Skip to content

fix: resolve npm audit vulnerabilities in express and vite#38

Draft
Copilot wants to merge 2 commits into
mainfrom
copilot/explain-codebase-structure
Draft

fix: resolve npm audit vulnerabilities in express and vite#38
Copilot wants to merge 2 commits into
mainfrom
copilot/explain-codebase-structure

Conversation

Copilot AI commented Apr 16, 2026

Copy link
Copy Markdown

npm audit flagged 5 vulnerabilities across backend and frontend.

Backend — express 5.0.0 → 5.2.1

  • qs ≤6.14.1 (moderate): arrayLimit bypass enables DoS via memory exhaustion
  • cookie <0.7.0 (low): accepts name/path/domain with out-of-bounds characters

Both are transitive through express. Bumping to 5.2.1 (semver-minor, non-breaking) resolves both.

Frontend — vite ^5.4.8 → ^6.4.2

  • esbuild ≤0.24.2 (moderate): dev server allows cross-origin request forgery

All Vite 5.x versions pin vulnerable esbuild; Vite 6.x is required. @vitejs/plugin-react updated to 5.2.0 (supports Vite 4–8) and moved from dependencies to devDependencies where it belongs.

Verification

  • npm audit: 0 vulnerabilities in both packages
  • Backend: 13 suites, 140 tests passing
  • Frontend: production build succeeds with Vite 6

…audit vulnerabilities

Agent-Logs-Url: https://github.com/OlympusLedgerOrg/TiM/sessions/a1ecb47c-37c4-4419-a398-0618c5dd109e

Co-authored-by: OlympusLedgerOrg <240737312+OlympusLedgerOrg@users.noreply.github.com>
@OlympusLedgerOrg

Copy link
Copy Markdown
Owner

@copilot resolve the merge conflicts in this pull request

…ck.json

Co-authored-by: OlympusLedgerOrg <240737312+OlympusLedgerOrg@users.noreply.github.com>

Copilot AI commented Apr 16, 2026

Copy link
Copy Markdown
Author

@copilot resolve the merge conflicts in this pull request

Resolved in 8d80944. Conflicts were in frontend/package.json and frontend/package-lock.json — main added html5-qrcode and several other deps (react-router-dom, recharts, vite-plugin-pwa, workbox). Merged keeping @vitejs/plugin-react in devDependencies only (per this PR) and accepting all new deps from main. Frontend build and backend tests (178 passing) verified post-merge.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • checkpoint.prisma.io
    • Triggering command: /opt/hostedtoolcache/node/24.14.1/x64/bin/node /opt/hostedtoolcache/node/24.14.1/x64/bin/node /home/REDACTED/work/TiM/TiM/backend/node_modules/prisma/build/child {&#34;product&#34;:&#34;prisma&#34;,&#34;version&#34;:&#34;6.19.3&#34;,&#34;cli_install_type&#34;:&#34;local&#34;,&#34;information&#34;:&#34;&#34;,&#34;local_timestamp&#34;:&#34;2026-04-16T21:03:15Z&#34;,&#34;project_hash&#34;:&#34;9cb7fcbb&#34;,&#34;cli_path&#34;:&#34;/home/REDACTED/work/TiM/TiM/backend/node_modules/.bin/prisma&#34;,&#34;cli_path_hash&#34;:&#34;59e0e217&#34;,&#34;endpo (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants