security: upgrade madge + @capacitor/cli to clear critical/high advisories #192
Reference: forgejo_admin/exifcleaner-web#192
Problem

`yarn audit` (run 2026-05-22) reports 42 vulnerabilities in devDependencies:

- minimist < 1.2.6: Prototype Pollution
- ansi-regex < 5.0.1: ReDoS
- brace-expansion: DoS range bypass

Affected dependency chains:

- madge > dependency-tree > precinct > [detective-vue2 >] minimist (2 paths, critical)
- @capacitor/cli > @ionic/utils-terminal > strip-ansi > ansi-regex (3 paths, high)
- madge > dependency-tree > precinct > detective-vue2 > @typescript-eslint/typescript-estree > minimatch > brace-expansion (moderate)

None of these ship to the production browser bundle. However:

- the minimist prototype pollution runs in the same Node.js process as `yarn check:deps` (CI and local builds)
- the ansi-regex ReDoS affects `@capacitor/cli` output parsing

Identified in the 2026-05-22 security audit. Remediation plan item #3.

Steps

1. `yarn upgrade madge`; check if the latest pulls in minimist ≥ 1.2.6
2. `yarn upgrade @capacitor/cli`; check if the latest pulls in ansi-regex ≥ 5.0.1
3. `yarn audit --level high` and confirm zero high/critical findings
4. `yarn lint && yarn typecheck && yarn test && yarn check:deps` to confirm nothing broke

Acceptance criteria

- `yarn audit --level high` exits 0 after the upgrade.
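The two checks the steps above ask for, written out as an added example that is not code from this issue or from the exifcleaner-web project: `belowFloor()` reads the versions a yarn v1 `yarn.lock` actually resolved for minimist and ansi-regex and flags any still under the patched floors named in the issue, and `auditFindings()` parses `yarn audit --json` (yarn v1 writes one JSON record per line, `auditAdvisory` records followed by an `auditSummary`) and returns the findings at or above a severity, which is what `--level high` gates on. The lockfile fragment and audit records at the bottom are constructed sample inputs, not real project data; the `@example/tool` package and the `placeholder` resolved URLs are assumptions.

```javascript
'use strict';

// Added example, not code from the exifcleaner-web project or this issue.
// Assumes the yarn v1 lockfile layout and the yarn v1 `yarn audit --json`
// record shape; the sample inputs below are constructed.

// Patched floors stated in the issue.
const FLOORS = { minimist: '1.2.6', 'ansi-regex': '5.0.1' };

// Compare two dotted numeric versions; pre-release tags are not handled.
// Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Parse a yarn v1 lockfile into { 'pkg@range': 'resolved version' }.
// Header lines are unindented, end in ':' and list one or more selectors;
// the indented 'version "x.y.z"' line below them is the resolved version.
function parseYarnLock(text) {
  const resolved = {};
  let selectors = [];
  for (const line of text.split('\n')) {
    if (/^[^\s#].*:$/.test(line)) {
      selectors = line.slice(0, -1).split(',').map((s) => s.trim().replace(/^"|"$/g, ''));
      continue;
    }
    const m = line.match(/^\s+version\s+"([^"]+)"/);
    if (m) for (const s of selectors) resolved[s] = m[1];
  }
  return resolved;
}

// Package name of a 'name@range' selector (scoped names keep the leading '@').
function selectorName(selector) {
  const at = selector.lastIndexOf('@');
  return at > 0 ? selector.slice(0, at) : selector;
}

// Selectors whose resolved version is still below the patched floor.
function belowFloor(lockText, floors = FLOORS) {
  const bad = [];
  for (const [selector, version] of Object.entries(parseYarnLock(lockText))) {
    const floor = floors[selectorName(selector)];
    if (floor && compareVersions(version, floor) < 0) {
      bad.push(`${selector} resolves to ${version}, below ${floor}`);
    }
  }
  return bad;
}

const LEVELS = ['info', 'low', 'moderate', 'high', 'critical'];

// Findings from `yarn audit --json` output at or above `level`.
function auditFindings(ndjson, level = 'high') {
  const min = LEVELS.indexOf(level);
  const hits = [];
  for (const line of ndjson.split('\n')) {
    if (!line.trim()) continue;
    const rec = JSON.parse(line);
    if (rec.type !== 'auditAdvisory') continue;
    const { advisory, resolution } = rec.data;
    if (LEVELS.indexOf(advisory.severity) >= min) {
      hits.push({ module: advisory.module_name, severity: advisory.severity, path: resolution.path });
    }
  }
  return hits;
}

// Constructed lockfile fragment: minimist still on 1.2.5, ansi-regex already fixed.
const SAMPLE_LOCK = [
  '# yarn lockfile v1',
  '',
  '"@example/tool@^1.0.0":',
  '  version "1.0.0"',
  '',
  'ansi-regex@^5.0.0:',
  '  version "5.0.1"',
  '  resolved "placeholder"',
  '',
  'minimist@^1.2.0, minimist@^1.2.5:',
  '  version "1.2.5"',
  '  resolved "placeholder"',
].join('\n');

// Constructed audit records modelled on the three chains in the issue.
const SAMPLE_AUDIT = [
  JSON.stringify({ type: 'auditAdvisory', data: { resolution: { path: 'madge>dependency-tree>precinct>minimist', dev: true }, advisory: { module_name: 'minimist', severity: 'critical', title: 'Prototype Pollution' } } }),
  JSON.stringify({ type: 'auditAdvisory', data: { resolution: { path: '@capacitor/cli>@ionic/utils-terminal>strip-ansi>ansi-regex', dev: true }, advisory: { module_name: 'ansi-regex', severity: 'high', title: 'ReDoS' } } }),
  JSON.stringify({ type: 'auditAdvisory', data: { resolution: { path: 'madge>dependency-tree>precinct>detective-vue2>@typescript-eslint/typescript-estree>minimatch>brace-expansion', dev: true }, advisory: { module_name: 'brace-expansion', severity: 'moderate', title: 'DoS range bypass' } } }),
  JSON.stringify({ type: 'auditSummary', data: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 1, critical: 1 } } }),
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log('below patched floor:', belowFloor(SAMPLE_LOCK));
  console.log('high or critical:', auditFindings(SAMPLE_AUDIT, 'high'));
}
```

Against real output, feed `fs.readFileSync('yarn.lock', 'utf8')` to `belowFloor()` and pipe `yarn audit --json` into `auditFindings()`; a non-empty result from either is the signal that the upgrade in steps 1 and 2 did not actually move the transitive dependency, which `yarn upgrade` on the top-level package alone does not guarantee.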