30 changes: 11 additions & 19 deletions SECURITY-ACCEPTED-RISKS.md
@@ -1,31 +1,23 @@
# Accepted Security Risks

The following moderate-severity advisories are accepted as low-risk for the dispatch project.
Fixing them would require major version downgrades that break functionality.
**Last updated: 2026-06-17**

## 1. `next` → bundled `postcss` (XSS via unescaped `</style>` — GHSA-qx2v-qp2m-jg93)
There are currently no accepted npm runtime advisories.

- **Affected:** `next@16.2.7` bundles `postcss@8.4.31` (< 8.5.10)
- **Impact:** Moderate (CVSS 6.1) — XSS requires user interaction (UI:R in CVSS)
- **Why not fix:** Latest stable Next.js (16.2.7) still bundles vulnerable postcss.
Upgrading to a patched version would require a major downgrade to `next@9.3.3`,
which is not viable. The attack surface requires user-supplied CSS with crafted
`</style>` tags — unlikely in our self-hosted deployment model.
`npm audit --omit=dev` reports **0 vulnerabilities** across 227 production dependencies.

## 2. `prisma` → `@prisma/dev` → `@hono/node-server` (Middleware bypass — GHSA-92pp-h63x-v22m)
## Retired Risks

- **Affected:** `prisma@7.8.0` depends on `@prisma/dev` ≤ 0.24.8, which depends
on `@hono/node-server` < 1.19.13 (middleware bypass via repeated slashes in serveStatic)
- **Impact:** Moderate (CVSS 5.3) — path traversal in static file serving
- **Why not fix:** The only fix available is downgrading to `prisma@6.19.3` (major downgrade).
Our deployment does not use `serveStatic` with user-controlled paths, and Prisma's
dev tools are not exposed in production builds.
The following previously accepted risks have been retired:

## Resolution
| Advisory | Resolved | Notes |
|---|---|---|
| `next` → bundled `postcss` XSS (GHSA-qx2v-qp2m-jg93) | Patched upstream | postcss vulnerability no longer surfaces in Next.js 16.2.x |
| `prisma` → `@hono/node-server` middleware bypass (GHSA-92pp-h63x-v22m) | Patched upstream | Fixed in Prisma dependency chain |

## Previous Resolution History

| Advisory | Status | Action |
|---|---|---|
| Trivy action pinned to SHA | ✅ Resolved | `aquasecurity/trivy-action@ed142fd` (v0.36.0) |
| `.npmrc` invalid omit config | ✅ Resolved | Fixed `omit=` → `omit=dev` |
| next/postcss XSS | 🟡 Accepted risk | Monitor for Next.js patch; no viable upgrade path |
| prisma/@hono/node-server bypass | 🟡 Accepted risk | Monitor for Prisma patch; no viable upgrade path |
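Review bot: the `## Previous Resolution History` table at the end of the hunk still lists `next/postcss XSS` and `prisma/@hono/node-server bypass` as `🟡 Accepted risk` with "Monitor for Next.js patch; no viable upgrade path", which contradicts the new `## Retired Risks` table a few lines above that marks both advisories `Patched upstream`; update those two rows to `✅ Resolved` (or drop them, since the retired table now records them) so the file does not carry two conflicting statuses for the same GHSA ids. The `Resolved` column also gives no evidence beyond "Patched upstream": record the dependency versions that now carry the fix (the removed text named the thresholds `postcss` 8.5.10 and `@hono/node-server` 1.19.13, so note which `next` and `prisma` versions pull those in) and the date of the `npm audit --omit=dev` run that reported 0 vulnerabilities, so the retirement can be re-verified later. Finally, `**Last updated: 2026-06-17**` and the intro sentence "Fixing them would require major version downgrades that break functionality." appear unchanged; the date should be bumped and that sentence no longer applies when the list of accepted advisories is empty.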