chore(client): clear 11 devtime advisories via transitive overrides #517
Merged
Adds package.json overrides for picomatch, rollup, flatted,
brace-expansion, lodash-es, and defu to resolve 11 of 17 devtime
advisories reported by bun audit.
vite is NOT overridden. vitest@4.1.0 bundles a nested vite@7.3.1 via
@vitest/mocker, and overriding vite to any version (8.0.0 through
8.0.8) causes vite-plugin-solid JSX regressions ("Failed to parse
source for import analysis" on Toast.tsx) because @vitest/mocker's
internal vite API is incompatible with vite 8.x when used as the
nested dependency. Downgrading direct vite to 7.3.2 would touch a
direct dep (forbidden by spec). Bun 1.3.9 does not honor nested
overrides syntax, so a scoped vitest>vite override is not available.
The 3 remaining vite advisories (GHSA-4w7w-66w2-5vf9,
GHSA-v2wj-q39q-566r, GHSA-p9ff-h696-f583) all affect the vite dev
server's fs.deny handling, .map path traversal, and WebSocket file
read. They are accepted as documented dev-only exceptions: they
only matter when a developer runs `bun run dev` and visits a
malicious URL in their browser. Not applicable to production builds
(bun run build is unaffected, rolldown-vite handles production).
Mermaid is lazy-loaded via dynamic import in MarkdownPreview.tsx, so
the lodash-es runtime exposure (via mermaid > dagre-d3-es) is
minimal even without the lodash-es override — but we apply it anyway
for defense in depth.
Direct dependencies are unchanged. 577/577 client tests pass and
bun run build succeeds.
Refs docs/superpowers/specs/2026-04-11-security-audit-followups-design.md (Topic 1)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Detair added a commit that referenced this pull request on Apr 11, 2026
The first-run osv-scan (after flag fix) found 34 vulnerabilities — most are already accepted via deny.toml / rust-audit ignores or via PR #517 (vite dev-server exceptions nested through vitest). osv-scanner is stricter than cargo-audit: it flags "unmaintained" crates as errors where cargo-audit treats them as warnings.

Create .osv-scanner.toml at repo root with an explicit ignore list:
- 3 entries already in deny.toml (rsa Marvin, rand 0.8.5, lru)
- 11 entries for the gtk-rs 0.18 family (Linux-only Tauri deps, blocked on Tauri's gtk-rs pin)
- 11 entries for unmaintained-crate advisories (proc-macro-error, paste, instant, derivative, fxhash, unic-*, bincode)
- 3 entries for the vite CVEs already documented in PR #517 as accepted dev-only exceptions

Also pass --config to scan-args so the scanner picks up the file.

Local verification: osv-scanner --config=.osv-scanner.toml --recursive ./ now reports "No issues found" with 36 filtered vulnerabilities.

When NEW advisories appear, osv-scanner will fail the build and we investigate, then either fix the dep or add a new entry here.

Refs: first-run findings at https://github.com/Detair/kaiku/actions/runs/24293038310
Detair added a commit that referenced this pull request on Apr 11, 2026
* fix(ci): remove invalid osv-scanner flags (--skip-git, --severity)

The osv-scan job failed on first-run with "Incorrect Usage: flag provided but not defined: -skip-git". Both --skip-git and --severity were incorrect guesses — osv-scanner v2.3.5 does not accept them. Strip to minimal known-good flags: --recursive --format=sarif --output=... ./.

The scanner now gates on ANY vulnerability via its default exit code. SARIF upload still publishes to Code Scanning for tracking. If the scan is too noisy post-merge, severity filtering can be applied via GitHub's Security tab or by post-processing the SARIF.

Refs: first-run failure at https://github.com/Detair/kaiku/actions/runs/24292956710

* ci(security): add .osv-scanner.toml ignore config, pass --config flag

The first-run osv-scan (after flag fix) found 34 vulnerabilities — most are already accepted via deny.toml / rust-audit ignores or via PR #517 (vite dev-server exceptions nested through vitest). osv-scanner is stricter than cargo-audit: it flags "unmaintained" crates as errors where cargo-audit treats them as warnings.

Create .osv-scanner.toml at repo root with an explicit ignore list:
- 3 entries already in deny.toml (rsa Marvin, rand 0.8.5, lru)
- 11 entries for the gtk-rs 0.18 family (Linux-only Tauri deps, blocked on Tauri's gtk-rs pin)
- 11 entries for unmaintained-crate advisories (proc-macro-error, paste, instant, derivative, fxhash, unic-*, bincode)
- 3 entries for the vite CVEs already documented in PR #517 as accepted dev-only exceptions

Also pass --config to scan-args so the scanner picks up the file.

Local verification: osv-scanner --config=.osv-scanner.toml --recursive ./ now reports "No issues found" with 36 filtered vulnerabilities.

When NEW advisories appear, osv-scanner will fail the build and we investigate, then either fix the dep or add a new entry here.

Refs: first-run findings at https://github.com/Detair/kaiku/actions/runs/24293038310
Detair added a commit that referenced this pull request on May 8, 2026
#550) Phase 2 of the dep-update sweep. Adds transitive overrides for postcss, uuid, and dompurify.

The vite override planned in the spec is dropped: forcing nested vite to 8.x breaks vitest 4.1.0's @vitest/mocker (the known issue from PR #517). The 6 vite advisories that remain are already accepted dev-only exceptions in .osv-scanner.toml; they unblock in Phase 6c (vitest test-infra majors).

bun audit: 8 → 6 advisories; the 6 remaining are vite/vitest dev-server paths, all behind .osv-scanner.toml exceptions.

Direct-dep bumps the spec planned for this phase (dompurify 3.3.3 → 3.4.2, @sentry/browser 10.44.0 → 10.52.0, @vitejs/plugin-basic-ssl 2.2.0 → 2.3.0) already landed in Phase 1 via targeted bun update; this PR only adds the overrides + CHANGELOG.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary

Reduces client `bun audit` from 17 advisories (10 high, 7 moderate) to 6 (3 unique CVEs, all dev-server only) by adding `package.json` overrides for transitive devtime dependencies. 11 of 17 advisories cleared. The remaining 3 unique CVEs are all in `vite@7.3.1` (nested via `vitest@4.1.0 > @vitest/mocker > vite`), affect only the dev server, and are documented as accepted exceptions below.

Overrides applied

Each clears one or more advisories. Notably, `rollup` is NOT a no-op — even though this project uses rolldown-vite, `@rollup/plugin-commonjs` still has a nested rollup that's patched by the override.

Why no vite override

Tested `vite: 8.0.0` through `vite: 8.0.8` — all fail tests with "Failed to parse source for import analysis" on `Toast.tsx`. Root cause: `vitest@4.1.0` bundles a nested `vite@7.3.1` via `@vitest/mocker`. When bun applies a vite override globally, both the direct vite and the nested one resolve to the same version — and `@vitest/mocker@4.1.0`'s internal API is incompatible with vite 8.x in the nested slot. Bun 1.3.9 does not support scoped overrides (`"vitest>vite": "..."`), so we cannot patch only one.

Accepted exceptions (3 unique CVEs, 6 raw reports)

All three are in nested `vite@7.3.1` via `vitest > @vitest/mocker > vite`. All three require a developer to run `bun run dev` AND visit a malicious URL in their browser. None affect production builds (`bun run build` uses rolldown-vite's build path, not the dev server).

- `.map` handling
- `server.fs.deny` bypassed with queries

Exploitation path: dev-server only. Developer runs `bun run dev`, malicious URL is visited in the dev server's browser tab, attacker gets file read / path traversal. Production is unaffected.

Developer detection: CI `bun audit` still reports these (we don't suppress them). A future vitest bump that drops the nested vite pin will auto-clear them.

Why not fix now: would require bumping vitest + vite-plugin-solid in lockstep, which is Plan B scope and out of this PR's scope.
Mermaid load mode

Confirmed lazy-loaded: `client/src/components/pages/MarkdownPreview.tsx:21` uses `await import("mermaid")` inside `loadMermaid()`. The lodash-es runtime exposure (via mermaid > dagre-d3-es) only triggers when a user views a markdown block that renders a mermaid diagram. The `lodash-es ^4.17.24` override still applies for defense in depth.

Test plan

- `bun install` — 504 packages, clean
- `bun audit` — 6 (was 17), all 3 unique CVEs documented above
- `bun run test:run` — 577/577 passing
- `bun run build` — succeeds

Refs

git worktree add, to avoid that bug)

🤖 Generated with Claude Code