fix(deps): patch 5 high-severity transitive vulnerabilities#583
fix(deps): patch 5 high-severity transitive vulnerabilities#583carlos-alm merged 7 commits intomainfrom
Conversation
npm audit fix resolves all 5 high-severity vulns (hono, @hono/node-server, express-rate-limit, minimatch, tar) and updates biome 2.4.8, vitest 4.1.1.
|
Claude finished @carlos-alm's task —— View job Security Dependency Review Complete ✅Root Cause AnalysisProblem Being Solved: 5 high-severity transitive vulnerabilities in web server components (hono, express-rate-limit) and file processing utilities (tar, minimatch) with documented CVEs including auth bypasses, file access vulnerabilities, and ReDoS attacks. Backlog Compliance
Review Summary✅ PASSED — Configuration & Test Integrity
✅ PASSED — Security VerificationVulnerabilities Properly Fixed:
Audit Trail: Comprehensive report in ✅ PASSED — Dependency Analysis
Minor Observations
Final Recommendation
Excellent work on security hygiene! This PR demonstrates proper vulnerability management with comprehensive audit trails. |
Greptile SummaryThis PR resolves all 5 high-severity (and 3 moderate-severity) transitive vulnerabilities via Key changes:
Confidence Score: 5/5
Important Files Changed
Flowchart%%{init: {'theme': 'neutral'}}%%
flowchart TD
A["npm audit fix + npm update"] --> B["Vulnerability Fixes"]
A --> C["Patch Bumps"]
B --> D["@hono/node-server\n1.19.9 → 1.19.11\nvia @modelcontextprotocol/sdk"]
B --> E["hono\n4.12.0 → 4.12.9\nvia @modelcontextprotocol/sdk"]
B --> F["express-rate-limit\n8.2.1 → 8.3.1\nvia @modelcontextprotocol/sdk"]
B --> G["minimatch\n3.1.3 → 3.1.5\nvia commit-and-tag-version → dotgitignore"]
B --> H["tar\n7.5.9 → 7.5.13\nvia @huggingface/transformers → onnxruntime-node"]
C --> I["@biomejs/biome\n2.4.7 → 2.4.8"]
C --> J["vitest\n4.1.0 → 4.1.1"]
C --> K["@vitest/coverage-v8\n4.1.0 → 4.1.1"]
D & E & F --> L["5 HIGH + 3 MODERATE\nvulnerabilities resolved"]
G & H --> L
I & J & K --> M["3 aging deps resolved\nHealth: 39/100 → 95/100"]
L --> M
Reviews (6): Last reviewed commit: "fix: add CVSS scores and transitive path..." | Re-trigger Greptile |
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
| | **Health score** | **47/100** | | ||
|
|
||
| ## Health Score Calculation | ||
|
|
||
| ``` | ||
| Start: 100 | ||
| - 5 high vulns × -10: -50 |
There was a problem hiding this comment.
The summary table shows "5 high" vulnerabilities (and the "Recommended Actions" section still says to "run npm audit fix"), but this document is committed as part of the PR that applies those fixes. A reader viewing this file in the future will see it documenting an already-resolved problem as if it were still open.
Consider either:
- Updating the report to reflect the post-fix state (0 high vulnerabilities, recalculated health score), or
- Naming/labelling the file to clearly signal it is a pre-fix snapshot (e.g.,
DEPS_AUDIT_2026-03-24_pre-fix.md) and adding a header note such as "Note: this report was captured before the fixes in this PR were applied."
As committed, the document is misleading about the current security posture of the repository.
There was a problem hiding this comment.
Addressed in 5350633. Added a pre-fix snapshot callout at the top of the report and restructured the summary as a pre-fix/post-fix comparison table.
| - 1 stale dep (TS 6.x) × -5: -5 | ||
| (moderate vulns are sub-advisories of hono, counted separately) | ||
| Subtotal: 100 - 50 - 9 + 6 = 47 | ||
| (adjusted: hono has 5 advisories but is 1 package — counting 1 high + 2 moderate for hono) | ||
| ``` | ||
|
|
||
| **Adjusted calculation (per-package, not per-advisory):** | ||
| - 100 base | ||
| - 5 packages with high vulns × -10 = -50 | ||
| - 1 stale dep × -5 = -5 | ||
| - 2 aging deps × -2 = -4 | ||
| - **Score: 41/100** | ||
|
|
||
| ## Security Vulnerabilities | ||
|
|
||
| All 5 are **high** severity and all have fixes available via `npm audit fix`. | ||
|
|
||
| ### 1. `@hono/node-server` < 1.19.10 — HIGH |
There was a problem hiding this comment.
The summary table on line 20 states a health score of 47/100, but the detailed recalculation block on line 39 concludes 41/100 using a different (per-package) methodology. Both numbers are derived from the same data, yet neither is clearly labelled as the "official" score, and the two calculations contradict each other within the same section.
Pick one approach and remove or clearly demote the other (e.g., "Adjusted score: 41/100 — see calculation below") to avoid ambiguity.
There was a problem hiding this comment.
Addressed in 5350633. Removed the conflicting 47/100 calculation. The report now uses a single methodology (per-package) with one score: 41/100 pre-fix, 95/100 post-fix.
|
Addressed Greptile's feedback in 5350633:
|
| **Post-fix:** All 5 high-severity vulnerabilities and aging patch deps resolved. Only the stale TypeScript major version remains. | ||
| - 100 base | ||
| - 1 stale dep × -5 = -5 | ||
| - 2 aging deps resolved (biome, vitest patched) = 0 | ||
| - **Score: 91/100** (estimated; TypeScript 6.0 evaluation deferred) |
There was a problem hiding this comment.
The post-fix calculation shown here is:
- 100 base
- 1 stale dep × −5 = −5
- 2 aging deps resolved = 0
That yields 95/100, but both this line and the summary table on line 16 report 91/100. There are 4 unaccounted points with no stated deduction. Either the formula is missing a penalty (e.g. a moderate-vulnerability deduction), or the score should be updated to 95/100.
| **Post-fix:** All 5 high-severity vulnerabilities and aging patch deps resolved. Only the stale TypeScript major version remains. | |
| - 100 base | |
| - 1 stale dep × -5 = -5 | |
| - 2 aging deps resolved (biome, vitest patched) = 0 | |
| - **Score: 91/100** (estimated; TypeScript 6.0 evaluation deferred) | |
| - **Score: 95/100** (estimated; TypeScript 6.0 evaluation deferred) |
There was a problem hiding this comment.
Fixed in 04d3762. The post-fix health score is now correctly calculated as 95/100 (100 - 5 for the stale TypeScript dep). The summary table and calculation block are consistent.
| | Total dependencies (transitive) | ~850 | ~850 | | ||
| | Security vulnerabilities | 5 high, 3 moderate | 0 high, 0 moderate | |
There was a problem hiding this comment.
The summary table records "5 high, 3 moderate" pre-fix and "0 high, 0 moderate" post-fix, but the Security Vulnerabilities section below only details the 5 high-severity advisories. The 3 moderate-severity packages are never named, linked to advisories, or explained.
Consider adding a brief "Moderate Vulnerabilities" subsection (even just package names, advisory IDs, and fix paths) so the report is self-contained and auditable without having to re-run npm audit.
There was a problem hiding this comment.
