chore(deps): bump brace-expansion + ws overrides to clear audit (#190)
## Summary Clears the two moderate GHSA advisories that started failing `ci:audit`: - **`brace-expansion`** `>=5.0.0 <5.0.6` — DoS via large numeric range that bypasses the documented `max` protection ([GHSA-jxxr-4gwj-5jf2](https://github.com/advisories/GHSA-jxxr-4gwj-5jf2)). The existing override floor was at `5.0.5`; bumped one patch to `5.0.6`. - **`ws`** `>=8.0.0 <8.20.1` — uninitialized memory disclosure ([GHSA-58qx-3vcg-4xpx](https://github.com/advisories/GHSA-58qx-3vcg-4xpx)). No prior override; added one scoped to the 8.x advisory window only. Both are reached transitively through Nx; nothing in this repo's own dependency surface is vulnerable directly. ## What lands `package.json` (`pnpm.overrides` block): ```diff - "brace-expansion@<5.0.5": ">=5.0.5", + "brace-expansion@<5.0.6": ">=5.0.6", + "ws@>=8.0.0 <8.20.1": ">=8.20.1", ``` `pnpm-lock.yaml` reconciled with `pnpm install`. ## Notes for the reviewer - **Why the `ws` override is range-scoped, not a blanket `ws@<8.20.1`.** Lighthouse pulls `ws@7.5.10` via its own tree; the 7.x line sits entirely outside the advisory window (`>=8.0.0 <8.20.1`). A blanket `<8.20.1` override would force-bump that transitive across a major version boundary and risk Lighthouse breakage with no security gain. The range form `>=8.0.0 <8.20.1 → >=8.20.1` patches exactly the vulnerable consumers (`@module-federation/dts-plugin`, etc.) and leaves Lighthouse's pin untouched. - **Why an override and not waiting for Nx to bump.** Nx 22.7.2 is already on `main` (commits `bd94bb4` / `6b20c34`) but its sub-chain still resolves `ws@8.18.0` and `brace-expansion@5.0.5`. Upstream pickup will land eventually via Renovate; in the meantime the audit gate blocks CI on every PR. Overrides are the standard pnpm escape hatch for this exact situation. The pattern is already used in this file (`axios`, `ajv`, `esbuild`, `follow-redirects`, `ip-address`, `protobufjs`, `tmp`, `yaml`). - **Pruning policy.** Once Nx ships a release whose `pnpm-lock.yaml` resolves both packages at or above the patched versions on its own, both override entries can be removed. The convention in this file's existing entries is to leave overrides in place even when redundant (cheap insurance against silent regressions); pruning is a separate sweep, not part of this fix. - **No application code touched.** Both packages live deep in the Nx/Module Federation build tooling — `brace-expansion` inside `minimatch`'s glob expansion, `ws` inside Module Federation's HMR dev socket. Neither surfaces in the BFF or SPA runtime bundles. Build + test + lint were re-run across `portal-shell`, `portal-admin`, `portal-bff`, `shared-charts`, `shared-ui` as a sanity check; all green. ## Test plan - [x] `pnpm install` — lockfile reconciled, no extraneous package churn. - [x] `pnpm audit --audit-level=moderate` — "No known vulnerabilities found" (replaces the two-row failure that started this PR). - [x] `pnpm nx run-many -t build test lint -p portal-shell,portal-admin,portal-bff,shared-charts,shared-ui` — all green. Module Federation's HMR socket (the surface that *uses* `ws`) is exercised implicitly by every Angular build via `@nx/angular`'s webpack pipeline. - [ ] **Manual smoke** — `pnpm nx serve portal-shell` + `pnpm nx serve portal-admin`: dev servers come up, HMR reloads on a trivial edit, no warnings or stack traces about `ws` or `brace-expansion` resolution. ## What's next - Renovate will eventually pick up an Nx release whose own sub-chain ships `ws@>=8.20.1` and `brace-expansion@>=5.0.6` natively. At that point, the two override entries here are dead weight and can be pruned as a follow-up sweep alongside any other stale overrides. --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #190
This commit was merged in pull request #190.
