Skip to content

Dependency & Actions audit - 2026-07-06 #91

Description

@krakenhavoc

GitHub Actions Deprecation

NONE — all pinned actions (actions/checkout@v6, actions/setup-node@v6 with node-version: 24, actions/upload-artifact@v6, docker/login-action@v4, docker/setup-buildx-action@v4, docker/metadata-action@v6, docker/build-push-action@v7, peter-evans/repository-dispatch@v4) already run on the Node24 runtime, ahead of GitHub's Node20 phase-out (default Node24 since June 2, 2026, full removal September 16, 2026). Minor housekeeping note: actions/checkout@v6 and actions/upload-artifact@v6 are one major behind the newest v7, but neither is urgent since both already run Node24.

npm Dependencies

npm audit against the committed lockfiles in backend/, frontend/, and shared/ found real, currently-installed advisories on direct dependencies:

backend/package.json

  • nodemailer@^8.0.1 (locked at 8.0.1) — high-severity SSRF/arbitrary-file-read via the raw message option (GHSA-p6gq-j5cr-w38f), plus SMTP/CRLF injection issues. Fix requires a major bump to 9.0.3+ (the fix is outside the current ^8.0.1 range).
  • typeorm@^0.3.28 (locked at 0.3.28, the top of the vulnerable range) — SQL injection in UpdateQueryBuilder/SoftDeleteQueryBuilder.orderBy() on MySQL/MariaDB (GHSA-9ggv-8w38-r7pm). Fix: bump to 0.3.29/0.3.30.
  • @nestjs/core locked at 11.1.14 (vulnerable range ≤11.1.17) — moderate injection issue; a lockfile refresh to 11.1.27+ resolves it without a major bump.
  • Several transitive advisories (handlebars — critical AST-type-confusion JS injection, plus node-forge, multer, fast-xml-parser, lodash) also clear once the lockfile is refreshed.

frontend/package.json

  • react-router-dom@^7.13.1 (locked at 7.13.1) — GHSA-49rj-9fvp-4h2h, unauthenticated RCE via turbo-stream deserialization, plus XSS/CSRF/open-redirect advisories, all fixed at 7.15.1+. Fix: bump to 7.18.1.
  • axios@^1.13.6 (locked at 1.13.6) — prototype-pollution → credential/response hijacking, NO_PROXY SSRF bypass, and ReDoS advisories, fixed at 1.16.0+. Fix: bump to 1.18.1.
  • vitest/@vitest/ui@4.0.18 — critical: arbitrary file read/execute while the Vitest UI server is listening. Fix: bump to 4.1.9.
  • vite@7.3.1 (transitive via vitest) — dev-server file-read / server.fs.deny bypass, fixed at 7.3.4+.

2+ major versions behind latest (registry check):

Package Location Pinned Latest
jsdom frontend (devDep) ^25.0.1 29.1.1
@types/node backend (devDep) ^22.10.7 26.1.0
@types/node frontend (devDep) ^24.10.1 26.1.0
stripe backend ^20.4.1 22.3.0

Recommend prioritizing nodemailer, typeorm, react-router-dom, axios, and vitest/@vitest/ui first since they're direct production/test-runtime dependencies with confirmed advisories; most of the rest clears with a lockfile refresh alone.

Go Module CVEs

NONE — no go.mod in this repo (Node/TypeScript monorepo).

Terraform Providers

NONE — no *.tf files in this repo (infra is delegated to infra-int via repository_dispatch).

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions