
fix: patch security vulnerabilities in dependencies#905

Merged
gibiw merged 1 commit into main from fix/security-vulnerability-overrides
Mar 4, 2026

Conversation

@gibiw
Contributor

@gibiw gibiw commented Mar 4, 2026

Summary

  • Add npm overrides for rollup (→ 4.59.0) and lodash (→ 4.17.23) to fix known CVEs
  • Update cypress to ^15.11.0 in examples (fixes systeminformation command injection)
  • Update mocha to ^11.7.5 in examples and qase-cypress devDependencies
  • Update testcafe to ^3.7.4 and newman to ^6.2.2 in examples
  • Regenerate package-lock.json

Resolved vulnerabilities

| Package | Severity | CVE/Advisory |
| --- | --- | --- |
| ajv | moderate | GHSA-2g4f-4pwh-qvx6 |
| rollup | high | GHSA-mw96-cpmx-2vgc |
| lodash | moderate | GHSA-xxjr-mmjv-4gpg |
| systeminformation | high | GHSA-wphj-fx3q-84ch |
| minimatch 5.x | high | GHSA-3ppc-4f35-3m26 |
| diff 4.x/5.x | high | GHSA-73rr-hh4g-fpgx |

No user impact

All changes are in devDependencies, npm overrides (root is private: true), and examples — none of the published packages' dependencies or peerDependencies were modified.

Remaining (unfixable without upstream releases)

  • diff 7.x / serialize-javascript — waiting for mocha fix
  • jose, node-forge, qs — waiting for newman fix
  • underscore — testcafe-hammerhead / newman transitive dep
  • tar-fs, ws, tmp, minimatch 3.x — requires @wdio 9.x upgrade

Test plan

  • All core package tests pass (npm test --workspaces)
  • Build succeeds (npm run build --workspaces)
  • Verify Dependabot alerts are reduced on GitHub

- Add npm overrides for rollup (4.59.0) and lodash (4.17.23)
- Update cypress to ^15.11.0 in examples (fixes systeminformation CVE)
- Update mocha to ^11.7.5 in examples and qase-cypress devDeps
- Update testcafe to ^3.7.4 in examples
- Update newman to ^6.2.2 in examples
- Regenerate package-lock.json

Resolves: ajv ReDoS, rollup path traversal, lodash prototype pollution,
systeminformation command injection, minimatch 5.x ReDoS, diff 4.x/5.x DoS.
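Added verification script (not part of this PR or the project's own code): an npm override only helps if the regenerated package-lock.json contains no copy of the package below the pinned version, so this walks the lockfile v2/v3 "packages" map and reports every installed copy of rollup or lodash that is still older than the override. The lockfile fragment inside it is constructed for illustration, and versions are compared numerically with pre-release tags ignored (an assumption, not full semver).

```javascript
// Minimum versions taken from the PR's npm overrides.
const minimums = { rollup: "4.59.0", lodash: "4.17.23" };

// Constructed sample lockfile (not the project's real package-lock.json).
// The nested lodash copy is the kind of stale entry a regenerated lockfile
// with working overrides should no longer contain.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "root", overrides: minimums },
    "node_modules/rollup": { version: "4.59.0" },
    "node_modules/lodash": { version: "4.17.23" },
    "node_modules/some-plugin/node_modules/lodash": { version: "4.17.21" },
  },
};

// Numeric compare of major.minor.patch; pre-release suffixes are dropped
// (assumption: good enough for the release versions involved here).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Lockfile keys look like "node_modules/a/node_modules/@scope/b"; the package
// name is everything after the last "node_modules/" segment.
function packageName(lockPath) {
  const marker = "node_modules/";
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Returns every installed copy whose version is below its required minimum.
function findStaleOverrides(lock, mins) {
  const stale = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (!lockPath || !entry.version) continue; // skip the root "" entry
    const name = packageName(lockPath);
    if (name in mins && compareVersions(entry.version, mins[name]) < 0) {
      stale.push({ path: lockPath, name, version: entry.version, required: mins[name] });
    }
  }
  return stale;
}

console.log(findStaleOverrides(sampleLock, minimums));
```

To run it against a real lockfile, replace `sampleLock` with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; an empty result means every installed copy satisfies the overrides.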
@gibiw gibiw changed the base branch from master to main March 4, 2026 16:26
@gibiw gibiw merged commit 863f8a5 into main Mar 4, 2026
25 checks passed
@gibiw gibiw deleted the fix/security-vulnerability-overrides branch March 4, 2026 16:27