
Update dependencies to fix npm vulnerability warnings#168

Open
danleh wants to merge 1 commit into GoogleChromeLabs:main from danleh:main

Conversation

@danleh danleh commented Jan 14, 2026

...by running `npm audit fix --force`, which bumped several major versions.

Before, we got several warnings:

```text
~/jsvu$ npm audit
# npm audit report

cross-spawn  <6.0.6
Severity: high
Regular Expression Denial of Service (ReDoS) in cross-spawn - https://github.com/advisories/GHSA-3xgq-45jj-v275
fix available via `npm audit fix --force`
Will install update-notifier@7.3.1, which is a breaking change
node_modules/term-size/node_modules/cross-spawn
  execa  0.5.0 - 0.9.0
  Depends on vulnerable versions of cross-spawn
  node_modules/term-size/node_modules/execa
    term-size  1.0.0 - 1.2.0
    Depends on vulnerable versions of execa
    node_modules/term-size
      boxen  1.2.0 - 3.2.0
      Depends on vulnerable versions of term-size
      node_modules/boxen
        update-notifier  0.2.0 - 5.1.0
        Depends on vulnerable versions of boxen
        Depends on vulnerable versions of latest-version
        node_modules/update-notifier

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install got@14.6.6, which is a breaking change
node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version

tar  <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
fix available via `npm audit fix --force`
Will install tar@7.5.2, which is a breaking change
node_modules/tar

tmp  <=0.2.3
tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter - https://github.com/advisories/GHSA-52f5-9888-hmc6
fix available via `npm audit fix --force`
Will install inquirer@13.2.0, which is a breaking change
node_modules/tmp
  external-editor  >=1.1.1
  Depends on vulnerable versions of tmp
  node_modules/external-editor
    inquirer  3.0.0 - 8.2.6 || 9.0.0 - 9.3.7
    Depends on vulnerable versions of external-editor
    node_modules/inquirer

12 vulnerabilities (3 low, 4 moderate, 5 high)

To address all issues (including breaking changes), run:
  npm audit fix --force
```

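The report above lists every package on each dependency chain as a separate "vulnerability", and `npm audit fix --force` resolves all of them at once by bumping major versions. Before accepting a forced fix in CI it helps to know which findings are the actual advisories, which direct dependency each chain leads back to, and whether the fix npm proposes is a breaking bump or not. The following is an added example, not code from the jsvu project or this PR: a small Node script that triages a machine-readable `npm audit --json` report. It assumes the npm 7+ report shape (`auditReportVersion: 2`, a `vulnerabilities` map keyed by package name, each entry carrying `severity`, `range`, `isDirect`, `via`, `effects`, `nodes` and a `fixAvailable` that is either a boolean or `{name, version, isSemVerMajor}`). The sample report is constructed by hand to mirror the cross-spawn chain from the PR description, with `isDirect` on update-notifier assumed for illustration, plus one hypothetical package (`hypothetical-pkg`, with a made-up advisory URL) to show the non-breaking branch.

```javascript
// Added example (not part of jsvu or the PR): triage an `npm audit --json` report.
// Report shape is the npm 7+ "auditReportVersion: 2" format as assumed in the text.
// SAMPLE_REPORT is constructed by hand; only the cross-spawn chain mirrors the PR.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "cross-spawn": {
      name: "cross-spawn", severity: "high", isDirect: false, range: "<6.0.6",
      via: [{ name: "cross-spawn", severity: "high", range: "<6.0.6",
              title: "Regular Expression Denial of Service (ReDoS) in cross-spawn",
              url: "https://github.com/advisories/GHSA-3xgq-45jj-v275" }],
      effects: ["execa"], nodes: ["node_modules/term-size/node_modules/cross-spawn"],
      fixAvailable: { name: "update-notifier", version: "7.3.1", isSemVerMajor: true },
    },
    execa: { name: "execa", severity: "high", isDirect: false, range: "0.5.0 - 0.9.0",
      via: ["cross-spawn"], effects: ["term-size"], nodes: ["node_modules/term-size/node_modules/execa"],
      fixAvailable: { name: "update-notifier", version: "7.3.1", isSemVerMajor: true } },
    "term-size": { name: "term-size", severity: "high", isDirect: false, range: "1.0.0 - 1.2.0",
      via: ["execa"], effects: ["boxen"], nodes: ["node_modules/term-size"],
      fixAvailable: { name: "update-notifier", version: "7.3.1", isSemVerMajor: true } },
    boxen: { name: "boxen", severity: "high", isDirect: false, range: "1.2.0 - 3.2.0",
      via: ["term-size"], effects: ["update-notifier"], nodes: ["node_modules/boxen"],
      fixAvailable: { name: "update-notifier", version: "7.3.1", isSemVerMajor: true } },
    // isDirect: true is an assumption made for this example, not taken from the PR.
    "update-notifier": { name: "update-notifier", severity: "high", isDirect: true, range: "0.2.0 - 5.1.0",
      via: ["boxen"], effects: [], nodes: ["node_modules/update-notifier"],
      fixAvailable: { name: "update-notifier", version: "7.3.1", isSemVerMajor: true } },
    // Hypothetical package and advisory, constructed to show a non-breaking fix.
    "hypothetical-pkg": { name: "hypothetical-pkg", severity: "low", isDirect: true, range: "<1.0.1",
      via: [{ name: "hypothetical-pkg", severity: "low", range: "<1.0.1",
              title: "constructed advisory for illustration", url: "https://example.invalid/advisory" }],
      effects: [], nodes: ["node_modules/hypothetical-pkg"], fixAvailable: true },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 5, critical: 0, total: 6 } },
};

const SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"];

// An entry whose `via` holds an advisory object is an actually vulnerable package;
// an entry whose `via` is only package-name strings just depends on one. npm counts
// both, which is why the headline count exceeds the number of distinct advisories.
function rootCauses(report) {
  return Object.values(report.vulnerabilities)
    .filter((v) => v.via.some((x) => typeof x === "object"))
    .map((v) => ({
      name: v.name,
      severity: v.severity,
      range: v.range,
      advisories: v.via.filter((x) => typeof x === "object").map((x) => x.url),
    }));
}

// Walk `effects` upward until reaching packages declared in package.json (isDirect).
// A visited set guards against cyclic dependency graphs.
function directDependentsOf(report, name) {
  const vulns = report.vulnerabilities;
  const direct = new Set();
  const seen = new Set();
  const stack = [name];
  while (stack.length) {
    const cur = stack.pop();
    if (seen.has(cur)) continue;
    seen.add(cur);
    const entry = vulns[cur];
    if (!entry) continue;
    if (entry.isDirect) direct.add(cur);
    for (const e of entry.effects) stack.push(e);
  }
  return [...direct].sort();
}

// Partition root causes by what fixing them costs: a plain `npm audit fix`,
// a semver-major bump (what `--force` would apply), or no fix at all.
function triage(report) {
  const out = { inPlace: [], breaking: [], unfixable: [] };
  for (const rc of rootCauses(report)) {
    const fix = report.vulnerabilities[rc.name].fixAvailable;
    const item = { ...rc, directDependents: directDependentsOf(report, rc.name) };
    if (fix === true) out.inPlace.push(item);
    else if (fix && fix.isSemVerMajor) out.breaking.push({ ...item, bump: `${fix.name}@${fix.version}` });
    else if (fix) out.inPlace.push({ ...item, bump: `${fix.name}@${fix.version}` });
    else out.unfixable.push(item);
  }
  return out;
}

// CI gate on root causes only, same idea as `npm audit --audit-level=<level>`.
function failsGate(report, threshold) {
  const min = SEVERITY_ORDER.indexOf(threshold);
  return rootCauses(report).some((rc) => SEVERITY_ORDER.indexOf(rc.severity) >= min);
}

console.log(JSON.stringify(triage(SAMPLE_REPORT), null, 2));
console.log("fails high gate:", failsGate(SAMPLE_REPORT, "high"));
```

To run it against a real checkout, replace `SAMPLE_REPORT` with the parsed output of `npm audit --json > audit.json || true` (npm exits non-zero when it finds anything, so the `|| true` keeps the redirect from aborting a `set -e` script). The `breaking` bucket, with its `bump` and `directDependents` fields, is the list to review by hand before running `--force`, since each entry names the direct dependency whose major version will change.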

danleh commented Jan 14, 2026

@mathiasbynens This came up in the context of JetStream 3 (which uses jsvu for running in shells on CI), where I stumbled upon these warnings in jsvu.

danleh added a commit to danleh/JetStream that referenced this pull request Jan 14, 2026
There are 13 remaining because of jsvu, see upstream change GoogleChromeLabs/jsvu#168. Once that lands, we can bump jsvu here as well.

danleh commented Jan 19, 2026

Alternatively, @LeszekSwirski could you take a brief look?
