fix: Patch CVEs and add supply-chain defences#260
Merged
Conversation
Patches 9 in-range CVEs via `npm audit fix` (no `--force`): ajv, brace-expansion, diff (jsdiff), flatted, js-yaml, minimatch, picomatch, ws, yaml. No package.json changes required; lockfile only. Defensive controls added: - `npm audit signatures` step in CI to detect tarball-swap attacks - `.npmrc` `min-release-age=3 days` to reject just-published versions (npm >= 11.10; CI runs Node 24 which has this; silently ignored on older local npm) - `.github/dependabot.yml` with `cooldown` block for npm + actions - `--provenance` on `npm publish` (OIDC already configured) Triage of recent major incidents (Shai-Hulud, TanStack Mini Shai-Hulud, chalk/debug Sept 2025): lockfile clean, no IOC strings present in tree. Remaining 4 low-severity advisories in the @tootallnate/once -> http-proxy-agent -> jsdom -> jest-environment-jsdom chain are deferred: test-only devDeps, fix requires a major jest-environment-jsdom bump (v29 -> v30), and code is not shipped in `dist/**/*`. Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Claude <noreply@anthropic.com>
egorpavlikhin
commented
May 19, 2026
| @@ -0,0 +1,16 @@ | |||
| version: 2 | |||
Contributor
Author
There was a problem hiding this comment.
Not sure if this is needed as I can't see repo settings and if dependabot is already enabled.
Contributor
There was a problem hiding this comment.
i don't believe it is, so let's run with it
npm's min-release-age config expects a plain integer (number of days), not a duration string. CI on npm 11.x rejected "3 days" with "Invalid time value". Co-Authored-By: Claude <noreply@anthropic.com>
APErebus
approved these changes
May 19, 2026
| @@ -0,0 +1,16 @@ | |||
| version: 2 | |||
Contributor
There was a problem hiding this comment.
i don't believe it is, so let's run with it
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Routine npm supply-chain hardening pass.
CVE fixes (lockfile-only, 9 advisories resolved via
npm audit fix)No
package.jsonchanges — all in-range patch/minor bumps.npm auditcount: 13 -> 4.Defensive controls
npm audit signaturesstep intest.yml— catches tarball-swap / unsigned packages. Verified locally: all 553 packages have valid registry signatures, 4 have attestations..npmrcwithmin-release-age=3 days— blocks installing versions published <3 days ago. Requires npm >= 11.10 (CI runs Node 24, which ships with a sufficiently new npm; silently ignored on older local npm)..github/dependabot.ymlwithcooldown(3-day default, 7-day for semver-major) for both npm and github-actions.--provenanceonnpm publish— consumers can now verify our published tarballs against the GitHub Actions OIDC chain (id-token already configured).Exposure triage (Phase 1)
Searched the lockfile and full tree for recent major supply-chain incidents:
IOC string sweep (shai-hulud, webhook.site, getsession.org, router_init.js, trufflehog, npmjs.help, registry-npm.org, gh-token-monitor, processor.js): no hits anywhere in the tree, including
node_modules/.Conclusion: not exposed. No credential rotation required.
Deferred
4 low-severity advisories remain in the
@tootallnate/once -> http-proxy-agent -> jsdom -> jest-environment-jsdomchain. Fixing requires a major bump ofjest-environment-jsdom(v29 -> v30). All four are test-only devDeps, the chain isn't reachable from production code, anddist/**/*(the published artifact) doesn't include any of it. Better to defer to a separate PR than risk test-runtime breakage in a security fix.Test plan
npm audit— 13 -> 4 low (deferred jsdom chain)npm audit signatures— 553 packages verified, 4 attestationsnpm run build— passesnpm run lint— 46 errors / 43 warnings, all pre-existing onmain(confirmed bygit stash && npm run lint && git stash pop)npm test— 15 failures locally, all "The host is not specified" because integration tests requireOCTOPUS_TEST_URLfrom the CI service container. Should pass in CI.🤖 Generated with Claude Code