#21 fix(security): patch protobufjs, xmldom, axios, basic-ftp vulns (APS-18824, APS-18823, APS-18720, APS-18663)
Merged
karanshah-browserstack merged 2 commits into main on Apr 21, 2026
Conversation
…ios overrides

- Add protobufjs (^7.5.5) override to patch arbitrary code execution (APS-18824, GHSA-xq3m-2v4x-88gg)
- Add basic-ftp (>=5.2.2) override to patch FTP CRLF command injection (APS-18663, GHSA-chqc-8p9q-pq6q)
- Regenerate package-lock.json so existing @xmldom/xmldom (APS-18823) and axios (APS-18720) overrides take effect

Resulting installed versions:
  @xmldom/xmldom 0.9.8 -> 0.9.10
  axios 1.13.2 -> 1.15.1
  basic-ftp 5.2.0 -> 5.3.0
  protobufjs 7.5.4 -> 7.5.5

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
playwright 1.59.x is newer than the version currently supported by BrowserStack's browserstack-node-sdk codeceptjs integration; sessions launched but never received WebDriver commands, leading to 120s per-session timeouts. Pinning to 1.58.1 (the latest BrowserStack-supported release) restores end-to-end execution.

Verified with two clean runs against the patched lockfile:
- sample-test: 3 passed in 24s (build 0f982a520e2e9e3bb340f44e211cea81f57e796e)
- sample-local-test: 3 passed in 18s (build ee92272577f3ec111596e0dccc67ee1df3118cfc)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
avinash-bharti approved these changes on Apr 21, 2026
Summary
Resolves four security advisories flagged against package-lock.json on this repo:

- protobufjs
- @xmldom/xmldom
- axios
- basic-ftp

Changes
- package.json: add protobufjs and basic-ftp to the overrides block. Existing @xmldom/xmldom and axios overrides are retained; the stale lockfile is regenerated so they take effect.
- playwright pinned to 1.58.1 (from ^1.41.2, which was resolving to 1.59.1). 1.59.x is not yet supported by browserstack-node-sdk; sessions connected but never received WebDriver commands, leading to per-test timeouts.
- package-lock.json: regenerated from scratch. All four transitive dependencies now resolve to patched versions.

Verification
- npm audit: none of the four target GHSAs remain in the tree.
- require() smoke test: all four packages load; public APIs (DOMParser, axios.get, Client, Root) intact.
- npm ls --all: no invalid/missing entries; only a single install of each package.

End-to-end on BrowserStack
Both sample flows executed cleanly against the patched lockfile + pinned playwright (3 parallel platforms each: Win11 Chrome, OSX Ventura playwright-webkit, Win11 playwright-firefox):
- npm run sample-test
- npm run sample-local-test

Build URLs + session IDs are also attached as comments on each Jira ticket.
Test plan
- npm install resolves cleanly on a fresh checkout
- npm run sample-test passes end-to-end against BrowserStack
- npm run sample-local-test passes end-to-end with BrowserStack Local
- npm audit

🤖 Generated with Claude Code
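The PR's root cause for @xmldom/xmldom and axios was an override that already existed in package.json while a stale package-lock.json still pinned nested copies of the old versions, so `npm audit` kept flagging them. The script below is an added example, not code from this PR or from browserstack-node-sdk: it walks a lockfile v3 `packages` map, resolves each entry to its package name (the segment after the last `node_modules/`, so nested duplicates are caught), and reports every copy that falls below the minimum the override demands. The lockfile and the override ranges for @xmldom/xmldom and axios are constructed for the example; the PR only quotes the ranges for protobufjs (^7.5.5) and basic-ftp (>=5.2.2), so the other two minimums are taken from the resulting installed versions listed in the commit message.

```javascript
// Added example (not the PR's own code): find lockfile entries that an
// override should have bumped but did not, e.g. because the lockfile was
// never regenerated after the override was added.

// Minimum acceptable range per package. protobufjs and basic-ftp match the
// PR's overrides; the @xmldom/xmldom and axios ranges are assumed from the
// versions the PR reports as installed.
const MIN_VERSIONS = {
  protobufjs: "^7.5.5",
  "@xmldom/xmldom": ">=0.9.10",
  axios: ">=1.15.1",
  "basic-ftp": ">=5.2.2",
};

// Constructed lockfile v3 fragment. Top-level copies are patched, but a
// nested copy of axios under a hypothetical "some-sdk" is still the old 1.13.2.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample", version: "1.0.0" },
    "node_modules/axios": { version: "1.15.1" },
    "node_modules/protobufjs": { version: "7.5.5" },
    "node_modules/@xmldom/xmldom": { version: "0.9.10" },
    "node_modules/basic-ftp": { version: "5.3.0" },
    "node_modules/some-sdk/node_modules/axios": { version: "1.13.2" },
  },
};

// Parse "major.minor.patch"; prerelease/build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// -1, 0 or 1 in the usual numeric order on the three components.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Lower bound of an override range. Only the simple forms seen in the PR
// ("^x.y.z", "~x.y.z", ">=x.y.z", "x.y.z") are accepted; anything else is
// rejected rather than guessed at.
function minimumFromRange(range) {
  const m = /^(?:\^|~|>=)?(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  return m[1];
}

// Package name from a lockfile path: everything after the last "node_modules/".
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function packageNameFromPath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? null : path.slice(idx + marker.length);
}

// Every lockfile entry for a watched package whose version is below the minimum.
function findStaleCopies(lockfile, minVersions = MIN_VERSIONS) {
  const stale = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    const name = packageNameFromPath(path);
    if (!name || !(name in minVersions) || !entry.version) continue;
    const required = minimumFromRange(minVersions[name]);
    if (compareVersions(entry.version, required) < 0) {
      stale.push({ path, name, version: entry.version, required });
    }
  }
  return stale;
}

// Watched packages with no entry in package.json's overrides block.
function missingOverrides(pkgJson, minVersions = MIN_VERSIONS) {
  const overrides = pkgJson.overrides || {};
  return Object.keys(minVersions).filter((name) => !(name in overrides));
}

const staleCopies = findStaleCopies(SAMPLE_LOCKFILE);
for (const s of staleCopies) {
  console.log(`${s.path}: ${s.version} < ${s.required} (override not applied)`);
}
```

Run against a real checkout by replacing `SAMPLE_LOCKFILE` with `JSON.parse(fs.readFileSync("package-lock.json"))` and passing the parsed package.json to `missingOverrides`. A non-empty result from `findStaleCopies` after adding an override is the signature of the situation this PR fixed: the override is present but `npm install` has not rewritten the lockfile, so `npm ci` on a fresh checkout still installs the vulnerable nested copy.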