
fix(deps): resolve Dependabot security alerts via overrides #1894

Open
subodhr258 wants to merge 2 commits into develop from fix/dependabot-vulns

Conversation

subodhr258 (Collaborator) commented May 26, 2026

Summary

Resolves the open Dependabot security alerts on the repository. All fixes are scoped to package.json overrides (and direct deps where applicable) — no source code or build artifacts changed.

Resolved alerts

| Package | Patched version | Type | Severity |
| --- | --- | --- | --- |
| axios | 1.16.1 | direct | high |
| uuid | 11.1.1 | direct | medium |
| postcss | 8.5.15 | direct (override) | medium |
| qs | 6.15.2 | override | medium |
| protobufjs | 7.5.8 | override (bumped from 7.5.5) | high |
| @protobufjs/utf8 | 1.1.1 | override | medium |
| ws | 8.20.1 | override | medium |
| webpack-dev-server | 5.2.4 | override (bumped from 5.2.1) | medium |
| @babel/plugin-transform-modules-systemjs | 7.29.4 | override | high |
| fast-uri | 3.1.2 | override | high |
| simple-git | 3.36.0 | override | high |
| ip-address | 10.1.1 | override | medium |
| dompurify | 3.4.5 | override (top-level, replaces monaco-only pin at 3.3.2) | medium |
| follow-redirects | 1.16.0 | override | medium |

Not fixed

  • showdown (transitive via @wordpress/blocks) — upstream has not published a patched release for GHSA-rmmh-p597-ppvv. fixed_in is null in the Dependabot alert. This one will remain open until WordPress drops showdown or upstream publishes a fix.

Approach

Most flagged packages are transitive deps locked behind WordPress / @wordpress/scripts major versions. Rather than force-bumping multiple WP packages to majors, the patched versions are pinned via overrides in package.json. Existing override entries for protobufjs, webpack-dev-server, and monaco-editor.dompurify were bumped to current patched versions; the redundant monaco-scoped dompurify override was replaced by a top-level one that also covers isomorphic-dompurify.

npm audit after the change confirms each of the Dependabot-flagged packages now resolves to its patched version in package-lock.json.

Risk surface — where each bump can break things

| Bumped package | Where it's used in this codebase | What to watch for |
| --- | --- | --- |
| axios (+ follow-redirects, qs, ip-address, fast-uri) | pages/tools/components/tabs/RetranscodeTab.jsx, pages/tools/components/tabs/Migration/{VimeoVideoMigration,CoreVideoMigration,MigrationTab}.jsx, pages/analytics/Analytics.js | Re-transcode requests, Vimeo/Core video migration requests, Analytics dashboard data fetches. The axios 1.7 → 1.16 jump tightens header / prototype handling — any custom interceptor or non-standard request shape can regress |
| uuid | pages/video-editor/components/SidebarLayers.js, pages/video-editor/components/chapters/Chapters.js, pages/video-editor/components/layers/HotspotLayer.js | Adding new layers (hotspot/CTA/poll/form/ad), adding new chapters, drag-and-drop reorder of layers in the video editor sidebar — verify generated IDs don't collide and existing saved layers still load |
| dompurify (top-level, used via isomorphic-dompurify and inside monaco-editor) | Player runtime: assets/src/js/godam-gallery.js, assets/src/js/godam-player/managers/{playerManager,shareManager}.js, assets/src/js/godam-player/masterSettings.js. Integrations: assets/src/js/gravity-form/gf-godam-recorder-editor.js, assets/src/js/lifterlms/{block,embed}.js. Admin: assets/src/js/media-library/views/attachment-detail-two-column.js | HTML CTA layer rendering, share-link tooltip, gallery thumbnail labels, Gravity Forms recorder, LifterLMS embed, media library attachment detail panel — 3.3 → 3.4 added stricter FORBID_TAGS / SAFE_FOR_TEMPLATES handling, so any HTML that previously slipped through (custom tags, namespaced attrs) may now be stripped |
| monaco-editor (via dompurify 3.4.5) | pages/godam/components/tabs/VideoPlayer/CustomVideoPlayerCSS.jsx, pages/video-editor/components/layers/FormLayer.js, pages/video-editor/components/layers/PollLayer.js, pages/video-editor/components/cta/HtmlCTA.js | Custom Player CSS editor in Settings, Form layer HTML, Poll layer markup, HTML CTA editor — verify syntax highlighting, paste, and save round-trip |
| protobufjs, @protobufjs/utf8 | Transitive via posthog-js / @opentelemetry/* — pulled in by every page that imports pages/utils/posthog.js (dashboard, godam, media-library, tools, video-editor, help, whats-new) | PostHog event delivery on every admin page load — confirm events still flow (check PostHog session replay or the network tab for /i/ capture calls) |
| postcss (8.4 → 8.5) | Build pipeline only — feeds Tailwind + wp-scripts CSS processing | All admin styles + block styles. Diff a few built .css files between develop and this branch to spot any unexpected output change |
| @babel/plugin-transform-modules-systemjs | Build pipeline — wp-scripts Babel preset | All compiled JS bundles. The build already passed locally; CI confirms wider matrix |
| ws, webpack-dev-server, simple-git | Dev-only — npm start / HMR / lint-staged | Local dev experience. Doesn't ship to the WP plugin zip |

Test plan

Automated

  • npm install resolves cleanly with the new overrides
  • npm run build:prod compiles all entrypoints (webpack 5.105.4, all bundles emitted)
  • Patched versions are pinned in package-lock.json (axios 1.16.1, uuid 11.1.1, postcss 8.5.15, qs 6.15.2, protobufjs 7.5.8, @protobufjs/utf8 1.1.1, ws 8.20.1, webpack-dev-server 5.2.4, @babel/plugin-transform-modules-systemjs 7.29.4, fast-uri 3.1.2, simple-git 3.36.0, ip-address 10.1.1, dompurify 3.4.5, follow-redirects 1.16.0)
  • CI green (lint, jest, phpunit, build artifact)
  • npm start boots webpack-dev-server 5.2.4 without HMR regression

Manual smoke — admin / WP wp-admin

  • Settings → Video Player → Custom CSS: Monaco editor opens, syntax highlights, persists CSS, and the CSS actually applies on a video block on the frontend
  • Video editor → Layers: Add a Hotspot, CTA (HTML), Poll, Form, and Ad layer one after another; reorder via drag; save; reload — all generated UUIDs stable, all layers re-render correctly
  • Video editor → Chapters: Add 2–3 chapters, reorder, save, reload — chapter IDs persist
  • Video editor → HTML CTA: Paste HTML containing inline <style>, custom attributes, and a <script> (should be stripped) — verify dompurify 3.4 sanitization output matches expectations
  • Tools → Re-transcode: Run a re-transcode on a single attachment, watch the request in DevTools, confirm success status returns and UI updates
  • Tools → Migration → Vimeo / Core Video: Trigger a migration job, verify the axios request reaches the backend and the progress UI advances
  • Analytics dashboard: Open the analytics page, confirm charts populate (this exercises axios + protobufjs/posthog)
  • Media library: Open the attachment detail two-column view for a video — confirm dompurify-sanitized fields render
  • GoDAM gallery block on frontend: Render a gallery, hover/click a video, verify share tooltip and player overlays render without sanitized text dropping
  • PostHog telemetry: With the browser network tab open on a few admin pages (dashboard, godam, video-editor), confirm /i/v0/e/ or equivalent capture calls succeed (200) — no protobuf serialization errors in console

Integrations

  • Gravity Forms: Edit a form that includes the GoDAM recorder field; the recorder editor still renders and saves
  • LifterLMS: Insert the GoDAM video block in a lesson; frontend embed renders sanitized content correctly
  • WooCommerce (if godam-for-woo is active in the test env): Smoke a product video — no regression from the dompurify bump

Rollback

  • Revert by reverting this single commit and running npm install — no migrations, no schema changes, no PHP side effects.

🤖 Generated with Claude Code — Opus 4.7

Bumps direct deps and pins transitive vulnerable packages to their patched
versions to address open Dependabot alerts on the repository:

- axios 1.7.x → 1.16.1 (CRLF/SSRF/prototype-pollution suite)
- uuid 11.0.5 → 11.1.1 (missing buffer bounds check)
- postcss 8.4.x → 8.5.15 (CSS stringify XSS)
- qs → 6.15.2 (DoS in qs.stringify)
- protobufjs → 7.5.8 (RCE/DoS/prototype-pollution)
- @protobufjs/utf8 → 1.1.1 (overlong UTF-8 decoding)
- ws → 8.20.1 (uninitialized memory disclosure)
- webpack-dev-server → 5.2.4 (cross-origin source exposure)
- @babel/plugin-transform-modules-systemjs → 7.29.4 (arbitrary code generation)
- fast-uri → 3.1.2 (host confusion + path traversal)
- simple-git → 3.36.0 (RCE)
- ip-address → 10.1.1 (Address6 XSS)
- dompurify → 3.4.5 (SAFE_FOR_TEMPLATES/FORBID_TAGS bypass)
- follow-redirects → 1.16.0 (auth-header leak on cross-domain redirect)

Showdown remains pinned at 2.1.0 since upstream has not published a
patched release for the ReDoS advisory (GHSA-rmmh-p597-ppvv).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings May 26, 2026 06:48
github-actions Bot commented May 26, 2026

🔍 WordPress Plugin Check Report

❌ Status: Failed

📊 Report

| 🎯 Total Issues | ❌ Errors | ⚠️ Warnings |
| --- | --- | --- |
| 17 | 3 | 14 |

❌ Errors (3)

📁 readme.txt (1 error)

| 📍 Line | 🔖 Check | 💬 Message |
| --- | --- | --- |
| 0 | outdated_tested_upto_header | Tested up to: 6.9 < 7.0. The "Tested up to" value in your plugin is not set to the current version of WordPress. This means your plugin will not show up in searches, as we require plugins to be compatible and documented as tested up to the most recent version of WordPress. |

📁 lib/class-godam-frappe-dispatch-installer.php (2 errors)

| 📍 Line | 🔖 Check | 💬 Message |
| --- | --- | --- |
| 302 | PluginCheck.CodeAnalysis.WriteFile.PluginDirectoryWrite | Plugin folders are deleted when upgraded. Do not save data to the plugin folder using unzip_file(). Detected usage of constant WP_PLUGIN_DIR. Use wp_upload_dir() to get the uploads directory path or save to the database instead. |
| 347 | PluginCheck.CodeAnalysis.WriteFile.PluginDirectoryWrite | Plugin folders are deleted when upgraded. Do not save data to the plugin folder using copy_dir(). Detected usage of constant WP_PLUGIN_DIR. Use wp_upload_dir() to get the uploads directory path or save to the database instead. |

⚠️ Warnings (14)

📁 readme.txt (2 warnings)

| 📍 Line | 🔖 Check | 💬 Message |
| --- | --- | --- |
| 0 | mismatched_plugin_name | Plugin name "GoDAM - Organize WordPress Media Library & File Manager with Unlimited Folders for Images, Videos & more" is different from the name declared in plugin header "GoDAM". |
| 0 | trademarked_term | The plugin name includes a restricted term. Your chosen plugin name - "GoDAM - Organize WordPress Media Library & File Manager with Unlimited Folders for Images, Videos & more" - contains the restricted term "wordpress" which cannot be used at all in your plugin name. |

📁 composer.json (1 warning)

| 📍 Line | 🔖 Check | 💬 Message |
| --- | --- | --- |
| 0 | missing_composer_json_file | The "/vendor" directory using composer exists, but "composer.json" file is missing. |

📁 assets/build/css/main.css (1 warning)

| 📍 Line | 🔖 Check | 💬 Message |
| --- | --- | --- |
| 0 | EnqueuedStylesScope | This style is being loaded in all contexts. |

📁 assets/src/libs/analytics.min.js (5 warnings)

| 📍 Line | 🔖 Check | 💬 Message |
| --- | --- | --- |
| 0 | EnqueuedScriptsScope | This script is being loaded in all frontend contexts. |
| 0 | NonBlockingScripts.NoStrategy | This script on http://localhost:8880 (with handle analytics-library) is loaded in the footer. Consider a defer or async script loading strategy instead. |
| 0 | NonBlockingScripts.NoStrategy | This script on http://localhost:8880/2026/05/26/demo-post-post/ (with handle analytics-library) is loaded in the footer. Consider a defer or async script loading strategy instead. |
| 0 | NonBlockingScripts.NoStrategy | This script on http://localhost:8880/demo-page-post/ (with handle analytics-library) is loaded in the footer. Consider a defer or async script loading strategy instead. |
| 0 | NonBlockingScripts.NoStrategy | This script on http://localhost:8880/demo-attachment-post/ (with handle analytics-library) is loaded in the footer. Consider a defer or async script loading strategy instead. |

📁 assets/build/js/main.min.js (5 warnings)

| 📍 Line | 🔖 Check | 💬 Message |
| --- | --- | --- |
| 0 | EnqueuedScriptsScope | This script is being loaded in all frontend contexts. |
| 0 | NonBlockingScripts.NoStrategy | This script on http://localhost:8880 (with handle rtgodam-script) is loaded in the footer. Consider a defer or async script loading strategy instead. |
| 0 | NonBlockingScripts.NoStrategy | This script on http://localhost:8880/2026/05/26/demo-post-post/ (with handle rtgodam-script) is loaded in the footer. Consider a defer or async script loading strategy instead. |
| 0 | NonBlockingScripts.NoStrategy | This script on http://localhost:8880/demo-page-post/ (with handle rtgodam-script) is loaded in the footer. Consider a defer or async script loading strategy instead. |
| 0 | NonBlockingScripts.NoStrategy | This script on http://localhost:8880/demo-attachment-post/ (with handle rtgodam-script) is loaded in the footer. Consider a defer or async script loading strategy instead. |

🤖 Generated by WordPress Plugin Check Action • Learn more about Plugin Check

Copilot AI (Contributor) left a comment

Pull request overview

This PR aims to resolve the repository’s Dependabot security alerts by pinning patched dependency versions—primarily via package.json overrides (plus a few direct dependency bumps)—and updating package-lock.json accordingly.

Changes:

  • Bump direct dependencies to patched versions (axios, uuid, postcss).
  • Add/expand overrides pins for multiple vulnerable transitive packages (e.g., protobufjs, qs, ws, webpack-dev-server, dompurify, etc.).
  • Refresh package-lock.json to reflect the new dependency graph and patched resolutions.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| package.json | Pins patched direct deps and adds/updates overrides entries to force secure transitive versions. |
| package-lock.json | Updates the resolved dependency tree to incorporate the new pins/overrides and patched packages. |

Addresses Copilot review feedback on #1894.

The unscoped overrides "uuid": "11.1.1" and "ws": "8.20.1" were
force-downgrading consumers that legitimately depend on newer non-vulnerable
majors:

- Four @wordpress/* subtrees declare uuid: ^14.0.0; the unscoped override
  was pulling them down to 11.1.1, which risks API mismatch since uuid v13+
  became ESM-only with restructured exports.
- puppeteer-core (via lighthouse) pulls ws 8.21.0, which is already past
  the vulnerable range (>= 8.0.0, < 8.20.1); the unscoped pin was an
  unnecessary downgrade.

Switching to range-scoped overrides:

  "uuid@<11.1.1": "11.1.1"
  "ws@<8.20.1":   "8.20.1"

After re-resolve:
- uuid: 11.1.1 (top-level) + 14.0.0 (newer WP subtrees) — both patched
- ws:   8.20.1 (top-level) + 8.21.0 (puppeteer-core)   — both patched

`npm run build:prod` still compiles all entrypoints cleanly.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
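The test-plan item "Patched versions are pinned in package-lock.json" and the range-scoped overrides in the commit above reduce to one check: every installed copy of each flagged package, nested duplicates included, must sit at or above its patched version. This is an added example, not the PR's or the project's code; SAMPLE_LOCK is a constructed stand-in for the real lockfile, and the version floors are the ones from the PR's table.

```javascript
// Added example (not the PR's code): list every installed copy of a flagged
// package in a package-lock.json "packages" map that is below its patched floor.
const PATCHED_FLOORS = { // floors taken from the PR's "Resolved alerts" table
  axios: '1.16.1', uuid: '11.1.1', postcss: '8.5.15', qs: '6.15.2',
  protobufjs: '7.5.8', '@protobufjs/utf8': '1.1.1', ws: '8.20.1',
  'webpack-dev-server': '5.2.4', '@babel/plugin-transform-modules-systemjs': '7.29.4',
  'fast-uri': '3.1.2', 'simple-git': '3.36.0', 'ip-address': '10.1.1',
  dompurify: '3.4.5', 'follow-redirects': '1.16.0',
};

// Numeric major.minor.patch compare; a "-prerelease" suffix is ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Name is what follows the last "node_modules/" in the lock path, so scoped
// names and nested copies (puppeteer-core/node_modules/ws) both resolve.
function nameFromLockPath(lockPath) {
  const i = lockPath.lastIndexOf('node_modules/');
  return i === -1 ? null : lockPath.slice(i + 'node_modules/'.length);
}
// One record per copy below its floor; an empty array means every copy is patched.
function findUnpatched(lock, floors = PATCHED_FLOORS) {
  const hits = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = nameFromLockPath(lockPath);
    if (!name || !(name in floors) || !entry.version) continue;
    if (compareVersions(entry.version, floors[name]) < 0) {
      hits.push({ path: lockPath, version: entry.version, floor: floors[name] });
    }
  }
  return hits;
}

// Constructed sample: uuid and ws each keep a patched top-level copy plus a newer
// nested copy (what the range-scoped overrides produce); follow-redirects is stale.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  'node_modules/uuid': { version: '11.1.1' },
  'node_modules/@wordpress/blocks/node_modules/uuid': { version: '14.0.0' },
  'node_modules/ws': { version: '8.20.1' },
  'node_modules/puppeteer-core/node_modules/ws': { version: '8.21.0' },
  'node_modules/follow-redirects': { version: '1.15.6' },
} };
console.log(findUnpatched(SAMPLE_LOCK)); // one hit: follow-redirects 1.15.6 < 1.16.0
```

To run it against a real lockfile, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; a non-empty result means an override did not reach one of the nested copies.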