chore(deps): bump brace-expansion + ws overrides to clear audit #190

Merged
julien merged 1 commits from chore/audit-bump-brace-expansion-ws into main 2026-05-19 12:28:14 +02:00
Owner

Summary

Clears the two moderate GHSA advisories that started failing ci:audit:

  • brace-expansion >=5.0.0 <5.0.6 — DoS via large numeric range that bypasses the documented max protection (GHSA-jxxr-4gwj-5jf2). The existing override floor was at 5.0.5; bumped one patch to 5.0.6.
  • ws >=8.0.0 <8.20.1 — uninitialized memory disclosure (GHSA-58qx-3vcg-4xpx). No prior override; added one scoped to the 8.x advisory window only.

Both are reached transitively through Nx; nothing in this repo's own dependency surface is vulnerable directly.

What lands

package.json (pnpm.overrides block):

- "brace-expansion@<5.0.5": ">=5.0.5",
+ "brace-expansion@<5.0.6": ">=5.0.6",

+ "ws@>=8.0.0 <8.20.1": ">=8.20.1",

pnpm-lock.yaml reconciled with pnpm install.

Notes for the reviewer

  • Why the ws override is range-scoped, not a blanket ws@<8.20.1. Lighthouse pulls ws@7.5.10 via its own tree; the 7.x line sits entirely outside the advisory window (>=8.0.0 <8.20.1). A blanket <8.20.1 override would force-bump that transitive across a major version boundary and risk Lighthouse breakage with no security gain. The range form >=8.0.0 <8.20.1 → >=8.20.1 patches exactly the vulnerable consumers (@module-federation/dts-plugin, etc.) and leaves Lighthouse's pin untouched.
  • Why an override and not waiting for Nx to bump. Nx 22.7.2 is already on main (commits bd94bb4 / 6b20c34) but its sub-chain still resolves ws@8.18.0 and brace-expansion@5.0.5. Upstream pickup will land eventually via Renovate; in the meantime the audit gate blocks CI on every PR. Overrides are the standard pnpm escape hatch for this exact situation. The pattern is already used in this file (axios, ajv, esbuild, follow-redirects, ip-address, protobufjs, tmp, yaml).
  • Pruning policy. Once Nx ships a release whose pnpm-lock.yaml resolves both packages at or above the patched versions on its own, both override entries can be removed. The convention in this file's existing entries is to leave overrides in place even when redundant (cheap insurance against silent regressions); pruning is a separate sweep, not part of this fix.
  • No application code touched. Both packages live deep in the Nx/Module Federation build tooling — brace-expansion inside minimatch's glob expansion, ws inside Module Federation's HMR dev socket. Neither surfaces in the BFF or SPA runtime bundles. Build + test + lint were re-run across portal-shell, portal-admin, portal-bff, shared-charts, shared-ui as a sanity check; all green.

Test plan

  • pnpm install — lockfile reconciled, no extraneous package churn.
  • pnpm audit --audit-level=moderate — "No known vulnerabilities found" (replaces the two-row failure that started this PR).
  • pnpm nx run-many -t build test lint -p portal-shell,portal-admin,portal-bff,shared-charts,shared-ui — all green. Module Federation's HMR socket (the surface that uses ws) is exercised implicitly by every Angular build via @nx/angular's webpack pipeline.
  • Manual smokepnpm nx serve portal-shell + pnpm nx serve portal-admin: dev servers come up, HMR reloads on a trivial edit, no warnings or stack traces about ws or brace-expansion resolution.

