
fix(website): resolve all 7 open Dependabot security alerts #224

Open: arnaudlh wants to merge 1 commit into main from arnaudlh-dependabot-security-fixes

arnaudlh (Member) commented Jul 1, 2026

Summary

Remediates all 7 open Dependabot alerts for transitive npm dependencies in website/package-lock.json (Docusaurus site). After these changes, npm audit reports 0 vulnerabilities and npm run build succeeds.

Approach

  • Ran `npm audit fix` (non-`--force`) for the semver-compatible patch bumps.
  • Added a targeted `overrides` block in website/package.json for the two packages that required a major version bump of the transitive dependency:
    • `serialize-javascript` → `^7.0.5` (parents declared `^6`)
    • `uuid` → `^11.1.1`, scoped to `sockjs` so `mermaid` keeps uuid 14.x

Alerts resolved

| Alert | Package | Severity | Before | After |
|---|---|---|---|---|
| #33 | http-proxy-middleware | moderate | 2.0.9 | 2.0.10 |
| #30 | webpack-dev-server | moderate | 5.2.4 | 5.2.5 |
| #27 | @babel/core | low | 7.29.0 | 7.29.7 |
| #19 | joi | moderate | 17.13.3 | 17.13.4 |
| #15 | uuid (via sockjs) | moderate | 8.3.2 | 11.1.1 |
| #14 | serialize-javascript | moderate | 6.0.2 | 7.0.7 |
| #1 | serialize-javascript | high | 6.0.2 | 7.0.7 |

Compatibility notes

  • serialize-javascript 6→7: consumed by copy-webpack-plugin / css-minimizer-webpack-plugin only for cache-key serialization; the serialize(obj, opts) API is unchanged.
  • uuid 8→11 for sockjs: sockjs uses require('uuid').v4(), which remains available in uuid 11's CJS build; the override is scoped so mermaid is unaffected.

Verification

  • `npm audit` → found 0 vulnerabilities
  • `npm run build` → Generated static files in "build"

Notes

  • Only website/package.json and website/package-lock.json changed.
  • A transitive js-yaml@3.14.2 (pulled by gray-matter) was not part of the Dependabot alert set and is intentionally left untouched, since forcing it to 4.x would break gray-matter's safeLoad API.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Remediate all 7 open Dependabot alerts for transitive npm dependencies in
website/package-lock.json. Ran `npm audit fix` for the semver-compatible
patch bumps and added targeted `overrides` for the two that required a major
version bump of the transitive dependency.

Resolved advisories:
- http-proxy-middleware 2.0.9 -> 2.0.10 (#33, Host-header routing bypass)
- webpack-dev-server 5.2.4 -> 5.2.5 (#30, HMR WebSocket interception)
- @babel/core 7.29.0 -> 7.29.7 (#27, arbitrary file read via sourceMappingURL)
- joi 17.13.3 -> 17.13.4 (#19, RangeError DoS via recursive link schemas)
- uuid 8.3.2 -> 11.1.1 via sockjs override (#15, missing buffer bounds check)
- serialize-javascript 6.0.2 -> 7.0.7 via override (#14 CPU DoS, #1 RCE)

The uuid override is scoped to sockjs so mermaid keeps uuid 14.x. Verified
`npm audit` reports 0 vulnerabilities and `npm run build` succeeds.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
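The Approach section and the commit message both rely on one npm feature: a nested `overrides` entry applies only beneath the named parent, so uuid can be forced to 11.x for sockjs while mermaid's copy is left alone. The following is an added example, not code from PR #224 or from the website project. It shows that overrides block as it would appear in website/package.json and then checks a parsed package-lock.json (lockfileVersion 2 or 3, which keys installed packages by their node_modules path) against it, reporting which copies each override reached and which it correctly left untouched. The lockfile embedded below is a constructed sample: versions follow the PR table where it gives them, and the hoisted uuid and the parent packages carry placeholder versions.

```javascript
'use strict';
// Added example, not code from PR #224 or the website project. It checks a
// parsed package-lock.json (lockfileVersion 2 or 3, which keys installed
// packages by their node_modules path) against an npm `overrides` object, so
// a scoped override can be confirmed to have changed only the intended
// parent's copy of a package.

// The overrides block as the PR describes it for website/package.json: a
// string value applies everywhere, a nested object applies only under that
// parent package (here: uuid is pinned for sockjs, not for mermaid).
const overrides = {
  'serialize-javascript': '^7.0.5',
  sockjs: { uuid: '^11.1.1' },
};

// Constructed sample of a lockfile's "packages" map. Versions follow the
// PR table where it states them; the hoisted uuid and the parent packages
// carry placeholder versions for illustration only.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'website' },
    'node_modules/uuid': { version: '14.0.0' },
    'node_modules/mermaid': { version: '0.0.0-placeholder', dependencies: { uuid: '^14.0.0' } },
    'node_modules/sockjs': { version: '0.0.0-placeholder', dependencies: { uuid: '^8.3.2' } },
    'node_modules/sockjs/node_modules/uuid': { version: '11.1.1' },
    'node_modules/serialize-javascript': { version: '7.0.7' },
    'node_modules/copy-webpack-plugin': {
      version: '0.0.0-placeholder',
      dependencies: { 'serialize-javascript': '^6.0.2' },
    },
  },
};

// Flatten an overrides object into { parent, name, range } entries. Nested
// objects scope their entries to the enclosing package name. (npm's "."
// key for pinning the parent itself is not handled here.)
function flattenOverrides(obj, parent = null) {
  const out = [];
  for (const [name, value] of Object.entries(obj)) {
    if (typeof value === 'string') out.push({ parent, name, range: value });
    else if (value && typeof value === 'object') out.push(...flattenOverrides(value, name));
  }
  return out;
}

// Leading major version of "7.0.7", "^7.0.5" or "~11.1.1"; NaN otherwise.
function major(rangeOrVersion) {
  const m = /^[\^~]?(\d+)\./.exec(rangeOrVersion);
  return m ? Number(m[1]) : NaN;
}

// Package that owns a nested lock path, e.g.
// "node_modules/sockjs/node_modules/uuid" -> "sockjs"; null when hoisted.
function parentOf(lockPath) {
  const cut = lockPath.lastIndexOf('/node_modules/');
  if (cut < 0) return null;
  const parentPath = lockPath.slice(0, cut);
  return parentPath.slice(parentPath.lastIndexOf('node_modules/') + 'node_modules/'.length);
}

// Every installed copy of `name` (scoped names such as @babel/core work too).
function installedCopies(lock, name) {
  const suffix = `node_modules/${name}`;
  const copies = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (!entry || !entry.version) continue;
    if (key === suffix || key.endsWith(`/${suffix}`)) {
      copies.push({ path: key, version: entry.version });
    }
  }
  return copies;
}

// ok: every copy in scope (all copies, or only those under `parent`) is at
// the expected major. outOfScope lists the copies the override must leave
// alone, so a reviewer can see that e.g. mermaid's uuid was not moved.
function checkOverride(lock, name, expectedMajor, parent = null) {
  const copies = installedCopies(lock, name);
  const inScope = parent === null ? copies : copies.filter((c) => parentOf(c.path) === parent);
  const outOfScope = copies.filter((c) => !inScope.includes(c));
  const ok = inScope.length > 0 && inScope.every((c) => major(c.version) === expectedMajor);
  return { ok, inScope, outOfScope };
}

// Run every override from `overridesObj` against `lock`.
function auditLock(lock, overridesObj = overrides) {
  return flattenOverrides(overridesObj).map((o) => ({
    ...o,
    ...checkOverride(lock, o.name, major(o.range), o.parent),
  }));
}

// Against the real file: replace sampleLock with
// JSON.parse(fs.readFileSync('website/package-lock.json', 'utf8')).
console.log(JSON.stringify(auditLock(sampleLock), null, 2));
```

For the sample lock the report shows the serialize-javascript override satisfied by the single hoisted copy at 7.0.7, and the uuid override satisfied only by `node_modules/sockjs/node_modules/uuid` at 11.1.1 with the hoisted 14.x copy listed under `outOfScope`. Running the same check on the real website/package-lock.json after `npm install` is a cheap way to confirm, in review, that a scoped override landed where the PR says it did and did not silently move another consumer onto a new major.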