Skip to content

fix(deps): pin vulnerable dev transitives via yarn resolutions#1360

Open
DeepDiver1975 wants to merge 2 commits into
masterfrom
fix/dev-dependency-resolutions
Open

fix(deps): pin vulnerable dev transitives via yarn resolutions#1360
DeepDiver1975 wants to merge 2 commits into
masterfrom
fix/dev-dependency-resolutions

Conversation

@DeepDiver1975

Copy link
Copy Markdown
Member

What

Two changes to bring calendar's Dependabot status to "only unfixable advisories remain":

  1. package.json + yarn.lock — add resolutions pinning patched versions
    of 10 build-time-only transitive dependencies that carry open advisories.
  2. SECURITY.md — document the advisories that cannot be fixed as accepted
    risks.

Why

The remaining alerts were all in the build/test toolchain (gulp, karma,
babel), not in shipped app code. Where a compatible fix exists, this pins it;
where none exists, it's documented.

Pinned via resolutions (all resolve within their current major)

lodash ^4.18.1, minimist ^1.2.8, form-data ^2.5.6, braces ^3.0.3,
json5 ^2.2.3, json-schema ^0.4.0, minimatch ^3.1.3, merge ^2.1.1,
qs ^6.15.3, postcss ^8.4.31 — covering critical/high prototype-pollution,
code/command-injection, ReDoS and related advisories.

Documented as accepted risk (no fix / would break build)

  • Shipped: EOL AngularJS (angular / angular-sanitize ≤ 1.8.3) — no patch
    will ever exist; migration is out of scope for oc11.
  • Build-only, not shipped: babel-traverse, lodash.template, request,
    and request's uuid / tough-cookie subtree (patched versions need major
    upgrades request can't take).

Verification

  • yarn install resolves cleanly with the resolutions.
  • The full gulp build (babel / uglify / jshint) completes successfully — the
    pinned versions do not break the toolchain.
  • Post-merge, the only open Dependabot alerts are the documented accepted-risk
    set above.

DeepDiver1975 and others added 2 commits July 7, 2026 09:43
Adds yarn resolutions forcing patched versions of build-time-only
transitive dependencies that carry open Dependabot advisories. These
packages live in the gulp/karma build toolchain and are never shipped in
the app tarball.

Pinned (all have an upstream fix and resolve within their current major):
- lodash ^4.18.1  (critical/high/medium: prototype pollution, code/command injection)
- minimist ^1.2.8 (critical: prototype pollution)
- form-data ^2.5.6 (critical/high: unsafe boundary / predictable value)
- braces ^3.0.3   (high: resource exhaustion)
- json5 ^2.2.3    (high: prototype pollution)
- json-schema ^0.4.0 (critical: prototype pollution)
- minimatch ^3.1.3 (high: ReDoS)
- merge ^2.1.1    (high: prototype pollution)
- qs ^6.15.3      (medium: prototype pollution)
- postcss ^8.4.31 (medium: line-return parsing)

Verified: `yarn install` resolves cleanly and the full gulp build
(babel/uglify/jshint) completes successfully with the pinned versions.

Advisories with no upstream fix (babel-traverse, lodash.template,
request and its uuid/tough-cookie subtree) and the shipped-but-EOL
AngularJS advisories are documented as accepted risks in SECURITY.md
rather than force-pinned, since bumping them breaks the build.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
Records the Dependabot advisories that remain open because no upstream
fix exists (or applying one breaks the build):
- shipped: EOL AngularJS (angular / angular-sanitize <= 1.8.3), no patch
  will ever be released; migration is out of scope for oc11.
- build-only (not shipped): babel-traverse, lodash.template, request, and
  request's uuid/tough-cookie subtree.

Fixable build-time transitives are pinned via resolutions in the same
branch.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
@DeepDiver1975 DeepDiver1975 requested a review from a team as a code owner July 7, 2026 07:45

@dj4oC dj4oC left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pins several vulnerable transitive dev/build dependencies via yarn resolutions (lodash, minimist, form-data, braces, json5, json-schema, minimatch, merge, qs, postcss) and adds a SECURITY.md section documenting the remaining accepted-risk advisories (EOL AngularJS in shipped code, build-time-only toolchain deps with no upstream fix).

Findings

  • Security: no findings — this narrows the vulnerable surface; the accepted-risk writeup for AngularJS/build-tooling advisories that can't be fixed is honest and correctly scoped (verified angular/angular-sanitize are shipped runtime deps vs. gulp/karma/phantomjs transitives being build-only, matching the yarn.lock dependency tree in this diff).
  • Stability: no findings — pure resolutions pins to non-major-breaking patch versions of these transitives (e.g. postcss 7→8.5.16 is a resolutions-forced override on a ^7.0.16 range consumer; worth a sanity build/test run to confirm nothing in the CSS toolchain breaks on postcss 8, but CI is green).
  • Performance: no findings — dev/build dependency changes only, no runtime impact.
  • Test coverage: n/a — dependency manifest + docs only, no application code changed.
  • TODOs found: none.
  • Dependency touched: yes — confirmed in .github/dependabot.yml (npm ecosystem already covered).
  • CI status: all 10 checks green.
  • Stale review: no.

Verdict

Approved.

🤖 Automated review by Claude Code (security · stability · performance · coverage)


Generated by Claude Code

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants