fix(deps): pin vulnerable dev transitives via yarn resolutions#1360
Open
DeepDiver1975 wants to merge 2 commits into
Open
fix(deps): pin vulnerable dev transitives via yarn resolutions#1360DeepDiver1975 wants to merge 2 commits into
DeepDiver1975 wants to merge 2 commits into
Conversation
Adds yarn resolutions forcing patched versions of build-time-only transitive dependencies that carry open Dependabot advisories. These packages live in the gulp/karma build toolchain and are never shipped in the app tarball. Pinned (all have an upstream fix and resolve within their current major): - lodash ^4.18.1 (critical/high/medium: prototype pollution, code/command injection) - minimist ^1.2.8 (critical: prototype pollution) - form-data ^2.5.6 (critical/high: unsafe boundary / predictable value) - braces ^3.0.3 (high: resource exhaustion) - json5 ^2.2.3 (high: prototype pollution) - json-schema ^0.4.0 (critical: prototype pollution) - minimatch ^3.1.3 (high: ReDoS) - merge ^2.1.1 (high: prototype pollution) - qs ^6.15.3 (medium: prototype pollution) - postcss ^8.4.31 (medium: line-return parsing) Verified: `yarn install` resolves cleanly and the full gulp build (babel/uglify/jshint) completes successfully with the pinned versions. Advisories with no upstream fix (babel-traverse, lodash.template, request and its uuid/tough-cookie subtree) and the shipped-but-EOL AngularJS advisories are documented as accepted risks in SECURITY.md rather than force-pinned, since bumping them breaks the build. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
Records the Dependabot advisories that remain open because no upstream fix exists (or applying one breaks the build): - shipped: EOL AngularJS (angular / angular-sanitize <= 1.8.3), no patch will ever be released; migration is out of scope for oc11. - build-only (not shipped): babel-traverse, lodash.template, request, and request's uuid/tough-cookie subtree. Fixable build-time transitives are pinned via resolutions in the same branch. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
dj4oC
approved these changes
Jul 8, 2026
dj4oC
left a comment
Contributor
There was a problem hiding this comment.
Pins several vulnerable transitive dev/build dependencies via yarn resolutions (lodash, minimist, form-data, braces, json5, json-schema, minimatch, merge, qs, postcss) and adds a SECURITY.md section documenting the remaining accepted-risk advisories (EOL AngularJS in shipped code, build-time-only toolchain deps with no upstream fix).
Findings
- Security: no findings — this narrows the vulnerable surface; the accepted-risk writeup for AngularJS/build-tooling advisories that can't be fixed is honest and correctly scoped (verified
angular/angular-sanitizeare shipped runtime deps vs. gulp/karma/phantomjs transitives being build-only, matching the yarn.lock dependency tree in this diff). - Stability: no findings — pure
resolutionspins to non-major-breaking patch versions of these transitives (e.g. postcss 7→8.5.16 is a resolutions-forced override on a^7.0.16range consumer; worth a sanity build/test run to confirm nothing in the CSS toolchain breaks on postcss 8, but CI is green). - Performance: no findings — dev/build dependency changes only, no runtime impact.
- Test coverage: n/a — dependency manifest + docs only, no application code changed.
- TODOs found: none.
- Dependency touched: yes — confirmed in
.github/dependabot.yml(npm ecosystem already covered). - CI status: all 10 checks green.
- Stale review: no.
Verdict
Approved.
🤖 Automated review by Claude Code (security · stability · performance · coverage)
Generated by Claude Code
phil-davis
approved these changes
Jul 8, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Two changes to bring calendar's Dependabot status to "only unfixable advisories remain":
package.json+yarn.lock— addresolutionspinning patched versionsof 10 build-time-only transitive dependencies that carry open advisories.
SECURITY.md— document the advisories that cannot be fixed as acceptedrisks.
Why
The remaining alerts were all in the build/test toolchain (gulp, karma,
babel), not in shipped app code. Where a compatible fix exists, this pins it;
where none exists, it's documented.
Pinned via resolutions (all resolve within their current major)
lodash ^4.18.1,minimist ^1.2.8,form-data ^2.5.6,braces ^3.0.3,json5 ^2.2.3,json-schema ^0.4.0,minimatch ^3.1.3,merge ^2.1.1,qs ^6.15.3,postcss ^8.4.31— covering critical/high prototype-pollution,code/command-injection, ReDoS and related advisories.
Documented as accepted risk (no fix / would break build)
angular/angular-sanitize≤ 1.8.3) — no patchwill ever exist; migration is out of scope for oc11.
babel-traverse,lodash.template,request,and request's
uuid/tough-cookiesubtree (patched versions need majorupgrades
requestcan't take).Verification
yarn installresolves cleanly with the resolutions.gulpbuild (babel / uglify / jshint) completes successfully — thepinned versions do not break the toolchain.
set above.