This commit is contained in:
+2
-1
@@ -38,13 +38,14 @@
|
||||
"overrides": {
|
||||
"axios@<1.15.2": ">=1.15.2",
|
||||
"@angular-devkit/core>ajv@<8.18.0": ">=8.18.0",
|
||||
"brace-expansion@<5.0.5": ">=5.0.5",
|
||||
"brace-expansion@<5.0.6": ">=5.0.6",
|
||||
"esbuild@<0.25.0": ">=0.25.0",
|
||||
"follow-redirects@<1.16.0": ">=1.16.0",
|
||||
"ip-address@<10.1.1": ">=10.1.1",
|
||||
"protobufjs@<8.0.2": ">=8.0.2",
|
||||
"tmp@<0.2.4": ">=0.2.4",
|
||||
"vitepress>vite": ">=6.4.2 <7",
|
||||
"ws@>=8.0.0 <8.20.1": ">=8.20.1",
|
||||
"yaml@<2.8.3": ">=2.8.3",
|
||||
"@types/express": "^5.0.6"
|
||||
}
|
||||
|
||||
Generated
+8
-29
@@ -7,13 +7,14 @@ settings:
|
||||
overrides:
|
||||
axios@<1.15.2: '>=1.15.2'
|
||||
'@angular-devkit/core>ajv@<8.18.0': '>=8.18.0'
|
||||
brace-expansion@<5.0.5: '>=5.0.5'
|
||||
brace-expansion@<5.0.6: '>=5.0.6'
|
||||
esbuild@<0.25.0: '>=0.25.0'
|
||||
follow-redirects@<1.16.0: '>=1.16.0'
|
||||
ip-address@<10.1.1: '>=10.1.1'
|
||||
protobufjs@<8.0.2: '>=8.0.2'
|
||||
tmp@<0.2.4: '>=0.2.4'
|
||||
vitepress>vite: '>=6.4.2 <7'
|
||||
ws@>=8.0.0 <8.20.1: '>=8.20.1'
|
||||
yaml@<2.8.3: '>=2.8.3'
|
||||
'@types/express': ^5.0.6
|
||||
|
||||
@@ -5768,10 +5769,6 @@ packages:
|
||||
boolbase@1.0.0:
|
||||
resolution: {integrity: sha512-JZOSA7Mo9sNGB8+UjSgzdLtokWAky1zbztM3WRLCbZ70/3cTANmQmOdR7y2g+J0e2WXywy1yS468tY+IruqEww==}
|
||||
|
||||
brace-expansion@5.0.5:
|
||||
resolution: {integrity: sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==}
|
||||
engines: {node: 18 || 20 || >=22}
|
||||
|
||||
brace-expansion@5.0.6:
|
||||
resolution: {integrity: sha512-kLpxurY4Z4r9sgMsyG0Z9uzsBlgiU/EFKhj/h91/8yHu0edo7XuixOIH3VcJ8kkxs6/jPzoI6U9Vj3WqbMQ94g==}
|
||||
engines: {node: 18 || 20 || >=22}
|
||||
@@ -7762,7 +7759,7 @@ packages:
|
||||
isomorphic-ws@5.0.0:
|
||||
resolution: {integrity: sha512-muId7Zzn9ywDsyXgTIafTry2sV3nySZeUDe6YedVd1Hvuuep5AsIlqK+XefWpYTyJG5e503F2xIuT2lcU6rCSw==}
|
||||
peerDependencies:
|
||||
ws: '*'
|
||||
ws: '>=8.20.1'
|
||||
|
||||
istanbul-lib-coverage@3.2.2:
|
||||
resolution: {integrity: sha512-O8dpsF+r0WV/8MNRKfnmrtCWhuKjxrq2w+jpzBL5UZKTi2LeVWnWOmWRxFlesJONmc+wLAGvKQZEOanko0LFTg==}
|
||||
@@ -11166,18 +11163,6 @@ packages:
|
||||
utf-8-validate:
|
||||
optional: true
|
||||
|
||||
ws@8.18.0:
|
||||
resolution: {integrity: sha512-8VbfWfHLbbwu3+N6OKsOMpBdT4kXPDDB9cJk2bJ6mh9ucxdlnNvH1e+roYkKmN9Nxw2yjz7VzeO9oOz2zJ04Pw==}
|
||||
engines: {node: '>=10.0.0'}
|
||||
peerDependencies:
|
||||
bufferutil: ^4.0.1
|
||||
utf-8-validate: '>=5.0.2'
|
||||
peerDependenciesMeta:
|
||||
bufferutil:
|
||||
optional: true
|
||||
utf-8-validate:
|
||||
optional: true
|
||||
|
||||
ws@8.20.1:
|
||||
resolution: {integrity: sha512-It4dO0K5v//JtTXuPkfEOaI3uUN87iYPnqo/ZzqCoG3g8uhA66QUMs/SrM0YK7/NAu+r4LMh/9dq2A7k+rHs+w==}
|
||||
engines: {node: '>=10.0.0'}
|
||||
@@ -13785,11 +13770,11 @@ snapshots:
|
||||
'@module-federation/third-party-dts-extractor': 2.4.0
|
||||
adm-zip: 0.5.10
|
||||
ansi-colors: 4.1.3
|
||||
isomorphic-ws: 5.0.0(ws@8.18.0)
|
||||
isomorphic-ws: 5.0.0(ws@8.20.1)
|
||||
node-schedule: 2.1.1
|
||||
typescript: 5.9.3
|
||||
undici: 7.24.7
|
||||
ws: 8.18.0
|
||||
ws: 8.20.1
|
||||
transitivePeerDependencies:
|
||||
- bufferutil
|
||||
- node-fetch
|
||||
@@ -17479,10 +17464,6 @@ snapshots:
|
||||
|
||||
boolbase@1.0.0: {}
|
||||
|
||||
brace-expansion@5.0.5:
|
||||
dependencies:
|
||||
balanced-match: 4.0.3
|
||||
|
||||
brace-expansion@5.0.6:
|
||||
dependencies:
|
||||
balanced-match: 4.0.4
|
||||
@@ -19606,9 +19587,9 @@ snapshots:
|
||||
transitivePeerDependencies:
|
||||
- encoding
|
||||
|
||||
isomorphic-ws@5.0.0(ws@8.18.0):
|
||||
isomorphic-ws@5.0.0(ws@8.20.1):
|
||||
dependencies:
|
||||
ws: 8.18.0
|
||||
ws: 8.20.1
|
||||
|
||||
istanbul-lib-coverage@3.2.2: {}
|
||||
|
||||
@@ -20869,7 +20850,7 @@ snapshots:
|
||||
balanced-match: 4.0.3
|
||||
base64-js: 1.5.1
|
||||
bl: 4.1.0
|
||||
brace-expansion: 5.0.5
|
||||
brace-expansion: 5.0.6
|
||||
buffer: 5.7.1
|
||||
call-bind-apply-helpers: 1.0.2
|
||||
chalk: 4.1.2
|
||||
@@ -23533,8 +23514,6 @@ snapshots:
|
||||
|
||||
ws@7.5.10: {}
|
||||
|
||||
ws@8.18.0: {}
|
||||
|
||||
ws@8.20.1: {}
|
||||
|
||||
wsl-utils@0.1.0:
|
||||
|
||||
Reference in New Issue
Block a user