Skip to content

Fixing almost all security depenency issues #1842

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
titanism merged 10 commits into from
Jan 6, 2026
Merged

Fixing almost all security depenency issues #1842

titanism merged 10 commits into from
Jan 6, 2026

Conversation

@hlovdal
Copy link
Contributor

@hlovdal hlovdal commented Jan 4, 2026

Checklist

  • I have ensured my pull request is not behind the main or master branch of the original repository.
  • I have rebased all commits where necessary so that reviewing this pull request can be done without having to merge it first.
  • I have written a commit message that passes commitlint linting.
  • I have ensured that my code changes pass linting tests.
  • I have ensured that my code changes pass unit tests.
  • I have described my pull request and the reasons for code changes along with context if necessary.

All commits pass test and lint with git test.

When starting, there were close to 70 issues (including several critical), the only three remaining are low priority and related to eslint and I think resolving those will require updating from eslint 8 to 9, so that's where I stopped.

All commits should be orthogonal and this PR can be split up in smaller ones if wanted.

hlovdal added 10 commits January 4, 2026 03:36
@hlovdal
chore(deps): npm audit fix
b4b2275 
Automatically fixes one one low priority.
@hlovdal
chore(deps): update body-parser package
e07aaaa 
Release notes: https://github.com/expressjs/body-parser/releases/tag/1.20.4
@hlovdal
chore(deps): remove zuul
7d8618b 
The project has been unmaintained for almost a decade and has dozens of
security issues.

https://github.com/defunctzombie/zuul/
@hlovdal
chore(deps): update qs package
81719c9 
Fixes security issue, https://github.com/expressjs/body-parser/releases/tag/1.20.4.
@hlovdal
chore(deps): update mocha package
608b4ef 
Fixes several transitive security issues.
@hlovdal
chore(deps): update rimraf package
7cda38c
@hlovdal
chore(deps): update xo package
5677b73 
Fixes some security dependencies.
@hlovdal
chore(deps): update tinify package
a9a48a3 
Fixes some security dependencies, although there is still an unresolved
upstream security dependency issue, browserify/tinyify#45.
Adding a temporary override to avoid vulnerable terser version.

No significant changes in tinyify, https://github.com/browserify/tinyify/blob/default/CHANGELOG.md.

https://github.com/terser/terser/blob/master/CHANGELOG.md mentions
breaking change on variables property in 4.0.0. Relevant?
@hlovdal
chore(deps): update eslint-plugin-compat package
3ce73dd 
Fixes some security dependencies.

No significant changes, https://github.com/amilajack/eslint-plugin-compat/releases
@hlovdal
chore: remove end-of-life nodejs versions and add active lts
170ef07
@socket-security
Copy link

socket-security bot commented Jan 4, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addedmulter@​1.4.5-lts.1996010050100
Updatedmethods@​0.1.0 ⏵ 1.1.210010082 +2275100
Updatedmime@​1.2.11 ⏵ 2.6.0100100 +1699 +1181100
Updatedeslint-plugin-compat@​4.0.2 ⏵ 6.0.299 +110010082100
Updatedexpress-session@​1.18.1 ⏵ 1.18.299 +110010083100
Addednyc@​15.1.09710010083100
Updateddebug@​4.4.1 ⏵ 4.4.310010010083100
Updatedbody-parser@​1.12.4 ⏵ 1.20.499100 +16100 +188 -1100
Addedmarked@​4.3.01001001009380
Addedlint-staged@​15.5.29910010091100
Updatedexpress@​4.21.2 ⏵ 4.22.197 +110010091100
Addedmocha@​11.7.5971009596100

View full report

@titanism titanism merged commit 68308c8 into forwardemail:master Jan 6, 2026
2 checks passed
@titanism
Copy link
Collaborator

titanism commented Jan 6, 2026

Can't use tinyify 4.0.0 due to browserify/tinyify#26

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@hlovdal @titanism