chore(deps): bump brace-expansion + ws overrides to clear audit #190
Reference in New Issue
Block a user
Delete Branch "chore/audit-bump-brace-expansion-ws"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
Clears the two moderate GHSA advisories that started failing
ci:audit:brace-expansion>=5.0.0 <5.0.6— DoS via large numeric range that bypasses the documentedmaxprotection (GHSA-jxxr-4gwj-5jf2). The existing override floor was at5.0.5; bumped one patch to5.0.6.ws>=8.0.0 <8.20.1— uninitialized memory disclosure (GHSA-58qx-3vcg-4xpx). No prior override; added one scoped to the 8.x advisory window only.Both are reached transitively through Nx; nothing in this repo's own dependency surface is vulnerable directly.
What lands
package.json(pnpm.overridesblock):pnpm-lock.yamlreconciled withpnpm install.Notes for the reviewer
wsoverride is range-scoped, not a blanketws@<8.20.1. Lighthouse pullsws@7.5.10via its own tree; the 7.x line sits entirely outside the advisory window (>=8.0.0 <8.20.1). A blanket<8.20.1override would force-bump that transitive across a major version boundary and risk Lighthouse breakage with no security gain. The range form>=8.0.0 <8.20.1 → >=8.20.1patches exactly the vulnerable consumers (@module-federation/dts-plugin, etc.) and leaves Lighthouse's pin untouched.main(commitsbd94bb4/6b20c34) but its sub-chain still resolvesws@8.18.0andbrace-expansion@5.0.5. Upstream pickup will land eventually via Renovate; in the meantime the audit gate blocks CI on every PR. Overrides are the standard pnpm escape hatch for this exact situation. The pattern is already used in this file (axios,ajv,esbuild,follow-redirects,ip-address,protobufjs,tmp,yaml).pnpm-lock.yamlresolves both packages at or above the patched versions on its own, both override entries can be removed. The convention in this file's existing entries is to leave overrides in place even when redundant (cheap insurance against silent regressions); pruning is a separate sweep, not part of this fix.brace-expansioninsideminimatch's glob expansion,wsinside Module Federation's HMR dev socket. Neither surfaces in the BFF or SPA runtime bundles. Build + test + lint were re-run acrossportal-shell,portal-admin,portal-bff,shared-charts,shared-uias a sanity check; all green.Test plan
pnpm install— lockfile reconciled, no extraneous package churn.pnpm audit --audit-level=moderate— "No known vulnerabilities found" (replaces the two-row failure that started this PR).pnpm nx run-many -t build test lint -p portal-shell,portal-admin,portal-bff,shared-charts,shared-ui— all green. Module Federation's HMR socket (the surface that usesws) is exercised implicitly by every Angular build via@nx/angular's webpack pipeline.pnpm nx serve portal-shell+pnpm nx serve portal-admin: dev servers come up, HMR reloads on a trivial edit, no warnings or stack traces aboutwsorbrace-expansionresolution.What's next
ws@>=8.20.1andbrace-expansion@>=5.0.6natively. At that point, the two override entries here are dead weight and can be pruned as a follow-up sweep alongside any other stale overrides.