Fixed in 04d3762. Added a dedicated "Moderate Severity" subsection documenting all 3 moderate advisories in hono (cookie injection GHSA-5pq2-9x2x-5p6w, SSE injection GHSA-p6xx-57qc-3wxr, prototype pollution GHSA-v8w9-8mx6-g223) with CVSS scores, advisory links, and fix path. They were previously listed inline under the hono high-severity entry but are now separated for clarity.
| | Outdated packages | 1 stale (major), 3 aging (patch) | 1 stale (major), 0 aging | | ||
| | Unused dependencies | 0 | 0 | | ||
| | License risks | 0 | 0 | | ||
| | Duplicates | 0 actionable | 0 actionable | | ||
| | **Health score** | **41/100** | **95/100** | | ||
|
|
||
| ## Health Score Calculation | ||
|
|
||
| **Pre-fix (per-package):** | ||
| - 100 base | ||
| - 5 packages with high vulns × -10 = -50 | ||
| - 1 stale dep × -5 = -5 | ||
| - 2 aging deps × -2 = -4 | ||
| - **Score: 41/100** |
There was a problem hiding this comment.
The summary table on line 12 explicitly records "1 stale (major), 3 aging (patch)" pre-fix, but the health-score block on line 24 deducts for only 2 aging deps × −2 = −4, not 3. The three patch-behind packages listed in the outdated-packages section are @biomejs/biome, vitest, and @vitest/coverage-v8.
If vitest and @vitest/coverage-v8 are intentionally counted as one logical unit (they're released together from the same mono-repo), that reasoning isn't stated anywhere, and the summary table still lists three aging packages. The discrepancy makes the formula hard to follow.
Either:
- Update line 24 to
3 aging deps × -2 = -6→ pre-fix score becomes 39/100, or - Add a parenthetical explaining the grouping:
2 aging deps (vitest + @vitest/coverage-v8 counted together) × -2 = -4
The same clarification would apply to line 30's post-fix note.
There was a problem hiding this comment.
Fixed in 083e7f7. Updated the formula to count all 3 aging packages individually (@biomejs/biome, vitest, @vitest/coverage-v8), changing the deduction from 2 × -2 = -4 to 3 × -2 = -6 and the pre-fix score from 41/100 to 39/100. The summary table, formula, and post-fix note are now consistent.
The summary table listed 3 aging packages but the health score formula only deducted for 2. Updated to count all 3 (biome, vitest, @vitest/coverage-v8) individually, changing pre-fix score from 41 to 39.
|
|
||
| ## Recommended Actions | ||
|
|
||
| **Resolved in this PR:** |
There was a problem hiding this comment.
~5.9 pin recommendation is unnecessary
package.json already declares "typescript": "^5.9.3", which resolves to >=5.9.3 <6.0.0. TypeScript 6.x cannot be pulled in automatically under that constraint, so the recommendation to "pin ~5.9" adds no additional protection. The tilde notation would only further restrict minor-version bumps (e.g. a hypothetical 5.10.x), which is overly conservative for a dev-only type-checker.
Consider updating the note to reflect that the existing ^5.9.3 constraint is already sufficient to block the TypeScript 6.0 upgrade.
There was a problem hiding this comment.
Fixed in 4054d65. Updated the recommendation to note that the existing \ constraint in \ already blocks TypeScript 6.x (), so no additional pinning is needed. Removed the \ suggestion.
There was a problem hiding this comment.
Fixed in 4054d65. Updated the recommendation to note that the existing ^5.9.3 constraint in package.json already blocks TypeScript 6.x (>=5.9.3 <6.0.0), so no additional pinning is needed. Removed the ~5.9 suggestion.
The report recommended pinning ~5.9 but package.json already uses ^5.9.3 which blocks TypeScript 6.x. Updated the note to reflect the existing constraint is sufficient.
| #### 5. `tar` <= 7.5.10 — HIGH (2 advisories) | ||
| - [GHSA-qffp-2rhf-9h96](https://github.com/advisories/GHSA-qffp-2rhf-9h96) — Hardlink path traversal via drive-relative linkpath | ||
| - [GHSA-9ppj-qmqm-q256](https://github.com/advisories/GHSA-9ppj-qmqm-q256) — Symlink path traversal via drive-relative linkpath | ||
| - **Path:** transitive | ||
| - **Fix:** Update to > 7.5.10 |
There was a problem hiding this comment.
tar section missing CVSS scores
Every other high-severity entry in this section documents CVSS scores explicitly (e.g. @hono/node-server CVSS 7.5, express-rate-limit CVSS 7.5, hono advisories CVSS 8.2 / 7.5, minimatch CVSS 7.5). The tar block lists both advisories without CVSS values, making it harder to compare severity at a glance.
