev-tooling and/or Windows-only; prod is Linux static output, so real exposure is low:

• vite server.fs.deny bypass bug: Annotation output path/format wrong — should be /annotations/*.yaml not *.annotations.json #24 (labeled HIGH but Windows + dev-server only) → override vite >=7.3.5 <8
• vite launch-editor NTLM disclosure bug: Hardcoded UTC-4 offset in markdown-generator — wrong during EST #28 (Windows + dev) → same override
• esbuild arbitrary file read chore: DRY timezone constant — 4 packages each declare TIMEZONE #22 (Windows dev server, transitive) → override esbuild >=0.28.1 (may dedupe after vite/astro bump)
• js-yaml quadratic DoS fix: Add missing tsconfig strict options per coding standards #29 (dev tooling) → override js-yaml >=4.2.0
• yaml stack-overflow Epic 4: Bulk conversion + Git automation pipeline #1 (pulled only by yaml-language-server behind astro check) → root already has a yaml override; needs lockfile refresh / widened range to cover the language-server path

Plan

1. Bump astro to 6.4.6 (closes all runtime alerts). ← priority
2. pnpm install to re-apply the existing yaml override and let esbuild/vite dedupe.
3. Optional: add pnpm.overrides for vite/esbuild/js-yaml to clear the noisy dev/Windows alerts.

After steps 1–2, all runtime alerts are resolved; only genuinely-low-risk Linux-irrelevant dev alerts would remain.

[williamzujkowski]

Update: after the astro 6.4.8 bump (#197) and the devalue cascade, this is down from 9 to 5 open alerts — all dev/Windows-only (esbuild, js-yaml, vite, yaml) with no real exposure on this Linux/SSG project. Remaining decision is unchanged: dismiss-with-reason vs. override. No runtime alerts remain.

[williamzujkowski]

Update — the Astro 7 upgrade (#218) cleared 3 of the 5 remaining alerts as a side effect: vite→8.1.0 (closes the two dev/Windows-only vite alerts #24/#28) and esbuild→0.28.1 (closes #22), all now outside their vulnerable ranges.

Down to 2, both YAML-parsing DoS:

• js-yaml (medium, dev scope) — quadratic-complexity DoS in merge-key handling. Dev tooling only (lint/config); never ships.
• yaml (medium, runtime scope) — stack overflow via deeply nested YAML. Note: the root already has yaml@>=2.0.0 <2.8.3 → >=2.8.3 but this advisory's range may differ / the override may not cover the resolved path — worth re-checking after this merge's Dependabot rescan (the chore(deps): upgrade to Astro 7 (+ Svelte 9 integration, Vite 8) #218 lockfile change may shift it).

Neither parses attacker-controlled YAML in this project (config + the project's own annotation output), so real exposure is low. Decision unchanged: dismiss-with-reason vs. override (js-yaml >=4.2.0; widen/verify the yaml override). No further runtime web-framework alerts remain.

[williamzujkowski]

Investigation note on the remaining yaml alert: the vulnerable yaml@2.7.1 is pulled solely by yaml-language-server@1.20.0 (a transitive dep of @astrojs/check, used only by astro check). The existing root override yaml@>=2.0.0 <2.8.3 → >=2.8.3 does not catch this path — I empirically confirmed even a clean single-comparator override (yaml@<2.8.3) leaves yaml@2.7.1 in the lockfile (pnpm doesn't re-resolve that sticky subtree on an override-only change; it'd need --force/dedupe, and yaml-language-server may pin it tightly).

Real exposure is nil: it's dev-only and parses the developer's own YAML during type-checking, never attacker input. Recommendation for this one: dismiss as "vulnerable code not in a reachable/exploitable path" rather than fight pnpm to force a dev transitive — forcing it risks breaking astro check for no security gain. (js-yaml is similarly dev-only — same disposition.)