security: upgrade madge + @capacitor/cli to clear critical/high advisories #192

Closed
opened 2026-05-22 17:54:04 +00:00 by forgejo_admin · 0 comments

Problem

yarn audit (run 2026-05-22) reports 42 vulnerabilities in devDependencies:

| Severity | Count | Key package | Advisory |
|---|---|---|---|
| Critical | 2 | minimist < 1.2.6 — Prototype Pollution | npm/1097678 |
| High | 21 | ansi-regex < 5.0.1 — ReDoS | npm/1094092 |
| Moderate | 19 | brace-expansion — DoS range bypass | npm/1119088 |

Affected dependency chains:

  • madge > dependency-tree > precinct > [detective-vue2 >] minimist (2 paths, critical)
  • @capacitor/cli > @ionic/utils-terminal > strip-ansi > ansi-regex (3 paths, high)
  • madge > dependency-tree > precinct > detective-vue2 > @typescript-eslint/typescript-estree > minimatch > brace-expansion (moderate)

None of these ship to the production browser bundle, so end users are not exposed. They still matter because:

  • The vulnerable minimist is loaded into the same Node.js process that runs yarn check:deps, so it executes on every CI run and every local build
  • The ansi-regex ReDoS sits in the strip-ansi call that @capacitor/cli uses to strip escape sequences from terminal output, so a pathological string can make the CLI hang

Identified in the 2026-05-22 security audit. Remediation plan item #3.

Steps

  1. yarn upgrade madge, then yarn why minimist to confirm every resolved copy is ≥ 1.2.6. Note that yarn upgrade only moves within the range already in package.json; if the old minimist is still resolved, use yarn upgrade --latest madge or add a resolutions entry for minimist
  2. yarn upgrade @capacitor/cli, then yarn why ansi-regex to confirm every resolved copy is ≥ 5.0.1 (same caveat)
  3. Re-run yarn audit --level high and confirm zero high/critical findings
  4. Run full CI (yarn lint && yarn typecheck && yarn test && yarn check:deps) to confirm nothing broke, then commit the updated yarn.lock

Acceptance criteria

yarn audit --level high exits 0 after the upgrade (yarn audit's exit code is a bitmask of the severities found, 8 for high and 16 for critical, so 0 means nothing at or above the threshold remains), and yarn why minimist / yarn why ansi-regex show no resolved copy below 1.2.6 / 5.0.1 on any path.


Reference: forgejo_admin/exifcleaner-web#192