Consider adding the CVSS scores inline, e.g.:
| #### 5. `tar` <= 7.5.10 — HIGH (2 advisories) | |
| - [GHSA-qffp-2rhf-9h96](https://github.com/advisories/GHSA-qffp-2rhf-9h96) — Hardlink path traversal via drive-relative linkpath | |
| - [GHSA-9ppj-qmqm-q256](https://github.com/advisories/GHSA-9ppj-qmqm-q256) — Symlink path traversal via drive-relative linkpath | |
| - **Path:** transitive | |
| - **Fix:** Update to > 7.5.10 | |
| #### 5. `tar` <= 7.5.10 — HIGH (2 advisories) | |
| - [GHSA-qffp-2rhf-9h96](https://github.com/advisories/GHSA-qffp-2rhf-9h96) — Hardlink path traversal via drive-relative linkpath (CVSS 7.5) | |
| - [GHSA-9ppj-qmqm-q256](https://github.com/advisories/GHSA-9ppj-qmqm-q256) — Symlink path traversal via drive-relative linkpath (CVSS 7.5) | |
| - **Path:** transitive | |
| - **Fix:** Update to > 7.5.10 |
There was a problem hiding this comment.
Fixed in 4713fca. Added CVSS 7.5 scores to both tar advisories (GHSA-qffp-2rhf-9h96 and GHSA-9ppj-qmqm-q256), matching the format used by all other high-severity entries in the report.
| - **Path:** transitive | ||
| - **Fix:** Update to >= 3.1.4 | ||
|
|
||
| #### 5. `tar` <= 7.5.10 — HIGH (2 advisories) | ||
| - [GHSA-qffp-2rhf-9h96](https://github.com/advisories/GHSA-qffp-2rhf-9h96) — Hardlink path traversal via drive-relative linkpath | ||
| - [GHSA-9ppj-qmqm-q256](https://github.com/advisories/GHSA-9ppj-qmqm-q256) — Symlink path traversal via drive-relative linkpath | ||
| - **Path:** transitive |
There was a problem hiding this comment.
minimatch and tar
@hono/node-server, express-rate-limit, and hono all identify their pull-through path (via @modelcontextprotocol/sdk), but minimatch (line 63) and tar (line 69) only say transitive. For a self-contained audit report, it is useful to know which direct dependency brings each vulnerable package in, so future readers can target the right upgrade path.
If the path is known (e.g. tar is likely pulled by a build tool, and minimatch by glob/node-glob), documenting it here would make the report fully auditable without needing to re-run npm ls.
There was a problem hiding this comment.
Fixed in 4713fca. Traced both transitive paths via npm ls on the lockfile:
minimatch: viacommit-and-tag-version->dotgitignoretar: via@huggingface/transformers->onnxruntime-node
Both entries now document the full pull-through path, consistent with the other high-severity entries.
1 participant
Summary
npm audit fixto resolve all 5 high-severity transitive vulnerabilities (hono, @hono/node-server, express-rate-limit, minimatch, tar)@biomejs/biome2.4.7 → 2.4.8,vitest+@vitest/coverage-v84.1.0 → 4.1.1generated/deps-audit/DEPS_AUDIT_2026-03-24.md)Vulnerabilities fixed
hono≤4.12.6@hono/node-server<1.19.10express-rate-limit8.2.0–8.2.1minimatch<3.1.4tar≤7.5.10All are transitive dependencies (3 via
@modelcontextprotocol/sdk). No breaking changes.Test plan
npm auditreports 0 vulnerabilities after fixnpm testpasses (2033 passed, 16 skipped, 2 pre-existing EPERM failures unrelated)