[fix] Resolved vulnerabilities via selective resolutions

[prathmeshkulkarni-coder]

Performs a security audit and hardening of the dependency tree.

Resolved 58 issues through selective resolutions of:

• serialize-javascript (upgraded to ^7.0.3 to fix RCE)
• form-data (upgraded to ^2.5.4)
• tough-cookie (upgraded to ^4.1.3)
• qs (upgraded to ^6.14.1)
• minimatch (upgraded to ^3.0.5)

The remaining moderate issue in 'request' is documented as unpatchable due to library deprecation.

Checklist

• I have read the OpenWISP Contributing Guidelines.
• I have manually tested the changes proposed in this pull request.
• I have written new test cases for new code and/or updated existing tests for changes to existing code.
• I have updated the documentation.

Reference to Existing Issue

Closes #514 .

Description of Changes

This PR implements selective resolutions in package.json to mitigate 59 out of 60 identified vulnerabilities, effectively removing all Critical and High-severity risks.

Key Technical Updates:

Critical RCE Fix: Upgraded serialize-javascript to ^7.0.3 to patch a high-severity Remote Code Execution (RCE) vulnerability.

Dependency Hardening: Forced secure versions for the following sub-dependencies:

form-data (>=2.5.4)

tough-cookie (>=4.1.3)

qs (>=6.14.1)

minimatch (>=3.0.5)

Accepted Risk: One moderate vulnerability remains in the request package. This is a known legacy issue as the library is deprecated and no upstream patch is available.

Screenshot

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 772d4cc4-e1b2-4f36-a37e-6636967081c6

📥 Commits

Reviewing files that changed from the base of the PR and between 0f3f8cb and 6b69987.

⛔ Files ignored due to path filters (1)

• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (1)

• package.json

📜 Recent review details

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{js,ts,css,scss,json}

📄 CodeRabbit inference engine (AGENTS.md)

Format code using openwisp-qa-format command with Python virtualenv enabled and yarn lint:fix (runs eslint --fix and prettier via lint-staged)

Files:

• package.json

🧠 Learnings (4)

📓 Common learnings

Learnt from: nemesifier
Repo: openwisp/netjsongraph.js PR: 0
File: :0-0
Timestamp: 2026-02-06T16:33:48.468Z
Learning: In the openwisp/netjsongraph.js project, prioritize pragmatic reviews that focus on critical matters with real user impact (functionality, performance, security, maintainability) over minor code quality details that require significant effort for no noticeable benefit. Avoid perfectionist suggestions when tests pass and functionality is correct.

📚 Learning: 2026-01-20T16:51:06.213Z

Learnt from: codesankalp
Repo: openwisp/netjsongraph.js PR: 425
File: src/js/netjsongraph.render.js:1-26
Timestamp: 2026-01-20T16:51:06.213Z
Learning: In the netjsongraph.js project, imports from `echarts/lib/chart/*/install`, `echarts/lib/component/*/install`, and `echarts/lib/renderer/install*` paths produce better tree-shaking results than the public entry points (`echarts/charts`, `echarts/components`, `echarts/renderers`) in their webpack configuration. The project maintainer has tested both approaches and confirmed the `/lib/*/install` pattern yields smaller bundles.

Applied to files:

• package.json

📚 Learning: 2026-01-22T22:37:11.271Z

Learnt from: CR
Repo: openwisp/netjsongraph.js PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-22T22:37:11.271Z
Learning: Applies to test/netjsongraph.browser.test.js : Write browser tests in test/netjsongraph.browser.test.js using Chrome/ChromeDriver and run with `yarn test test/netjsongraph.browser.test.js`

Applied to files:

• package.json

📚 Learning: 2026-01-22T22:37:11.271Z

Learnt from: CR
Repo: openwisp/netjsongraph.js PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-22T22:37:11.271Z
Learning: Applies to **/*.test.{js,ts} : Write unit tests using Jest with jsdom and run with `yarn test`

Applied to files:

• package.json

🔇 Additional comments (2)

package.json (2)

4-4: The repository's git history is insufficient to verify the core claim: that a hashed packageManager value was previously present and was removed in this commit. The current state shows "packageManager": "yarn@1.22.22" without a hash, but since no parent commit is available for comparison, the premise that a hash existed and was intentionally removed cannot be confirmed.

The review comment itself acknowledges this uncertainty ("If the previous packageManager value really included..."). Without access to prior commits, this verification claim cannot be resolved. Additionally, the serialize-javascript@7.0.3 dependency requires Node >=20.0.0; ensure the project's supported Node version is >=20.

---

14-14: No action required—Node.js version compatibility is already satisfied.

The repo's .nvmrc specifies lts/krypton (Node.js 24.x), which exceeds serialize-javascript v7's Node.js ≥20 requirement. The yarn.lock correctly resolves the ^7.0.3 override to v7.0.4.

---

📝 Walkthrough

Walkthrough

Added a top-level packageManager property set to yarn@1.22.22, introduced a top-level resolutions object pinning transitive dependencies (serialize-javascript: ^7.0.3, tough-cookie: ^4.1.3, form-data: ^2.5.4, qs: ^6.14.1, minimatch: ^3.0.5), and removed a duplicate trailing root-level packageManager entry. No other files or runtime code were changed.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title '[fix] Resolved vulnerabilities via selective resolutions' directly summarizes the main change—addressing security vulnerabilities through selective package.json resolutions.
Description check	✅ Passed	The description includes all required template sections: completed checklist, reference to issue #514, detailed technical changes, and a screenshot of audit results.
Linked Issues check	✅ Passed	The PR successfully resolves linked issue #514 by implementing selective resolutions to eliminate Critical and High-severity vulnerabilities, upgrading serialize-javascript (RCE fix), form-data, tough-cookie, qs, and minimatch.
Out of Scope Changes check	✅ Passed	All changes are in-scope—package.json modifications add packageManager specification and selective resolutions to address security vulnerabilities as required by issue #514.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[nemesifier]

The packageManager var here is not being added as in openwisp/openwisp-wifi-login-pages@6fbdc13, why?

[prathmeshkulkarni-coder]

@nemesifier ,
I didn't want to touch the packageManager field lightly since it already had a secure SHA512 hash. However, for the sake of consistency with openwisp-wifi-login-pages, I have now simplified it to "packageManager": "yarn@1.22.22" and moved it to the top of the file so it's clearly visible. This aligns this repo with the organization's standard.

[nemesifier]

Looks good, will do a round of testing asap to confirm and eventually merge, thanks! 🙏

[prathmeshkulkarni-coder]

Hi @nemesifier , I found 70 more vulnerabilities it's about package named picomatch . I solved them but i am not sure about committing them into this PR