fix(security): override 5 transitive dep vulnerabilities from npm audit #100

Merged
maximus merged 1 commit from issue-95-99-deps-overrides into master 2026-07-01 00:33:14 +00:00
Owner

Resume

Batch fix pour 5 vulnerabilites deps trouvees par le meme scan Defenseur (2026-06-30). Toutes resolubles par overrides scopes dans le meme bloc package.json, aucun code applicatif touche.

Issue Package Fix Risque
#95 shell-quote (CRITICAL) react-devtools-core.shell-quote -> ^1.8.4 Nul (dev-only)
#96 undici (HIGH) @expo/cli.undici -> ^6.27.0 Nul (dev-only)
#97 ws (HIGH) 4 nouveaux scopes -> ^7.5.11 Medium -- seul cas touchant runtime dev (Fast Refresh, dev-middleware)
#98 js-yaml (MEDIUM) 2 scopes distincts (majors incompatibles) Nul (dev-only)
#99 tar (MEDIUM) @expo/cli.tar -> ^7.5.19 Nul (dev-only)

Note sur #97 : CVE differente de celle deja fixee en #92/#94 (override @expo/cli.ws existant intact). Aucun bump amont de react-native ne corrige ce probleme.

Verification

  • npm audit : 0 finding sur les 5 packages (seul @babel/core LOW subsiste, hors scope)
  • npm test (smoke) : vert
  • npx expo start : Metro Bundler boot propre, /status repond 200 -- valide que le bump ws (le seul a risque runtime) ne casse pas le dev server

Test plan

  • npm audit clean sur shell-quote, undici, ws, js-yaml, tar
  • npm test (smoke) vert
  • Metro Bundler boot + /status 200
  • Build EAS preview Android (sanity check final avant merge)
## Resume Batch fix pour 5 vulnerabilites deps trouvees par le meme scan Defenseur (2026-06-30). Toutes resolubles par overrides scopes dans le meme bloc package.json, aucun code applicatif touche. | Issue | Package | Fix | Risque | |---|---|---|---| | #95 | shell-quote (CRITICAL) | react-devtools-core.shell-quote -> ^1.8.4 | Nul (dev-only) | | #96 | undici (HIGH) | @expo/cli.undici -> ^6.27.0 | Nul (dev-only) | | #97 | ws (HIGH) | 4 nouveaux scopes -> ^7.5.11 | Medium -- seul cas touchant runtime dev (Fast Refresh, dev-middleware) | | #98 | js-yaml (MEDIUM) | 2 scopes distincts (majors incompatibles) | Nul (dev-only) | | #99 | tar (MEDIUM) | @expo/cli.tar -> ^7.5.19 | Nul (dev-only) | Note sur #97 : CVE differente de celle deja fixee en #92/#94 (override @expo/cli.ws existant intact). Aucun bump amont de react-native ne corrige ce probleme. ## Verification - npm audit : 0 finding sur les 5 packages (seul @babel/core LOW subsiste, hors scope) - npm test (smoke) : vert - npx expo start : Metro Bundler boot propre, /status repond 200 -- valide que le bump ws (le seul a risque runtime) ne casse pas le dev server ## Test plan - [x] npm audit clean sur shell-quote, undici, ws, js-yaml, tar - [x] npm test (smoke) vert - [x] Metro Bundler boot + /status 200 - [ ] Build EAS preview Android (sanity check final avant merge)
maximus added 1 commit 2026-07-01 00:21:19 +00:00
Adds scoped overrides for shell-quote (GHSA-w7jw-789q-3m8p, critical),
undici (4 CVEs, high), ws (GHSA-96hv-2xvq-fx4p, high — distinct from the
CVE already fixed in #92/#94), js-yaml (GHSA-h67p-54hq-rp68, moderate,
two incompatible majors need separate scopes), and tar
(GHSA-vmf3-w455-68vh, moderate). All 5 are dev-tooling-only (Expo CLI,
Metro, react-devtools-core) with no runtime app code path.

Verified: npm audit clean on all 5 packages, smoke test passes, Metro
Bundler boots and serves /status normally after the ws bump (the only
scope touching Fast Refresh/dev-middleware runtime).

Fixes #95, Fixes #96, Fixes #97, Fixes #98, Fixes #99

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
maximus added the
type:security
source:defenseur
labels 2026-07-01 00:21:37 +00:00
maximus merged commit 9ccc9f4a9d into master 2026-07-01 00:33:14 +00:00
Sign in to join this conversation.
No reviewers
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: maximus/simpl-liste#100
No description provided.