What's next

  • Renovate will eventually pick up an Nx release whose own sub-chain ships ws@>=8.20.1 and brace-expansion@>=5.0.6 natively. At that point, the two override entries here are dead weight and can be pruned as a follow-up sweep alongside any other stale overrides.
## Summary Clears the two moderate GHSA advisories that started failing `ci:audit`: - **`brace-expansion`** `>=5.0.0 <5.0.6` — DoS via large numeric range that bypasses the documented `max` protection ([GHSA-jxxr-4gwj-5jf2](https://github.com/advisories/GHSA-jxxr-4gwj-5jf2)). The existing override floor was at `5.0.5`; bumped one patch to `5.0.6`. - **`ws`** `>=8.0.0 <8.20.1` — uninitialized memory disclosure ([GHSA-58qx-3vcg-4xpx](https://github.com/advisories/GHSA-58qx-3vcg-4xpx)). No prior override; added one scoped to the 8.x advisory window only. Both are reached transitively through Nx; nothing in this repo's own dependency surface is vulnerable directly. ## What lands `package.json` (`pnpm.overrides` block): ```diff - "brace-expansion@<5.0.5": ">=5.0.5", + "brace-expansion@<5.0.6": ">=5.0.6", + "ws@>=8.0.0 <8.20.1": ">=8.20.1", ``` `pnpm-lock.yaml` reconciled with `pnpm install`. ## Notes for the reviewer - **Why the `ws` override is range-scoped, not a blanket `ws@<8.20.1`.** Lighthouse pulls `ws@7.5.10` via its own tree; the 7.x line sits entirely outside the advisory window (`>=8.0.0 <8.20.1`). A blanket `<8.20.1` override would force-bump that transitive across a major version boundary and risk Lighthouse breakage with no security gain. The range form `>=8.0.0 <8.20.1 → >=8.20.1` patches exactly the vulnerable consumers (`@module-federation/dts-plugin`, etc.) and leaves Lighthouse's pin untouched. - **Why an override and not waiting for Nx to bump.** Nx 22.7.2 is already on `main` (commits `bd94bb4` / `6b20c34`) but its sub-chain still resolves `ws@8.18.0` and `brace-expansion@5.0.5`. Upstream pickup will land eventually via Renovate; in the meantime the audit gate blocks CI on every PR. Overrides are the standard pnpm escape hatch for this exact situation. The pattern is already used in this file (`axios`, `ajv`, `esbuild`, `follow-redirects`, `ip-address`, `protobufjs`, `tmp`, `yaml`). - **Pruning policy.** Once Nx ships a release whose `pnpm-lock.yaml` resolves both packages at or above the patched versions on its own, both override entries can be removed. The convention in this file's existing entries is to leave overrides in place even when redundant (cheap insurance against silent regressions); pruning is a separate sweep, not part of this fix. - **No application code touched.** Both packages live deep in the Nx/Module Federation build tooling — `brace-expansion` inside `minimatch`'s glob expansion, `ws` inside Module Federation's HMR dev socket. Neither surfaces in the BFF or SPA runtime bundles. Build + test + lint were re-run across `portal-shell`, `portal-admin`, `portal-bff`, `shared-charts`, `shared-ui` as a sanity check; all green. ## Test plan - [x] `pnpm install` — lockfile reconciled, no extraneous package churn. - [x] `pnpm audit --audit-level=moderate` — "No known vulnerabilities found" (replaces the two-row failure that started this PR). - [x] `pnpm nx run-many -t build test lint -p portal-shell,portal-admin,portal-bff,shared-charts,shared-ui` — all green. Module Federation's HMR socket (the surface that *uses* `ws`) is exercised implicitly by every Angular build via `@nx/angular`'s webpack pipeline. - [ ] **Manual smoke** — `pnpm nx serve portal-shell` + `pnpm nx serve portal-admin`: dev servers come up, HMR reloads on a trivial edit, no warnings or stack traces about `ws` or `brace-expansion` resolution. ## What's next - Renovate will eventually pick up an Nx release whose own sub-chain ships `ws@>=8.20.1` and `brace-expansion@>=5.0.6` natively. At that point, the two override entries here are dead weight and can be pruned as a follow-up sweep alongside any other stale overrides.
julien added 1 commit 2026-05-19 12:27:32 +02:00
chore(deps): bump brace-expansion + ws overrides to clear audit
CI / scan (pull_request) Successful in 3m22s
CI / commits (pull_request) Successful in 3m52s
CI / check (pull_request) Successful in 5m41s
CI / a11y (pull_request) Successful in 2m46s
Docs site / build (pull_request) Successful in 3m57s
CI / perf (pull_request) Successful in 8m57s
18a9370354
Two new GHSA advisories surfaced in pnpm audit:

- brace-expansion >=5.0.0 <5.0.6 — DoS via large numeric range
  (GHSA-jxxr-4gwj-5jf2). The existing override floor was 5.0.5;
  bump to 5.0.6.
- ws >=8.0.0 <8.20.1 — uninitialized memory disclosure
  (GHSA-58qx-3vcg-4xpx). Reached via @nx/angular >
  @nx/module-federation > @module-federation/enhanced >
  @module-federation/dts-plugin > ws@8.18.0. Pinning the override
  to the 8.x range only — lighthouse's transitive ws@7.5.10 sits
  outside the advisory.

Both fixes are pure pnpm.overrides bumps; remove them once Nx's
upstream chain catches up.
julien merged commit 8136695fa8 into main 2026-05-19 12:28:14 +02:00
julien deleted branch chore/audit-bump-brace-expansion-ws 2026-05-19 12:28:15 +02:00
Sign in to join this conversation.
No Reviewers
No Label
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: julien/apf_portal#190