Skip to content

APPSEC-449: bump npm deps to fixed versions — closes 7 CVE tickets#18

Open
amitsi-bs wants to merge 1 commit into
mainfrom
sec/LTS-2594-wdio-npm-cve-bumps
Open

APPSEC-449: bump npm deps to fixed versions — closes 7 CVE tickets#18
amitsi-bs wants to merge 1 commit into
mainfrom
sec/LTS-2594-wdio-npm-cve-bumps

Conversation

@amitsi-bs

@amitsi-bs amitsi-bs commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

APPSEC-449 — WebdriverIO sample dependency-CVE bumps

Transitive (package-lock.json) deps bumped to fixed versions via the overrides block in package.json. Verified with npm audit (27 → 6 advisories; the 6 remaining are non-ticketed deps). All chosen versions — including transitives — satisfy the repo's .npmrc min-release-age=7 (≥7 days old).

Ticket Package Change Advisory
LTS-2594 minimatch readdir-glob→^5.1.8 now applied (5.1.6 → 5.1.9) ReDoS (5.0.0–5.1.7)
LTS-2753 basic-ftp ^5.2.0^5.3.1 (5.3.1) GHSA-rpmf/rp42/chqc/6v7q (CRLF/FTP cmd inj + DoS, ≤5.3.0)
LTS-3158 fast-uri add ^3.1.3 GHSA-q3j6/v39h (path traversal + host confusion, ≤3.1.1)
LTS-3159 fast-xml-builder add 1.2.1 attribute-quote bypass (≤1.1.6)
LTS-3411 tmp add 0.2.7 GHSA-7c78-jf6q-g5cm (path traversal, 0.2.6)
LTS-3907 esbuild add ^0.28.1 dev-server arbitrary file read (0.27.3–0.28.0)
LTS-4206 undici webdriver→^6.27.0, cheerio→^7.28.0 TLS-cert bypass / header injection / DoS / cache poisoning

Notes

  • min-release-age: the newest fast-xml-builder (1.3.0) pulls path-expression-matcher@1.6.2 (published <7 days ago → blocked by min-release-age=7). So fast-xml-builder is pinned to 1.2.1 and path-expression-matcher to 1.6.1 to keep the whole subtree ≥7 days old.
  • undici / tmp: npm audit fix would only resolve these via a semver-major downgrade of browserstack-node-sdk; the scoped overrides fix them while keeping the SDK at 1.61.0.
  • package-lock.json was regenerated (npm 11) — expect a large reformatting diff; net package count is essentially unchanged (~854).

✅ LTS-2754 (lodash) — ALREADY SOLVED, no change in this PR

Reviewer note: lodash does not need a fix here — it was already remediated by an earlier PR. lodash resolves to 4.18.1 (≥ the fixed 4.18.0) and npm audit does not flag it.

  • Fixed by LTS-3295: add supply-chain hardened .npmrc #15 (LTS-3295: add supply-chain hardened .npmrc), commit b12f55b, merged 2026-07-07 — the SDK bump in that PR regenerated package-lock.json and floated lodash 4.17.21 → 4.18.1 (side effect).
  • The LTS-2754 ticket predates that fix (scan-time lag), so it reads as open but the code is already patched. Mark LTS-2754 as already-solved / resolved — nothing to review here.

…ns (overrides)

Security dependency-CVE bumps (APPSEC-449) via package.json `overrides`. All are
transitive (package-lock) deps; verified with npm audit. Versions chosen to satisfy
the repo's .npmrc min-release-age=7 (all >=7 days old, incl. transitives):

- basic-ftp ^5.2.0 -> ^5.3.1 (5.3.1): CRLF/FTP cmd injection + DoS. LTS-2753
- fast-uri +^3.1.3 (3.1.3): path traversal + host confusion. LTS-3158
- fast-xml-builder +1.2.1: attribute-quote bypass (<=1.1.6). LTS-3159
  (+ pinned path-expression-matcher 1.6.1 to keep its transitive min-release-age-safe;
   1.6.2 is <7 days old)
- tmp +0.2.7: path traversal via non-string template (0.2.6). LTS-3411
- esbuild +^0.28.1: dev-server arbitrary file read (0.27.3-0.28.0). LTS-3907
- undici webdriver ^6.24.0 -> ^6.27.0 (6.27.0) + cheerio ^7.24.0 -> ^7.28.0 (7.28.0):
  TLS-cert bypass / header injection / DoS / cache poisoning. LTS-4206
- minimatch (readdir-glob path) 5.1.6 -> 5.1.9 via existing ^5.1.8 override, now
  applied by regenerated lockfile: ReDoS (5.0.0-5.1.7). LTS-2594

Verified: npm audit no longer flags any of the above (27 -> 6 advisories; the 6
remaining are non-ticketed deps). lodash (LTS-2754) already resolves safe - no change.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@amitsi-bs amitsi-bs requested a review from a team as a code owner July 12, 2026 15:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant