fix(security): audit follow-up — advisory ignores, client dep patches, cleanup#513
Merged
Conversation
The advisory requires a custom log::Log implementation that calls rand::thread_rng() during logging. Kaiku uses tracing/tracing-subscriber, not the log facade, so this configuration does not exist in our codebase. Bumping direct deps to rand 0.9 would not remove the transitive 0.8.5 (many upstreams still pin 0.8: fred, jsonwebtoken, openidconnect, webrtc, sqlx-postgres, vodozemac, etc.) and would require breaking API changes. Documented in deny.toml with full justification. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
dompurify 3.x ships its own TypeScript types, so @types/dompurify is redundant. The types package additionally pulls in an older dompurify@3.3.1 as a dependency, which still has the runtime XSS advisories that we already fixed by bumping the direct dompurify to 3.3.3. Removes 4 of 21 audit findings (the runtime-critical dompurify cluster): - mutation-XSS via Re-Contextualization (GHSA-h8r8-wccr-v5f2) - XSS via Re-Contextualization (GHSA-v2wj-7wpq-c8vv) - ADD_ATTR predicate skips URI validation (GHSA-cjmm-f4jc-qw8r) Remaining 17 audit findings are devtime/build-tool transitives (vite dev-server fs.deny bypass, picomatch ReDoS, rollup path traversal) that don't affect production. They should be addressed in a follow-up PR after updating vitest+vite-plugin-solid in lockstep. 577/577 client tests passing. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Two files were accidentally committed in #405 "clean up untracked files": - client/os (3.7 MB ImageMagick PostScript dump, 47,910 lines) - client/voicechat-client-0.1.0.tgz (44 MB npm pack tarball) Adds *.tgz, *.tar.gz, client/os to .gitignore to prevent recurrence. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Explain why we're pinned to Detair/scap fork: upstream scap 0.1.0-beta.1 has a Frame enum restructure that broke the Linux pipewire backend. Our fork adapts the Linux backend + a Windows fix. Upstream PR CapSoftware/scap#178 would fix this but has been open since 2025-10-26. Once merged and released, drop the git dep and pin to the next scap release. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Detair
force-pushed
the
fix/security-audit-followup
branch
from
55cb01f to
dae01fb
Compare
Detair
added a commit
that referenced
this pull request
Apr 11, 2026
Four independent sub-projects from the post-#512 audit: 1. Devtime advisories — retry overrides on a regular branch (was bun worktree bug in #513), fall back to lockstep dep updates 2. osv-scanner CI job — independent advisory source via OSV database, scheduled weekly + on PRs/main 3. scap fork cleanup — re-test upstream main HEAD; if Linux now builds, drop the Detair fork; otherwise open a narrow upstream PR 4. CI #900/900 flake — root caused to CleanupGuard's no-timeout join in Drop. Stopgap (bounded join) + proper fix (#[must_use] type-state + explicit cleanup().await migration). Each topic gets its own implementation plan and PR. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Detair
added a commit
that referenced
this pull request
Apr 11, 2026
One plan per spec topic, all independent and shippable separately. Recommended implementation order (per spec): Topic 4 → 1 → 2 → 3. - 2026-04-11-cleanup-guard-test-flake.md (Topic 4, 14 tasks) — fix the CleanupGuard CI flake. Layer 1 stopgap (bounded join), Layer 2 explicit cleanup() method + ~136 test-site migration across 16 files, Layer 3 panic activation deferred to follow-up issue. - 2026-04-11-client-devtime-advisories.md (Topic 1, 5 tasks) — apply package.json overrides on a regular branch (not worktree, to avoid PR #513's bun bug). Plan A overrides + Plan B lockstep dep updates fallback + mermaid lazy-load investigation. - 2026-04-11-osv-scanner-ci.md (Topic 2, 2 tasks) — add osv-scanner job to existing security.yml. Pinned to v2.3.5 (no v2 floating tag exists upstream). HIGH+ severity gate. SARIF upload to Security tab. - 2026-04-11-scap-fork-cleanup.md (Topic 3, 3 tasks) — test if upstream CapSoftware/scap main HEAD now builds vc-client on Linux. If yes, drop Detair fork (Task 2). If no, open narrow upstream PR (Task 3, requires user authorization). All 4 plans peer-reviewed and approved by spec-document-reviewer. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Detair
added a commit
that referenced
this pull request
Apr 11, 2026
…ans (#514) * docs(infra): add security audit follow-ups design Four independent sub-projects from the post-#512 audit: 1. Devtime advisories — retry overrides on a regular branch (was bun worktree bug in #513), fall back to lockstep dep updates 2. osv-scanner CI job — independent advisory source via OSV database, scheduled weekly + on PRs/main 3. scap fork cleanup — re-test upstream main HEAD; if Linux now builds, drop the Detair fork; otherwise open a narrow upstream PR 4. CI #900/900 flake — root caused to CleanupGuard's no-timeout join in Drop. Stopgap (bounded join) + proper fix (#[must_use] type-state + explicit cleanup().await migration). Each topic gets its own implementation plan and PR. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * docs(infra): add 4 implementation plans for security audit follow-ups One plan per spec topic, all independent and shippable separately. Recommended implementation order (per spec): Topic 4 → 1 → 2 → 3. - 2026-04-11-cleanup-guard-test-flake.md (Topic 4, 14 tasks) — fix the CleanupGuard CI flake. Layer 1 stopgap (bounded join), Layer 2 explicit cleanup() method + ~136 test-site migration across 16 files, Layer 3 panic activation deferred to follow-up issue. - 2026-04-11-client-devtime-advisories.md (Topic 1, 5 tasks) — apply package.json overrides on a regular branch (not worktree, to avoid PR #513's bun bug). Plan A overrides + Plan B lockstep dep updates fallback + mermaid lazy-load investigation. - 2026-04-11-osv-scanner-ci.md (Topic 2, 2 tasks) — add osv-scanner job to existing security.yml. Pinned to v2.3.5 (no v2 floating tag exists upstream). HIGH+ severity gate. SARIF upload to Security tab. - 2026-04-11-scap-fork-cleanup.md (Topic 3, 3 tasks) — test if upstream CapSoftware/scap main HEAD now builds vc-client on Linux. If yes, drop Detair fork (Task 2). If no, open narrow upstream PR (Task 3, requires user authorization). All 4 plans peer-reviewed and approved by spec-document-reviewer. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This was referenced Apr 11, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Follow-up to the security audit after the codebase consistency refactor (#512). Addresses 3 of 4 action items from the audit findings; the 4th was reduced in scope after hitting bun worktree resolution issues.
4 commits:
fix(infra): ignore RUSTSEC-2026-0097—rand 0.8.5unsoundness advisory. Not exploitable in Kaiku (we usetracing, not thelogfacade). Documented with full justification indeny.toml. Unblockscargo deny check advisoriesin CI.chore(client): remove @types/dompurify— fixes 4 of 21 audit findings (the runtime-critical dompurify XSS cluster). The @types package was redundant (dompurify 3.x ships its own types) and pulled in an olderdompurify@3.3.1with the XSS advisories. Removing it routes everything through the directdompurify@3.3.3which we already had.chore: remove committed build cruft— Removes two large files accidentally committed in chore: clean up untracked files #405:client/os(3.7 MB ImageMagick PostScript dump)client/voicechat-client-0.1.0.tgz(44 MB npm pack tarball)*.tgz,*.tar.gz,client/osto.gitignoredocs(client): document scap git dependency origin— Documents why we're pinned to the Detair/scap fork (upstream Frame enum restructure broke Linux pipewire). Notes that upstream PR fix/feat: SystemTime instead of timestamp CapSoftware/scap#178 would fix this if it gets merged.Remaining audit findings (deferred to follow-up)
The 17 remaining
bun auditadvisories are all devtime/build-tool transitives (vite dev-server fs.deny bypass, picomatch ReDoS, rollup path traversal, lodash-es proto-pollution via mermaid, defu prototype pollution via unocss, etc.). They don't affect production builds.Attempted to fix them with package.json overrides for
picomatch,rollup,flatted,brace-expansion,lodash-es,defu, andvite 8.0.5. The overrides caused bun to produce a different node_modules in this worktree vs main — missingesbuild,@ampproject/remapping, and 38 other modules — which broke vite-plugin-solid's JSX transformation in 4 test files. Reverted that approach. These should be addressed in a follow-up PR after either:vitest,vite, andvite-plugin-solidtogether to versions where the transitives are fixed upstream.The runtime-critical XSS issue (dompurify) is fixed by commit 2.
Test plan
cargo deny check advisories→advisories okSQLX_OFFLINE=true cargo clippy -p vc-server --lib -- -D warnings→ cleancd client && bun run test:run→ 577/577 passingcd client && bun audit→ 17 (devtime only, was 21)🤖 Generated with Claude Code