fix(security): clear Dependabot alerts + add dependabot.yml#167
Merged
Conversation
…1->2.202606.2 Root runtime dependency refresh (regenerated npm-shrinkwrap.json).
createRequire()-based require of @sap/textbundle was emitted as a runtime require that threw MODULE_NOT_FOUND in the node_modules-free .vsix, and the static terminal-kit import (unbundleable) failed the same way — both blocked activate(). Rewrite the textbundle require to a static ESM import so esbuild bundles it, and resolve terminal-kit to a no-op stub (extension never needs terminal output; routes return JSON).
- Repoint xlsx to SheetJS CDN 0.20.3 (fixes GHSA-5pgg-2g8v-p4x9 prototype pollution + GHSA-4r6h-8v6p-xvw6 ReDoS; SheetJS no longer publishes to npm, where the latest is stuck at the vulnerable 0.18.5) - Add overrides.dompurify ^3.4.11 to force 3.4.12 (monaco-editor pins the vulnerable 3.2.7 transitively; clears 15 dompurify advisories) - Regenerate lockfile, which was stale vs package.json (already on vite 8) npm audit: 0 vulnerabilities.
…ries Both are dev-only transitive deps of mocha (the test runner). Latest mocha (11.7.6) still declares serialize-javascript ^6.0.2 and an old diff, so npm audit fix can't resolve them without a mocha major bump. Pin via overrides: - serialize-javascript ^7.0.5 -> 7.0.7 (GHSA-5c6j-r48x-rmvq RCE, GHSA-qj8w-gfj5-8c6v DoS) - diff ^8.0.3 -> 8.0.4 (GHSA-73rr-hh4g-fpgx DoS; surfaced on lockfile regen) These affect only mocha's internal test reporting, not the shipped bundle. tsc compile passes; npm audit: 0 vulnerabilities.
vitepress 1.6.4 pins vite ^5.4.14, but the vite advisories (GHSA-v6wh-96g9-6wx3 launch-editor NTLM disclosure, GHSA-fx2h-pf6j-xcff server.fs.deny bypass) have no 5.x backport — only 6.4.3+. esbuild <=0.24.2 (GHSA-67mh-4wv8-2f99) likewise needs 0.25.0. Force both via overrides: - vite ^6.4.3 -> 6.4.3 - esbuild ^0.25.0 -> 0.25.12 All are dev/build-toolchain only (not present in the static GitHub Pages output). Verified: full `vitepress build` succeeds on 1.6.4 with vite 6 forced (no issues, all pages render). npm audit: 0 vulnerabilities.
No dependabot config existed, so the repo only had passive security alerts and never opened fix PRs. Nested sub-projects (app/vue, docs, vscode-extension) silently accumulated vulnerabilities that root-level updates never reached. Configure weekly npm updates for /, /app/vue, /docs, /mcp-server, /vscode-extension plus github-actions, with minor+patch grouped to cut noise.
npm audit fix bumps in-range transitive deps under @modelcontextprotocol/sdk and the express chain (all non-breaking): - hono 4.12.29, fast-uri 3.1.3, path-to-regexp 8.4.2, qs 6.15.3, ip-address 10.2.0 - clears @hono/node-server, fast-uri, hono (multiple), path-to-regexp DoS, ip-address XSS advisories tsc build passes; npm audit: 0 vulnerabilities.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Resolves all 22 Dependabot security alerts and adds the missing
dependabot.yml. Also folds in two previously-uncommitted working-tree changes (root dep bump + a vscode.vsixactivation fix) that were only ever stashed, never committed.Why the alerts persisted (the original question)
Two root causes:
.github/dependabot.ymlexisted — the repo had passive security alerts only, never version-update PRs. Nothing auto-opened fixes.app/vue,docs,vscode-extension) with its own lockfile. Root-level dependency updates never touched them, and the sub-project lockfiles were stale vs. their ownpackage.json(e.g.app/vuewas already on vite 8 inpackage.jsonbut the committed lock still had vite 5). Regenerating each sub-project lock was the actual fix.Changes (7 commits)
chore(deps)hdb2.27.1→2.29.5,sap-hdb-promisfied2.202604.1→2.202606.2 (was stashed, never committed)fix(vscode).vsix@sap/textbundle+ stubterminal-kitso the packaged extension activates (was stashed)fix(app/vue)^3.4.11(3.4.12); xlsx repointed to SheetJS CDN 0.20.3 (npm's latest is the vulnerable 0.18.5)fix(vscode)depsfix(docs)vitepress buildsucceeds with vite 6 forced under vitepress 1.6.4)cidependabot.ymlfor/,/app/vue,/docs,/mcp-server,/vscode-extension+ github-actionsfix(mcp-server)npm audit fix— build passesResult:
npm audit= 0 vulnerabilities inapp/vue,docs,vscode-extension, andmcp-server.Known remaining (not fixable here)
serialize-javascript(high RCE) +diff— these live insidesap-hdb-promisfied's own shippednpm-shrinkwrap.json(hasShrinkwrap: true), which npm treats as sealed; downstreamoverridescannot penetrate it. Requires an upstream fix insap-hdb-promisfied(removemochafrom runtime deps / refresh its shrinkwrap). Flagging for a follow-up.exceljs→uuid(moderate) — fix requires an exceljs major bump (breaking); deferred by decision.Verification
app/vue: build deps regenerated,npm audit0 vulnsvscode-extension:tsccompile passes,npm audit0 vulnsdocs: fullvitepress buildsucceeds (all pages render),npm audit0 vulnsmcp-server:tscbuild passes,npm audit0 vulns