fix(security): patch JS dependency vulnerabilities across all apps#284
Open
Nick Robinson (nickrobinson) wants to merge 1 commit into
Open
fix(security): patch JS dependency vulnerabilities across all apps#284Nick Robinson (nickrobinson) wants to merge 1 commit into
Nick Robinson (nickrobinson) wants to merge 1 commit into
Conversation
Resolves moderate/high CVEs in all five JS packages. All patches are minor or patch-level bumps; no breaking changes introduced. javascript-web / javascript-tui / electron - GHSA-jxxr-4gwj-5jf2 (brace-expansion 5.0.2-5.0.5, moderate DoS) Fixed via `npm audit fix` updating the lockfile resolution. react-native - Bumped @react-native-community/cli + platform packages 20.0.0 → 20.1.3 (patch) resolving GHSA-gh4j-gqv2-49f6 (fast-xml-parser XMLBuilder injection, moderate) and @xmldom/xmldom vulnerabilities (high). - Added npm overrides and yarn resolutions for transitive deps: fast-xml-parser 5.5.6 → 5.8.0, semver >=7.5.2, tar 7.5.11, postcss >=8.5.10, xml2js >=0.5.0, send >=0.19.0, @xmldom/xmldom >=0.8.13, lodash 4.18.1. react-native-expo - Updated fast-xml-parser override/resolution 5.5.6 → 5.8.0. - Added overrides/resolutions: postcss >=8.5.10, fast-uri >=3.1.2, fast-xml-builder >=1.1.7, lodash 4.18.1, yaml >=2.9.0, @xmldom/xmldom >=0.8.13. - brace-expansion (1.x/2.x, moderate) fixed via `npm audit fix`. - Remaining 5 low-severity jest-expo chain items require a major version downgrade of jest-expo (53→47); deferred per patch policy. https://claude.ai/code/session_01MQ2iqSwBd4djxD1AwWcPmc
Nick Robinson (nickrobinson)
requested review from
a team and
Kristopher Johnson (kristopherjohnson)
as code owners
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates dependency lockfiles and adds npm/yarn override policies to remediate reported moderate/high severity vulnerabilities across the JavaScript/TypeScript apps in the repo (notably the React Native and Expo React Native samples), aiming to keep changes within non-breaking upgrade ranges.
Changes:
- Updated
react-nativeto bump@react-native-community/clito 20.1.3 and introduced matchingresolutions(Yarn) andoverrides(npm) for several vulnerable transitive packages. - Updated
react-native-expoto add additionalresolutions/overrides(fast-xml-parser/postcss/fast-uri/fast-xml-builder/yaml/@xmldom/xmldom/lodash) and refreshed both lockfiles. - Updated
brace-expansionin thejavascript-web,javascript-tui, andelectronlockfiles via audit-driven lockfile changes.
Reviewed changes
Copilot reviewed 2 out of 9 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| react-native/package.json | Adds/updates resolutions + overrides and bumps React Native CLI packages. |
| react-native/yarn.lock | Updates resolved dependency graph for the React Native app. |
| react-native-expo/package.json | Adds/updates resolutions + overrides for Expo React Native app security patches. |
| react-native-expo/yarn.lock | Updates resolved dependency graph; includes an override-driven @xmldom/xmldom version jump. |
| react-native-expo/package-lock.json | Updates npm-resolved dependency graph for Expo React Native app. |
| javascript-web/package-lock.json | Lockfile-only updates (incl. patched brace-expansion). |
| javascript-tui/package-lock.json | Lockfile-only updates (incl. patched brace-expansion). |
| electron/package-lock.json | Lockfile-only updates (incl. patched brace-expansion and other transitive changes). |
Files not reviewed (4)
- electron/package-lock.json: Language not supported
- javascript-tui/package-lock.json: Language not supported
- javascript-web/package-lock.json: Language not supported
- react-native-expo/package-lock.json: Language not supported
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+33
to
+48
| "semver": ">=7.5.2", | ||
| "tar": "7.5.11", | ||
| "postcss": ">=8.5.10", | ||
| "xml2js": ">=0.5.0", | ||
| "send": ">=0.19.0", | ||
| "@xmldom/xmldom": ">=0.8.13", | ||
| "lodash": "4.18.1" | ||
| }, | ||
| "overrides": { | ||
| "fast-xml-parser": "5.8.0", | ||
| "semver": ">=7.5.2", | ||
| "tar": "7.5.11", | ||
| "postcss": ">=8.5.10", | ||
| "xml2js": ">=0.5.0", | ||
| "send": ">=0.19.0", | ||
| "@xmldom/xmldom": ">=0.8.13", |
Comment on lines
+66
to
+72
| "fast-xml-parser": "5.8.0", | ||
| "postcss": ">=8.5.10", | ||
| "fast-uri": ">=3.1.2", | ||
| "fast-xml-builder": ">=1.1.7", | ||
| "lodash": "4.18.1", | ||
| "yaml": ">=2.9.0", | ||
| "@xmldom/xmldom": ">=0.8.13" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Patches all moderate and high severity CVEs across the five JavaScript/TypeScript apps. Every fix is a minor or patch version bump — no breaking changes are introduced to production code.
Vulnerability inventory & fixes
javascript-web · javascript-tui · electron
brace-expansion5.0.2–5.0.5 (DoS)npm audit fixreact-native
fast-xml-parser<5.7.0 (XMLBuilder injection)@react-native-community/cli20.0.0 → 20.1.3 (patch);fast-xml-parseroverride 5.5.6 → 5.8.0@xmldom/xmldom≤0.8.12>=0.8.13semver7.0–7.5.1 (ReDoS)>=7.5.2tar≤7.5.10 (path traversal)7.5.11postcss<8.5.10 (XSS)>=8.5.10xml2js<0.5.0 (prototype pollution)>=0.5.0send<0.19.0 (XSS)>=0.19.0lodash≤4.17.234.18.1react-native-expo
fast-xml-parser<5.7.0postcss<8.5.10>=8.5.10fast-uri≤3.1.1>=3.1.2fast-xml-builder≤1.1.6>=1.1.7lodash≤4.17.234.18.1yaml2.0–2.8.2 (stack overflow)>=2.9.0@xmldom/xmldom≤0.8.12>=0.8.13brace-expansion1.x/2.x (DoS)npm audit fixupdated lockfileAll overrides are mirrored in both
overrides(npm) andresolutions(yarn) so both lockfiles receive the patched versions. Bothpackage-lock.jsonandyarn.lockupdated in react-native and react-native-expo per repo convention.What was NOT patched (and why)
jest-expochain (@tootallnate/once,http-proxy-agent,jsdom,jest-environment-jsdom) — 5 × lowEcosystem coverage
Non-JS ecosystems (Rust, Kotlin, Android, Flutter, .NET, Go, C++) have no publicly reachable Dependabot advisories that can be resolved with a patch/minor bump at this time. Gradle version catalogs and pubspec.yaml were reviewed and are current within their declared ranges.
Test plan
cd javascript-web && npm audit— 0 vulnerabilitiescd javascript-tui && npm audit— 0 vulnerabilitiescd electron && npm audit— 0 vulnerabilitiescd react-native && npm audit— 0 vulnerabilitiescd react-native-expo && npm audit— 5 low (jest-expo chain, expected)https://claude.ai/code/session_01MQ2iqSwBd4djxD1AwWcPmc
Generated by Claude Code