
Remove dependency audit advisories #116

Merged: simongonzalezdc merged 1 commit into main from dependency-audit-remediation-20260514 on May 14, 2026

Conversation

@simongonzalezdc (Member) commented May 14, 2026

Pull Request

Empower Orchestrator checklist

  • I checked whether this PR reveals a repeatable task or recurring agent failure.
  • If it does, I either shipped the smallest durable improvement or documented why not.
  • Any automation or durable system change included the scale/severity/reversibility/predictability blast-radius check.
  • Workers/subagents stayed inside their assigned scope and verification evidence is included before completion claims.

Summary

  • Add npm overrides for the vulnerable transitive packages currently pulled by Expo and Prisma.
  • Refresh the lockfile narrowly so npm audit no longer reports GHSA-92pp-h63x-v22m or the PostCSS advisory.
  • Avoid npm audit fix --force because it proposes a Prisma major-line downgrade.

Verification

  • npm ci
  • npm audit --audit-level=moderate
  • npm audit --audit-level=high
  • npm run typecheck --workspaces --if-present
  • npm run lint --workspaces --if-present
  • npm run build --workspace=packages/shared
  • DATABASE_URL=postgresql://test:test@localhost:55432/innerscape_test JWT_SECRET=ci-test-secret-do-not-use-in-production npx prisma generate
  • DATABASE_URL=postgresql://test:test@localhost:55432/innerscape_test JWT_SECRET=ci-test-secret-do-not-use-in-production npx prisma db push
  • DATABASE_URL=postgresql://test:test@localhost:55432/innerscape_test JWT_SECRET=ci-test-secret-do-not-use-in-production npm test --workspace=apps/backend

Notes

  • apps/mobile still has a test script that invokes jest without declaring jest; CI only runs mobile typecheck, so mobile jest was not used as a completion gate.

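The Summary above relies on two things holding at once: the npm overrides must reach every resolved copy of the pinned packages, including copies nested under another dependency, and the versions that result must sit outside the advisory ranges. The script below is an added example, not code from this PR or the repository, that checks both conditions directly from package.json and package-lock.json (lockfileVersion 2 or 3). Every package name, version, advisory id and range in it is constructed for the example; none of them describe the repository's real dependency graph or the advisories named in the Summary.

```javascript
// Added example, not part of the PR or the repository: checks that package.json
// "overrides" actually reached every resolved copy of a package in
// package-lock.json (lockfileVersion 2 or 3) and that none of those copies is
// still inside an advisory's vulnerable range. All package names, versions,
// advisory ids and ranges below are constructed for the example.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Minimal range matcher for the comparator forms that overrides and advisories
// commonly use: exact versions, >=, >, <, <=, ^ and ~, joined by spaces (AND)
// and "||" (OR). Anything it cannot parse counts as NOT satisfied, so a typo in
// a range surfaces as a finding instead of silently passing.
function satisfies(version, range) {
  const ver = parseVersion(version);
  if (!ver) return false;
  return String(range).split('||').some((alt) =>
    alt.trim().split(/\s+/).every((token) => {
      const m = /^(>=|<=|>|<|\^|~|=)?(.+)$/.exec(token);
      const bound = m && parseVersion(m[2]);
      if (!bound) return false;
      const op = m[1] || '=';
      const c = cmp(ver, bound);
      if (op === '=') return c === 0;
      if (op === '>') return c > 0;
      if (op === '>=') return c >= 0;
      if (op === '<') return c < 0;
      if (op === '<=') return c <= 0;
      if (op === '~') return c >= 0 && cmp(ver, [bound[0], bound[1] + 1, 0]) < 0;
      // ^x.y.z: anything that keeps the leftmost non-zero component unchanged
      const upper = bound[0] > 0 ? [bound[0] + 1, 0, 0]
        : bound[1] > 0 ? [0, bound[1] + 1, 0] : [0, 0, bound[2] + 1];
      return c >= 0 && cmp(ver, upper) < 0;
    }));
}

// Lockfile keys look like "node_modules/a/node_modules/b"; the package name is
// whatever follows the last "node_modules/". The root entry ("") is skipped.
function packageName(key) {
  const i = key.lastIndexOf('node_modules/');
  return i === -1 ? null : key.slice(i + 'node_modules/'.length);
}

function checkOverrides(pkgJson, lockJson, advisories) {
  const overrides = pkgJson.overrides || {};
  const findings = [];
  for (const [key, entry] of Object.entries(lockJson.packages || {})) {
    const name = packageName(key);
    if (!name || !entry.version) continue;
    // Only string-valued overrides are checked; nested override objects are out of scope here.
    if (typeof overrides[name] === 'string' && !satisfies(entry.version, overrides[name])) {
      findings.push({ path: key, name, version: entry.version, issue: 'override-not-applied', expected: overrides[name] });
    }
    for (const adv of advisories) {
      if (adv.name === name && satisfies(entry.version, adv.vulnerable)) {
        findings.push({ path: key, name, version: entry.version, issue: 'vulnerable', advisory: adv.id });
      }
    }
  }
  return findings;
}

// Constructed sample input: one nested copy of example-transitive that the
// override did not reach (the situation a narrow lockfile refresh must fix).
const SAMPLE_PACKAGE_JSON = {
  name: 'example-workspace',
  overrides: { 'example-css-parser': '>=8.4.31', 'example-transitive': '^2.1.4' },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-workspace' },
    'node_modules/example-css-parser': { version: '8.4.31' },
    'node_modules/example-transitive': { version: '2.1.4' },
    'node_modules/example-framework/node_modules/example-transitive': { version: '2.0.9' },
  },
};
const SAMPLE_ADVISORIES = [
  { id: 'GHSA-example-1', name: 'example-css-parser', vulnerable: '<8.4.31' },
  { id: 'GHSA-example-2', name: 'example-transitive', vulnerable: '>=2.0.0 <2.1.4' },
];

function runSample() {
  return checkOverrides(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK, SAMPLE_ADVISORIES);
}

// Usage on real files (hypothetical filename): node check-overrides.js package.json package-lock.json advisories.json
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const [pkg, lock, adv] = process.argv.slice(2).map((p) => JSON.parse(fs.readFileSync(p, 'utf8')));
  const findings = pkg && lock ? checkOverrides(pkg, lock, adv || []) : runSample();
  for (const f of findings) console.log(`${f.issue}: ${f.path}@${f.version}`);
  process.exitCode = findings.length ? 1 : 0;
}
```

On the constructed sample the hoisted copies pass and the nested copy at node_modules/example-framework/node_modules/example-transitive is reported twice: once because it ignores the override and once because it is still inside the advisory range. That is the case that makes npm audit keep reporting an advisory after overrides are added but before the lockfile is refreshed, and it is cheap to run as a gate next to npm audit --audit-level=high; npm audit stays the authority for which ranges are vulnerable, this only confirms the overrides took effect everywhere.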

Pin the vulnerable transitive packages through npm overrides because current Expo and Prisma releases still resolve advisory-affected versions while npm audit's suggested Prisma fix crosses major-version boundaries backward.

Constraint: Expo 55 and Prisma 7 remain the active release lines in this repo.
Rejected: npm audit fix --force | would replace Prisma 7 with a semver-major downgrade suggestion.
Confidence: high
Scope-risk: narrow
Directive: Remove these overrides when upstream Expo and Prisma publish fixed dependency graphs.
Tested: npm ci; npm audit --audit-level=moderate; npm audit --audit-level=high; npm run typecheck --workspaces --if-present; npm run lint --workspaces --if-present; npm run build --workspace=packages/shared; backend prisma generate/db push and 131 integration tests against local Postgres 16.
Not-tested: mobile jest script because apps/mobile does not declare jest and CI only runs mobile typecheck.
@simongonzalezdc simongonzalezdc merged commit 30f9fcd into main May 14, 2026
3 checks passed
@simongonzalezdc simongonzalezdc deleted the dependency-audit-remediation-20260514 branch May 14, 2026 04:36