security: clear 59 CVEs (incl. 2 CRITICAL: next, form-data) #3
Merged
Conversation
59 vulns (2 CRIT, 23 HIGH, 35 MOD, 5 LOW) -> 0 after this PR.

Top fixes:
- next 15.3.5 -> 16.2.6 (10 vulns incl. CRITICAL GHSA-9qr9-h5gf-34mp)
- axios 1.10 -> 1.16.1 (6 HIGH)
- form-data fix via npm overrides (CRITICAL GHSA-fjxv-7rqg-78g4)
- express 4.18 -> 5.2.1 (server; removes vulnerable path-to-regexp 0.1.x)
- contentful-management 11.54 -> 12.5
- React/types/typescript/nodemon/etc bumped via ncu
- Removed yarn.lock (stale; project uses npm now per actual install path)
- Pinned client deps to explicit versions (was 'latest' which is bad practice)

Overrides for transitive vulns: postcss ^8.5.15, js-yaml ^4.1.1, picomatch ^4.0.4.

Note: client/.next/ build artifacts are committed to the repo (.gitignore lacks a .next/ entry). Not addressed in this PR — separate cleanup recommended.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Pull request overview
This PR aims to eliminate reported dependency vulnerabilities across the repo by upgrading major framework/library versions and applying transitive dependency overrides, while also adjusting lockfiles/package manager artifacts.
Changes:
- Upgrade core dependencies (notably Next.js, Express, Contentful SDKs, Axios, React/TypeScript-related tooling) to versions that resolve known CVEs.
- Add npm lockfiles for client/ and server/ and introduce npm overrides for vulnerable transitives.
- Remove the root yarn.lock (while retaining/altering Yarn lockfiles under subprojects).
Reviewed changes
Copilot reviewed 3 out of 8 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| yarn.lock | Removes the root Yarn lockfile. |
| package.json | Bumps concurrently; root scripts still run subprojects via Yarn. |
| server/package.json | Upgrades server dependencies (incl. Express 5) and adds npm overrides. |
| server/package-lock.json | Adds npm lockfile capturing updated server dependency tree. |
| client/package.json | Pins client deps to explicit ranges, adds npm overrides. |
| client/package-lock.json | Adds npm lockfile capturing updated client dependency tree. |
| client/yarn.lock | Updates Yarn lockfile for new client dependency versions. |
Files not reviewed (2)
- client/package-lock.json: Language not supported
- server/package-lock.json: Language not supported
Comment on lines
+21
to
+24
| "scripts": { | ||
| "test": "jest", | ||
| "dev": "concurrently \"yarn --cwd client dev\" \"yarn --cwd server dev\"" | ||
| }, |
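Review bot: the `dev` script still starts the subprojects with `yarn --cwd client dev` and `yarn --cwd server dev`, while this PR removes the root yarn.lock and adds client/package-lock.json and server/package-lock.json; whoever runs `npm run dev` therefore has Yarn resolving the tree, and Yarn does not read the npm `overrides` field (it uses `resolutions`), so the transitive fixes are not guaranteed in that path. Suggest `npm --prefix client run dev` and `npm --prefix server run dev` here, or dropping client/yarn.lock as well so each subproject has exactly one lockfile and one package manager.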
Comment on lines
+32
to
36
| "overrides": { | ||
| "postcss": "^8.5.15", | ||
| "js-yaml": "^4.1.1", | ||
| "picomatch": "^4.0.4" | ||
| } |
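Review bot: nothing in this override block records which advisory each of `"postcss": "^8.5.15"`, `"js-yaml": "^4.1.1"` and `"picomatch": "^4.0.4"` closes, and package.json cannot carry comments, so suggest listing the advisory per override in the PR description or README and adding a reminder to remove each override once the direct dependency that pulls it in updates; an override forces every nested copy to this range, including ones the consuming package was not tested with, and a stale one later masks or blocks upgrades. Also, the description says form-data is fixed via npm overrides, but form-data does not appear in the visible block; please confirm where that override lives.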
Comment on lines
+10
to
+13
| "dependencies": { | ||
| "next": "^16.2.6", | ||
| "react": "^19.2.6", | ||
| "react-dom": "^19.2.6" |
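Review bot: `"next": "^16.2.6"`, `"react": "^19.2.6"` and `"react-dom": "^19.2.6"` are caret ranges, not explicit pins, so the "pinned to explicit versions" claim in the description holds only as far as client/package-lock.json is honoured. Make sure CI and any deploy/Docker step install with `npm ci` rather than `npm install` so the lockfile is used verbatim, and use exact versions here if the intent is really to freeze at these releases. The caret does still rule out a slide back to the vulnerable 15.x line, since it keeps the major.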
Comment on lines
+18
to
+22
| "overrides": { | ||
| "postcss": "^8.5.15", | ||
| "js-yaml": "^4.1.1", | ||
| "picomatch": "^4.0.4" | ||
| } |
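Review bot: this block duplicates the server override set exactly, and the two copies will drift unless a single place documents the intended floors; suggest noting in the description that both files must be kept in step. Since client/yarn.lock is still present and updated in this PR, a contributor installing the client with Yarn gets none of these floors applied (Yarn ignores `overrides`), so either mirror them under `resolutions` in client/package.json or remove client/yarn.lock.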
Comment on lines
+23
to
+26
| "dev": "concurrently \"yarn --cwd client dev\" \"yarn --cwd server dev\"" | ||
| }, | ||
| "dependencies": { | ||
| "concurrently": "^9.2.1" |
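Review bot: with the root yarn.lock removed and no root package-lock.json among the changed files, `"concurrently": "^9.2.1"` at the root is now floating; every fresh install resolves whatever 9.x is current, which undercuts the reproducibility the new subproject lockfiles were added for. Suggest running `npm install` at the root and committing the resulting package-lock.json alongside this change.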
Summary

59 vulns (2 CRIT, 23 HIGH, 35 MOD, 5 LOW) → 0.

Key fixes

- next 15.3.5 → 16.2.6 (10 vulns incl. CRITICAL GHSA-9qr9-h5gf-34mp)
- form-data CRITICAL GHSA-fjxv-7rqg-78g4 via npm overrides
- axios 1.10 → 1.16.1 (6 HIGH)
- express 4.18 → 5.2.1 in server (removes vulnerable path-to-regexp 0.1.x and 5 other HIGH transitives)
- contentful-management 11.54 → 12.5
- Pinned client deps to explicit versions (was "latest" which is bad practice — it's what gave us the vulnerable 15.3.5 in the first place)
- Removed yarn.lock — stale artifact; project uses npm now per actual install path. Was the source of phantom lodash 4.17.21 reports.

Overrides for transitive vulns

postcss ^8.5.15 · js-yaml ^4.1.1 · picomatch ^4.0.4

Test plan

- npm install on client + server succeeds
- osv-scanner reports 0 vulns (was 59)

client/.next/ build artifacts (including binary .pack.gz cache files) are committed to the repo. .gitignore lacks a .next/ entry. Separate cleanup recommended.

🤖 Generated with Claude Code
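An added check to go with the test plan above (example code, not part of the PR or the project): npm overrides fail silently when a nested copy of a package is not rewritten, so this walks a v2/v3 package-lock.json `packages` map and reports every copy of postcss, js-yaml or picomatch that resolves below the override floor. The lockfile in the block is a constructed sample, and the `OVERRIDES` map and caret handling are my assumptions matching the ranges in the PR.

```javascript
// Added example, not code from the PR: check that npm "overrides" took effect by
// inspecting every copy of an overridden package in a v2/v3 package-lock.json
// "packages" map. The lockfile below is a constructed sample, not the PR's.
// Floors from the PR's overrides block; "^" means same major and not below this.
const OVERRIDES = { postcss: "8.5.15", "js-yaml": "4.1.1", picomatch: "4.0.4" };
// Constructed sample: the nested copy under micromatch is still on the old major.
const SAMPLE_LOCK = {
  packages: {
    "": { name: "client" },
    "node_modules/postcss": { version: "8.5.15" },
    "node_modules/js-yaml": { version: "4.1.1" },
    "node_modules/picomatch": { version: "4.0.4" },
    "node_modules/micromatch/node_modules/picomatch": { version: "2.3.1" },
  },
};

// Numeric triple only; prerelease and build suffixes are ignored here.
const parseVersion = (v) => v.split(/[-+]/)[0].split(".").map(Number);

// Caret range check for major >= 1: same major and not below the floor.
function satisfiesCaret(version, floor) {
  const a = parseVersion(version), b = parseVersion(floor);
  if (a[0] !== b[0]) return false;
  for (let i = 1; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] > b[i];
  }
  return true;
}

// Name is whatever follows the last "node_modules/" in the lock path, so nested
// copies and scoped names (@scope/pkg) work alike; null for the root entry "".
function packageName(lockPath) {
  const i = lockPath.lastIndexOf("node_modules/");
  return i < 0 ? null : lockPath.slice(i + "node_modules/".length);
}

// One { path, version, floor } per lock entry resolving an overridden package outside its range.
function findOverrideViolations(lock, overrides = OVERRIDES) {
  const violations = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = packageName(path);
    if (name === null || !(name in overrides)) continue;
    if (!satisfiesCaret(entry.version, overrides[name])) {
      violations.push({ path, version: entry.version, floor: overrides[name] });
    }
  }
  return violations;
}
console.log(JSON.stringify(findOverrideViolations(SAMPLE_LOCK), null, 2));
```

To run it against the real tree, replace `SAMPLE_LOCK` with `JSON.parse(require("fs").readFileSync("client/package-lock.json", "utf8"))` and repeat for server/; an empty array means every copy is inside the override range.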