Skip to content

fix(security): clear Dependabot alerts + add dependabot.yml#167

Merged
jung-thomas merged 7 commits into
mainfrom
worktree-deps-security-fixes
Jul 13, 2026
Merged

fix(security): clear Dependabot alerts + add dependabot.yml#167
jung-thomas merged 7 commits into
mainfrom
worktree-deps-security-fixes

Conversation

@jung-thomas

Copy link
Copy Markdown
Contributor

Summary

Resolves all 22 Dependabot security alerts and adds the missing dependabot.yml. Also folds in two previously-uncommitted working-tree changes (root dep bump + a vscode .vsix activation fix) that were only ever stashed, never committed.

Why the alerts persisted (the original question)

Two root causes:

  1. No .github/dependabot.yml existed — the repo had passive security alerts only, never version-update PRs. Nothing auto-opened fixes.
  2. Every alert lived in a nested sub-project (app/vue, docs, vscode-extension) with its own lockfile. Root-level dependency updates never touched them, and the sub-project lockfiles were stale vs. their own package.json (e.g. app/vue was already on vite 8 in package.json but the committed lock still had vite 5). Regenerating each sub-project lock was the actual fix.

Changes (7 commits)

Commit What
chore(deps) Root hdb 2.27.1→2.29.5, sap-hdb-promisfied 2.202604.1→2.202606.2 (was stashed, never committed)
fix(vscode) .vsix Bundle @sap/textbundle + stub terminal-kit so the packaged extension activates (was stashed)
fix(app/vue) 15 dompurify + 2 xlsx alerts → dompurify override ^3.4.11 (3.4.12); xlsx repointed to SheetJS CDN 0.20.3 (npm's latest is the vulnerable 0.18.5)
fix(vscode) deps serialize-javascript + diff overrides (dev-only, transitive via mocha)
fix(docs) vite + esbuild overrides (dev-server only; verified vitepress build succeeds with vite 6 forced under vitepress 1.6.4)
ci dependabot.yml for /, /app/vue, /docs, /mcp-server, /vscode-extension + github-actions
fix(mcp-server) 7 additional advisories (hono, fast-uri, path-to-regexp, qs, ip-address) via npm audit fix — build passes

Result: npm audit = 0 vulnerabilities in app/vue, docs, vscode-extension, and mcp-server.

Known remaining (not fixable here)

  • Root serialize-javascript (high RCE) + diff — these live inside sap-hdb-promisfied's own shipped npm-shrinkwrap.json (hasShrinkwrap: true), which npm treats as sealed; downstream overrides cannot penetrate it. Requires an upstream fix in sap-hdb-promisfied (remove mocha from runtime deps / refresh its shrinkwrap). Flagging for a follow-up.
  • Root exceljsuuid (moderate) — fix requires an exceljs major bump (breaking); deferred by decision.

Verification

  • app/vue: build deps regenerated, npm audit 0 vulns
  • vscode-extension: tsc compile passes, npm audit 0 vulns
  • docs: full vitepress build succeeds (all pages render), npm audit 0 vulns
  • mcp-server: tsc build passes, npm audit 0 vulns

…1->2.202606.2

Root runtime dependency refresh (regenerated npm-shrinkwrap.json).
createRequire()-based require of @sap/textbundle was emitted as a runtime
require that threw MODULE_NOT_FOUND in the node_modules-free .vsix, and the
static terminal-kit import (unbundleable) failed the same way — both blocked
activate(). Rewrite the textbundle require to a static ESM import so esbuild
bundles it, and resolve terminal-kit to a no-op stub (extension never needs
terminal output; routes return JSON).
- Repoint xlsx to SheetJS CDN 0.20.3 (fixes GHSA-5pgg-2g8v-p4x9 prototype
  pollution + GHSA-4r6h-8v6p-xvw6 ReDoS; SheetJS no longer publishes to npm,
  where the latest is stuck at the vulnerable 0.18.5)
- Add overrides.dompurify ^3.4.11 to force 3.4.12 (monaco-editor pins the
  vulnerable 3.2.7 transitively; clears 15 dompurify advisories)
- Regenerate lockfile, which was stale vs package.json (already on vite 8)

npm audit: 0 vulnerabilities.
…ries

Both are dev-only transitive deps of mocha (the test runner). Latest mocha
(11.7.6) still declares serialize-javascript ^6.0.2 and an old diff, so npm
audit fix can't resolve them without a mocha major bump. Pin via overrides:
- serialize-javascript ^7.0.5 -> 7.0.7 (GHSA-5c6j-r48x-rmvq RCE, GHSA-qj8w-gfj5-8c6v DoS)
- diff ^8.0.3 -> 8.0.4 (GHSA-73rr-hh4g-fpgx DoS; surfaced on lockfile regen)

These affect only mocha's internal test reporting, not the shipped bundle.
tsc compile passes; npm audit: 0 vulnerabilities.
vitepress 1.6.4 pins vite ^5.4.14, but the vite advisories (GHSA-v6wh-96g9-6wx3
launch-editor NTLM disclosure, GHSA-fx2h-pf6j-xcff server.fs.deny bypass) have
no 5.x backport — only 6.4.3+. esbuild <=0.24.2 (GHSA-67mh-4wv8-2f99) likewise
needs 0.25.0. Force both via overrides:
- vite ^6.4.3 -> 6.4.3
- esbuild ^0.25.0 -> 0.25.12

All are dev/build-toolchain only (not present in the static GitHub Pages
output). Verified: full `vitepress build` succeeds on 1.6.4 with vite 6 forced
(no issues, all pages render). npm audit: 0 vulnerabilities.
No dependabot config existed, so the repo only had passive security alerts and
never opened fix PRs. Nested sub-projects (app/vue, docs, vscode-extension)
silently accumulated vulnerabilities that root-level updates never reached.
Configure weekly npm updates for /, /app/vue, /docs, /mcp-server,
/vscode-extension plus github-actions, with minor+patch grouped to cut noise.
npm audit fix bumps in-range transitive deps under @modelcontextprotocol/sdk
and the express chain (all non-breaking):
- hono 4.12.29, fast-uri 3.1.3, path-to-regexp 8.4.2, qs 6.15.3, ip-address 10.2.0
- clears @hono/node-server, fast-uri, hono (multiple), path-to-regexp DoS,
  ip-address XSS advisories

tsc build passes; npm audit: 0 vulnerabilities.
@jung-thomas
jung-thomas merged commit d6b384a into main Jul 13, 2026
21 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant