Reduce npm audit vulnerabilities via transitive overrides#4
Open
DRK28122006 wants to merge 1 commit into
Open
Conversation
…ides Add overrides for uuid and serialize-javascript to address critical/high severity advisories that originate from Docusaurus's pinned transitive dependencies (sockjs -> uuid, copy-webpack-plugin -> serialize-javascript). Reduces 'npm audit' from 36 vulnerabilities (1 critical, 2 high, 32 moderate, 1 low) down to 23 moderate vulnerabilities, all of which are the same js-yaml quadratic-complexity DoS reachable through Docusaurus's front-matter parser and require either a Docusaurus major version bump or an upstream fix to resolve without breaking the build. Verified: 'npm run build' still completes successfully.
📝 WalkthroughWalkthrough
ChangesDependency pinning
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~2 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@website/package.json`:
- Around line 51-52: The uuid override in website/package.json is forcing an
unverified major version that conflicts with sockjs’s declared uuid@^8.3.2
dependency. Update the override used in the package.json overrides block to keep
uuid on a compatible 8.x range, or remove the override if not needed; if you
keep any newer override, verify the Docusaurus dev server path by running npm
start so SockJS/HMR still works. Use the overrides entry and the sockjs-related
dependency context to locate the change.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 6a301887-1d97-4f0a-b216-525c23763698
⛔ Files ignored due to path filters (1)
website/package-lock.jsonis excluded by!**/package-lock.json
📒 Files selected for processing (1)
website/package.json
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Pin two vulnerable transitive dependencies of
@docusaurus/coreto patched versions, eliminating all critical and high severityadvisories reported by
npm audit.Why
A fresh
npm installinwebsite/reports 36 vulnerabilities (1 critical, 2 high, 32 moderate, 1 low). The critical and highissues all originate from
sockjs → uuidandcopy-webpack-plugin → serialize-javascript, both pulled in transitively byDocusaurus's pinned dependency tree.
Changes
Added to
website/package.json:overrides.uuid: ^11.0.0overrides.serialize-javascript: ^7.0.6No direct dependency versions change.
Verification
npm auditreduced from 36 → 23 vulnerabilities (0 critical, 0 high, 23 moderate)js-yamlDoS reachable through Docusaurus's front-matter parser; a proper fix is being trackedupstream in Update js-yaml dependency from ^3.13.1 to ^4.x (security: GHSA-h67p-54hq-rp68) facebook/docusaurus#12174 and merged via PR #12181 but not yet released
npm run buildcompletes successfully (Client + Server both compiled).github/workflows/deploy.ymlusesnpm ci, which will exercise the same install path in CISummary by CodeRabbit