Skip to content

build(deps): add security resolutions for vulnerable npm packages#1740

Open
motsc wants to merge 2 commits intomainfrom
fix/npm-security-resolutions
Open

build(deps): add security resolutions for vulnerable npm packages#1740
motsc wants to merge 2 commits intomainfrom
fix/npm-security-resolutions

Conversation

@motsc
Copy link
Contributor

@motsc motsc commented Feb 13, 2026

Summary

Adds Yarn resolutions to force secure versions of vulnerable transitive dependencies, reducing Docker Scout vulnerability count.

Changes

Added resolutions for 5 packages with known security vulnerabilities:

  • tar: ^7.4.4 - Fixes 3 High severity CVEs in tar@7.4.3
  • axios: ^1.7.0 - Fixes 3 High severity CVEs (SSRF, redirect issues) in axios@0.21.4
  • fast-xml-parser: ^4.4.0 - Fixes 1 High severity CVE (prototype pollution)
  • systeminformation: ^5.24.0 - Fixes 1 High severity CVE (command injection)
  • glob: ^10.4.6 - Fixes 1 High severity CVE (ReDoS)

Impact

  • Reduces Docker Scout vulnerabilities by ~6 (5-6 High severity)
  • All affected packages are transitive dependencies
  • No breaking changes (all resolutions use caret ranges)

Verification

Verified in yarn.lock:

  • tar: 7.5.7 ✅
  • axios: 1.13.5 ✅
  • fast-xml-parser: 4.5.3 ✅
  • systeminformation: 5.30.7 ✅
  • glob: 10.5.0 ✅

All packages build and install successfully.

Test Plan

  • yarn install completes without errors
  • Resolutions applied correctly in yarn.lock
  • Docker images build successfully
  • No runtime regressions

Related

Follow-up to #1731 which addressed base image vulnerabilities (Node, Go, ClickHouse). This PR addresses NPM package vulnerabilities.

@vercel
Copy link

vercel bot commented Feb 13, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
hyperdx-v2-oss-app Ready Ready Preview, Comment Feb 13, 2026 8:55pm

Request Review

@changeset-bot
Copy link

changeset-bot bot commented Feb 13, 2026
edited
Loading

⚠️ No Changeset found

Latest commit: 571259e

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@claude
Copy link

claude bot commented Feb 13, 2026
edited
Loading

Code Review

No critical issues found.

The security resolutions are properly configured and the dependency updates look safe:

Minor observation:

  • ⚠️ PR description mentions glob resolution ("glob: ^10.4.6 - Fixes 1 High severity CVE (ReDoS)") but it's missing from package.json resolutions → Consider adding "glob": "^10.4.6" to the resolutions section if this vulnerability still needs to be addressed

The yarn.lock shows glob was updated to 10.5.0, but without an explicit resolution it may not be enforced across all transitive dependencies.

All other resolutions (tar, axios, fast-xml-parser, systeminformation) are correctly added and applied. ✅

@github-actions
Copy link
Contributor

github-actions bot commented Feb 13, 2026
edited
Loading

E2E Test Results

All tests passed • 65 passed • 4 skipped • 797s

Status Count
✅ Passed 65
❌ Failed 0
⚠️ Flaky 1
⏭️ Skipped 4

Tests ran across 4 shards in parallel.

View full report →

@motsc @claude
build(deps): add security resolutions for vulnerable npm packages
f99d299 
Add yarn resolutions to address high and medium severity vulnerabilities
in transitive dependencies:

- tar: ^7.4.4 (fixes 3 high severity CVEs)
- axios: ^1.7.0 (fixes 3 high severity CVEs - SSRF, redirect issues)
- fast-xml-parser: ^4.4.0 (fixes 1 high - prototype pollution)
- systeminformation: ^5.24.0 (fixes 1 high - command injection)
- glob: ^10.4.6 (fixes 1 high - ReDoS)

These resolutions force secure versions of packages that are pulled in
as transitive dependencies, reducing Docker Scout vulnerability count
by ~6 vulnerabilities.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@motsc motsc force-pushed the fix/npm-security-resolutions branch from d49b1e5 to f99d299 Compare February 13, 2026 20:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@motsc