
fix(deps): npm audit fix package-lock deps, bump @sasjs- adapter 4.16.6, core 4.64.0, utils 3.5.6 and /cli 4.16.0 #421

Closed
tmoody wants to merge 5 commits into main from fix_deps_20260429


Conversation

@tmoody
Member

@tmoody tmoody commented Apr 29, 2026

Issue

  • (1) CVEs causing npm audit --omit=dev to return non-zero.
$ npm audit --omit=dev
# npm audit report

@remix-run/router  <=1.23.1
Severity: high
React Router vulnerable to XSS via Open Redirects - https://github.com/advisories/GHSA-2w69-qvjg-hvjx
fix available via `npm audit fix`
node_modules/@remix-run/router
  react-router  6.0.0 - 6.30.2
  Depends on vulnerable versions of @remix-run/router
  node_modules/react-router
    react-router-dom  6.0.0-alpha.0 - 6.30.2
    Depends on vulnerable versions of @remix-run/router
    Depends on vulnerable versions of react-router
    node_modules/react-router-dom

axios  1.0.0 - 1.14.0
Severity: high
Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig - https://github.com/advisories/GHSA-43fc-jf86-j433
Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF - https://github.com/advisories/GHSA-3p68-rc4w-qgx5
Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain - https://github.com/advisories/GHSA-fvcv-3m26-pcqx
fix available via `npm audit fix`
node_modules/axios
  @sasjs/adapter  4.11.3 - 4.16.2
  Depends on vulnerable versions of axios
  node_modules/@sasjs/adapter

follow-redirects  <=1.15.11
Severity: moderate
follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets - https://github.com/advisories/GHSA-r4q5-vmmm-2653
fix available via `npm audit fix`
node_modules/follow-redirects

yaml  1.0.0 - 1.10.2
Severity: moderate
yaml is vulnerable to Stack Overflow via deeply nested YAML collections - https://github.com/advisories/GHSA-48c2-rrv3-qjmp
fix available via `npm audit fix`
node_modules/yaml

7 vulnerabilities (2 moderate, 5 high)

To address all issues, run:
  npm audit fix
  • (2) Several @sasjs/* packages needed bumping

Implementation

  • (1) npm audit fix
  • (2a) package.json dependencies updated for:
      @sasjs/adapter
      @sasjs/utils
      @sasjs/core
  • (2b) package.json dev-dependency updated for:
      @sasjs/cli

Checks

$ npm audit --omit=dev
found 0 vulnerabilities

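As an added example (not code from this PR or the @sasjs project), the Node script below triages an `npm audit --json` report the way the Implementation section above splits its work: findings `npm audit fix` resolves inside the lock file versus ones that need a package.json bump of a top-level dependency such as @sasjs/adapter. The report shape follows npm's audit report v2 as assumed here, the sample values are constructed from the report quoted in the PR, and the `triage.js` file name is assumed.

```javascript
// Constructed sample shaped like npm's audit report v2 (shape assumed), with
// values taken from the report quoted in this PR; not a real capture.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    axios: {
      name: "axios", severity: "high", isDirect: false, fixAvailable: true,
      via: [{ name: "axios", severity: "high", range: "1.0.0 - 1.14.0",
              url: "https://github.com/advisories/GHSA-43fc-jf86-j433" }],
      effects: ["@sasjs/adapter"], range: "1.0.0 - 1.14.0",
    },
    "@sasjs/adapter": {
      name: "@sasjs/adapter", severity: "high", isDirect: true,
      via: ["axios"], effects: [], range: "4.11.3 - 4.16.2",
      fixAvailable: { name: "@sasjs/adapter", version: "4.16.6", isSemVerMajor: false },
    },
    yaml: {
      name: "yaml", severity: "moderate", isDirect: false, fixAvailable: true,
      via: [{ name: "yaml", severity: "moderate", range: "1.0.0 - 1.10.2" }],
      effects: [], range: "1.0.0 - 1.10.2",
    },
  },
};

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };
// Split findings at or above `threshold` by remediation: `lockfileOnly` when
// fixAvailable === true (a plain `npm audit fix` within declared ranges) versus
// `needsBump` when it is an object naming the top-level dep and target version.
function triageAudit(report, threshold = "high") {
  const min = SEVERITY_RANK[threshold];
  const out = { blocking: [], lockfileOnly: [], needsBump: [] };
  for (const v of Object.values(report.vulnerabilities)) {
    if ((SEVERITY_RANK[v.severity] ?? 0) < min) continue;
    out.blocking.push(v.name);
    if (v.fixAvailable === true) out.lockfileOnly.push(v.name);
    else if (v.fixAvailable && typeof v.fixAvailable === "object")
      out.needsBump.push(`${v.fixAvailable.name}@${v.fixAvailable.version}`);
  }
  return out;
}

// CLI gate like the PR's check: `npm audit --omit=dev --json > audit.json; node triage.js audit.json`
// exits non-zero while findings at the threshold remain; with no argument it triages the sample.
if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const report = file ? JSON.parse(require("node:fs").readFileSync(file, "utf8")) : SAMPLE_REPORT;
  const result = triageAudit(report);
  console.log(JSON.stringify(result, null, 2));
  if (file) process.exitCode = result.blocking.length ? 1 : 0;
}
```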
….6, core 4.64.0, utils 3.5.6 and /cli 4.16.0
@tmoody tmoody self-assigned this Apr 29, 2026
@tmoody tmoody closed this Apr 29, 2026
@tmoody
Member Author

tmoody commented Apr 29, 2026

Closed without merge. Did not gracefully include PR420 and raised persistent merge conflicts.
