
Conversation

@pmachapman pmachapman commented Dec 8, 2025

This PR fixes the following issues raised via npm audit in the RealtimeServer:

# npm audit report

js-yaml  <3.14.2 || >=4.0.0 <4.1.1
Severity: moderate
js-yaml has prototype pollution in merge (<<) - https://github.com/advisories/GHSA-mh29-5h37-fv8m
js-yaml has prototype pollution in merge (<<) - https://github.com/advisories/GHSA-mh29-5h37-fv8m
fix available via `npm audit fix`
node_modules/@istanbuljs/load-nyc-config/node_modules/js-yaml
node_modules/js-yaml

jws  <3.2.3
Severity: high
auth0/node-jws Improperly Verifies HMAC Signature - https://github.com/advisories/GHSA-869p-cjfg-cm3x
fix available via `npm audit fix`
node_modules/jws

2 vulnerabilities (1 moderate, 1 high)

And in ClientApp (by upgrading to the latest Angular 20.3.x):

# npm audit report

@angular/common  20.0.0-next.0 - 20.3.13
Severity: high
Angular is Vulnerable to XSRF Token Leakage via Protocol-Relative URLs in Angular HTTP Client - https://github.com/advisories/GHSA-58c5-g7wp-6w37
fix available via `npm audit fix`
node_modules/@angular/common

@angular/compiler  20.0.0-next.0 - 20.3.14
Severity: high
Angular Stored XSS Vulnerability via SVG Animation, SVG URL and MathML Attributes - https://github.com/advisories/GHSA-v4hv-rgfq-gp49
fix available via `npm audit fix`
node_modules/@angular/compiler

@modelcontextprotocol/sdk  <1.24.0
Severity: high
Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default - https://github.com/advisories/GHSA-w48q-cv73-mx4w
fix available via `npm audit fix`
node_modules/@modelcontextprotocol/sdk
  @angular/cli  20.1.0-next.0 - 20.3.12 || 21.0.0-next.0 - 21.0.1 || 21.1.0-next.0
  Depends on vulnerable versions of @modelcontextprotocol/sdk
  node_modules/@angular/cli

body-parser  2.2.0
Severity: moderate
body-parser is vulnerable to denial of service when url encoding is used - https://github.com/advisories/GHSA-wqch-xfxh-vrr4
fix available via `npm audit fix`
node_modules/body-parser

js-yaml  <3.14.2 || >=4.0.0 <4.1.1
Severity: moderate
js-yaml has prototype pollution in merge (<<) - https://github.com/advisories/GHSA-mh29-5h37-fv8m
js-yaml has prototype pollution in merge (<<) - https://github.com/advisories/GHSA-mh29-5h37-fv8m
fix available via `npm audit fix`
node_modules/@istanbuljs/load-nyc-config/node_modules/js-yaml
node_modules/istanbul/node_modules/js-yaml
node_modules/js-yaml

node-forge  <=1.3.1
Severity: high
node-forge has ASN.1 Unbounded Recursion - https://github.com/advisories/GHSA-554w-wpv2-vw27     
node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization - https://github.com/advisories/GHSA-5gfm-wpxj-wjgq
node-forge is vulnerable to ASN.1 OID Integer Truncation - https://github.com/advisories/GHSA-65ch-62r8-g69g
fix available via `npm audit fix`
node_modules/node-forge

7 vulnerabilities (2 moderate, 5 high)

See:


@pmachapman pmachapman added e2e Run e2e tests for this pull request testing not required labels Dec 8, 2025

codecov bot commented Dec 8, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 82.82%. Comparing base (b5126d9) to head (abc4fbb).
⚠️ Report is 1 commits behind head on master.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #3609   +/-   ##
=======================================
  Coverage   82.82%   82.82%           
=======================================
  Files         610      610           
  Lines       37398    37398           
  Branches     6151     6127   -24     
=======================================
  Hits        30974    30974           
- Misses       5478     5491   +13     
+ Partials      946      933   -13     

☔ View full report in Codecov by Sentry.

@pmachapman pmachapman added e2e Run e2e tests for this pull request and removed e2e Run e2e tests for this pull request labels Dec 8, 2025
@marksvc marksvc self-assigned this Dec 11, 2025

@marksvc marksvc left a comment

Thank you!

@marksvc marksvc enabled auto-merge (squash) December 11, 2025 23:24
@marksvc marksvc merged commit 9c1483e into master Dec 11, 2025
22 checks passed
@marksvc marksvc deleted the fix/dependabot-alerts branch December 11, 2025 23:31