Skip to content

Reduce npm audit vulnerabilities via transitive overrides#4

Open
DRK28122006 wants to merge 1 commit into
Flow-Research:mainfrom
DRK28122006:chore/npm-audit-overrides
Open

Reduce npm audit vulnerabilities via transitive overrides#4
DRK28122006 wants to merge 1 commit into
Flow-Research:mainfrom
DRK28122006:chore/npm-audit-overrides

Conversation

@DRK28122006

@DRK28122006 DRK28122006 commented Jun 26, 2026

Copy link
Copy Markdown

Summary

Pin two vulnerable transitive dependencies of @docusaurus/core to patched versions, eliminating all critical and high severity
advisories reported by npm audit.

Why

A fresh npm install in website/ reports 36 vulnerabilities (1 critical, 2 high, 32 moderate, 1 low). The critical and high
issues all originate from sockjs → uuid and copy-webpack-plugin → serialize-javascript, both pulled in transitively by
Docusaurus's pinned dependency tree.

Changes

Added to website/package.json:

  • overrides.uuid: ^11.0.0
  • overrides.serialize-javascript: ^7.0.6

No direct dependency versions change.

Verification

  • npm audit reduced from 36 → 23 vulnerabilities (0 critical, 0 high, 23 moderate)
  • The 23 remaining are all the same js-yaml DoS reachable through Docusaurus's front-matter parser; a proper fix is being tracked
    upstream in Update js-yaml dependency from ^3.13.1 to ^4.x (security: GHSA-h67p-54hq-rp68) facebook/docusaurus#12174 and merged via PR #12181 but not yet released
  • npm run build completes successfully (Client + Server both compiled)
  • .github/workflows/deploy.yml uses npm ci, which will exercise the same install path in CI

Summary by CodeRabbit

  • Chores
    • Updated dependency settings to lock in newer versions of two transitive packages, helping improve stability and reduce risk from outdated dependencies.

…ides

Add overrides for uuid and serialize-javascript to address critical/high
severity advisories that originate from Docusaurus's pinned transitive
dependencies (sockjs -> uuid, copy-webpack-plugin -> serialize-javascript).

Reduces 'npm audit' from 36 vulnerabilities (1 critical, 2 high, 32 moderate,
1 low) down to 23 moderate vulnerabilities, all of which are the same
js-yaml quadratic-complexity DoS reachable through Docusaurus's front-matter
parser and require either a Docusaurus major version bump or an upstream fix
to resolve without breaking the build.

Verified: 'npm run build' still completes successfully.
@coderabbitai

coderabbitai Bot commented Jun 26, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

website/package.json adds a top-level overrides section that pins transitive versions of uuid and serialize-javascript.

Changes

Dependency pinning

Layer / File(s) Summary
Add overrides
website/package.json
The package manifest defines top-level overrides for uuid and serialize-javascript.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

A rabbit hops with version glee,
Two little pins in harmony.
uuid snug, serialize tight,
Safe little burrows, neat and bright.
Thump! The manifest sings اليوم 🐇

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: using transitive overrides to reduce npm audit vulnerabilities.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@website/package.json`:
- Around line 51-52: The uuid override in website/package.json is forcing an
unverified major version that conflicts with sockjs’s declared uuid@^8.3.2
dependency. Update the override used in the package.json overrides block to keep
uuid on a compatible 8.x range, or remove the override if not needed; if you
keep any newer override, verify the Docusaurus dev server path by running npm
start so SockJS/HMR still works. Use the overrides entry and the sockjs-related
dependency context to locate the change.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 6a301887-1d97-4f0a-b216-525c23763698

📥 Commits

Reviewing files that changed from the base of the PR and between 33a9187 and 3794e6d.

⛔ Files ignored due to path filters (1)
  • website/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • website/package.json

Comment thread website/package.json
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant