chore: fix npm audit vulnerabilities #92

Merged
nmccready merged 2 commits into master from chore/npm-audit-fix
Feb 18, 2026

@nmccready-tars

npm audit fix

What changed

Audit summary

  • Before: 29 vulnerabilities (7 moderate, 22 high)
  • After: 29 vulnerabilities (7 moderate, 22 high)

The root ajv was updated, but the vulnerability count remains the same because the remaining 29 vulnerabilities are all in nested/transitive dependencies that cannot be resolved without breaking changes:

  • ajv (moderate): Still vulnerable in nested copies under eslint and serve — fix requires major version bumps (eslint@4→10, serve@6→14)
  • fast-xml-parser (high, 22 vulns): Transitive dep of @aws-sdk/* packages and commit-and-tag-version — requires upstream AWS SDK update
  • commit-and-tag-version: Depends on vulnerable fast-xml-parser

--force was NOT used

Running npm audit fix --force was tested but increased vulnerabilities from 29 to 40 by downgrading packages (eslint@4.1.1, serve@6.5.8) which introduced additional critical/high vulns (handlebars, cross-spawn, minimist, ip, send, tmp). Reverted.

Tests

All 197 tests passing ✅

@nmccready nmccready merged commit 9905e38 into master Feb 18, 2026
5 checks passed
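An added example, not part of the pull request or the project's code: a Node.js script that triages `npm audit --json` output (npm 7+ report format) by its `fixAvailable` field and compares severity counts between two reports, the kind of before/after check that exposed the `--force` regression described above. The function names `triage` and `regressions` and both sample reports are constructed for illustration; only the 29 and 40 totals and the `eslint@4.1.1` target come from the description.

```javascript
// Constructed sample in the shape of `npm audit --json` (auditReportVersion 2).
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    // fixAvailable === true: `npm audit fix` can resolve it without --force
    'ajv': { name: 'ajv', severity: 'moderate', fixAvailable: true },
    // fixAvailable is an object: the fix installs the named top-level package
    // at that version, which npm only does with --force
    'eslint': { name: 'eslint', severity: 'moderate',
      fixAvailable: { name: 'eslint', version: '4.1.1', isSemVerMajor: true } },
    // fixAvailable === false: no fixed version to install, wait for upstream
    'fast-xml-parser': { name: 'fast-xml-parser', severity: 'high', fixAvailable: false },
  },
  metadata: { vulnerabilities:
    { info: 0, low: 0, moderate: 7, high: 22, critical: 0, total: 29 } },
};

// Constructed "after --force" report; the per-severity split is made up.
const AFTER_FORCE = {
  auditReportVersion: 2,
  vulnerabilities: {},
  metadata: { vulnerabilities:
    { info: 0, low: 0, moderate: 7, high: 30, critical: 3, total: 40 } },
};

// Group vulnerable packages by what it takes to fix them.
function triage(report) {
  const buckets = { safeFix: [], needsForce: [], noFix: [] };
  for (const [name, vuln] of Object.entries(report.vulnerabilities || {})) {
    const fix = vuln.fixAvailable;
    if (fix === true) {
      buckets.safeFix.push(name);
    } else if (fix && typeof fix === 'object') {
      buckets.needsForce.push(
        { name, via: `${fix.name}@${fix.version}`, major: Boolean(fix.isSemVerMajor) });
    } else {
      buckets.noFix.push(name);
    }
  }
  return buckets;
}

// List every severity whose count went up between two reports.
function regressions(before, after) {
  const b = before.metadata.vulnerabilities;
  const a = after.metadata.vulnerabilities;
  return ['info', 'low', 'moderate', 'high', 'critical']
    .filter((s) => (a[s] || 0) > (b[s] || 0))
    .map((s) => ({ severity: s, before: b[s] || 0, after: a[s] || 0 }));
}

console.log(triage(SAMPLE_REPORT), regressions(SAMPLE_REPORT, AFTER_FORCE));
```

In CI, a non-empty `regressions` result for two saved reports is a reason to reject a proposed lockfile change before it is committed.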