Reference: forgejo_admin/exifcleaner-web#196
Branch: fix/192-audit-deps
Summary

- `@capacitor/cli` to `^7.6.5` and `vite` to `^7.3.3` (direct dep bumps)
- `resolutions` block to force patched transitive versions for `minimist`, `ansi-regex`, `rollup`, `picomatch`, `postcss`, `brace-expansion`
- `yarn audit --level high` into the CI `test` job so future CVE regressions fail the build

Before: 42 vulnerabilities (2 critical, 21 high, 19 moderate)
After: 0 vulnerabilities — `yarn audit --level high` exits 0

Why resolutions instead of upgrading every transitive package directly

- `gonzales-pe@4.3.0` (pulled by `madge > dependency-tree > precinct`) is the only published version and pins `minimist: ^1.2.5`, which yarn resolves to the vulnerable `1.2.5`. The `resolutions` field forces the lockfile to use `1.2.8`.
- `vitest@3.2.4` is pinned (no patch release after 3.2.4) and bundles its own nested `vite@7.3.1`, `rollup@4.57.1`, and `picomatch@4.0.3`. Resolutions promote those to patched versions without changing vitest's own version.
- `ansi-regex` resolution is capped at `^5.0.1` (not `>=5.0.1`) because v6 is ESM-only and breaks `ora`'s CJS `strip-ansi` — confirmed by a runtime crash in `yarn check:deps` during iteration.

None of these packages ship to the production browser bundle

All affected packages are devDependencies (build tooling, test runner, Capacitor CLI). Production deps (`react`, `pdf-lib`, `jszip`, `@ffmpeg/core`, `@uswriting/exiftool`) have zero audit findings.

Test plan

- `yarn audit --level high` exits 0 locally
- `yarn lint` passes
- `yarn typecheck` passes
- `yarn test` passes (568 tests)
- `yarn check:deps` passes (no circular deps)
- `yarn build:web` completes successfully

Closes #191
Closes #192

🤖 Generated with Claude Code
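A `resolutions` entry only helps if the lockfile actually picked it up, and `yarn audit` reports on the lockfile, not on `package.json`. The script below is an added example, not code from the exifcleaner-web PR or the project: it reads the versions yarn resolved out of a yarn classic (v1) `yarn.lock`, which is an assumption about the project's lockfile format, and fails when any resolved copy of a package falls outside the bound the PR description states (`minimist` at least `1.2.8`, `ansi-regex` within `^5.0.1` because v6 is ESM-only, `vite` at least `7.3.3`, including the copy nested under vitest). The embedded lockfile is constructed for the example, with placeholder hashes; the patched versions for `rollup`, `picomatch`, `postcss` and `brace-expansion` are not given in the PR text, so they are left out of the constraint list.

```javascript
// Added example (not code from the exifcleaner-web PR): verify that the
// `resolutions` field actually took effect by reading the versions yarn
// resolved out of yarn.lock. Assumes the yarn classic (v1) lockfile format.
// The minimum versions below come from the PR description; the sample
// lockfile is constructed for this example (hashes are placeholders).

const SAMPLE_LOCKFILE = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


ansi-regex@^5.0.1:
  version "5.0.1"
  resolved "https://registry.yarnpkg.com/ansi-regex/-/ansi-regex-5.0.1.tgz#PLACEHOLDER"
  integrity sha512-PLACEHOLDER

minimist@^1.2.5, minimist@^1.2.8:
  version "1.2.8"
  resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.8.tgz#PLACEHOLDER"
  integrity sha512-PLACEHOLDER

vite@^7.3.1, vite@^7.3.3:
  version "7.3.3"
  resolved "https://registry.yarnpkg.com/vite/-/vite-7.3.3.tgz#PLACEHOLDER"
  integrity sha512-PLACEHOLDER
`;

// Constraints the lockfile must satisfy (taken from the PR description).
// `below` expresses the upper bound of a caret range such as ^5.0.1 (<6.0.0).
const REQUIRED = [
  { name: 'minimist', min: '1.2.8' },
  { name: 'ansi-regex', min: '5.0.1', below: '6.0.0' },
  { name: 'vite', min: '7.3.3' },
];

// Compare two plain x.y.z versions; prerelease suffixes are ignored.
function compareSemver(a, b) {
  const parse = (v) => v.split('-')[0].split('.').map(Number);
  const pa = parse(a);
  const pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Parse a yarn v1 lockfile into Map<packageName, Set<resolvedVersion>>.
// Each entry starts with one or more "name@range" keys ending in ':' and
// carries a '  version "x.y.z"' line. Scoped keys may be double-quoted.
function parseYarnLock(text) {
  const resolved = new Map();
  for (const block of text.split(/\n\s*\n/)) {
    const lines = block.split('\n').filter((l) => l.trim() !== '' && !l.startsWith('#'));
    if (lines.length === 0 || !lines[0].endsWith(':')) continue;
    const keys = lines[0].slice(0, -1).split(',').map((k) => k.trim().replace(/^"|"$/g, ''));
    const versionLine = lines.find((l) => l.trim().startsWith('version '));
    if (!versionLine) continue;
    const match = versionLine.trim().match(/^version "([^"]+)"/);
    if (!match) continue;
    for (const key of keys) {
      // The package name is everything before the last '@' (scoped names start with '@').
      const name = key.slice(0, key.lastIndexOf('@'));
      if (!resolved.has(name)) resolved.set(name, new Set());
      resolved.get(name).add(match[1]);
    }
  }
  return resolved;
}

// Return the list of violations; an empty list means every resolved copy is patched.
function checkResolutions(lockText, required = REQUIRED) {
  const resolved = parseYarnLock(lockText);
  const failures = [];
  for (const req of required) {
    const versions = resolved.get(req.name);
    if (!versions) continue; // package not in the tree: nothing to enforce
    for (const v of versions) {
      if (compareSemver(v, req.min) < 0) {
        failures.push(`${req.name}@${v} is below the patched ${req.min}`);
      } else if (req.below && compareSemver(v, req.below) >= 0) {
        failures.push(`${req.name}@${v} is not below ${req.below}`);
      }
    }
  }
  return failures;
}

// CLI entry point: `node check-resolutions.js [path/to/yarn.lock]`; without a
// path it checks the constructed sample. A non-zero exit fails the CI job.
if (typeof require !== 'undefined' && require.main === module) {
  const lockText = process.argv[2] ? require('fs').readFileSync(process.argv[2], 'utf8') : SAMPLE_LOCKFILE;
  const failures = checkResolutions(lockText);
  for (const f of failures) console.error(`FAIL: ${f}`);
  console.log(failures.length === 0 ? 'all resolutions satisfied' : `${failures.length} violation(s)`);
  process.exitCode = failures.length === 0 ? 0 : 1;
}
```

Running it as a step next to `yarn audit --level high` in the CI `test` job catches the case the audit alone can miss: a later lockfile regeneration that silently drops a resolution, or a new dependency that pulls in a second, older copy of one of these packages. The check is per resolved version, so a nested duplicate (like vitest's own `vite`) is reported separately from the top-level one.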