
fix: remove stale fast-xml-parser override, upgrade aws-cdk-lib #368

Merged
notgitika merged 3 commits into main from fix/npm-audit-minimatch-ajv on Feb 20, 2026

Conversation

@tejaskash tejaskash (Contributor) commented Feb 20, 2026

Summary

Remaining audit findings are unfixable upstream issues:

  • aws-cdk-lib bundles [email protected] — overrides cannot affect bundled deps
  • eslint (all versions including v10) depends on ajv@^6 — no v6 patch exists

Test plan

  • npm run lint passes
  • npm test — all 1,737 unit tests pass

- Add minimatch override to 10.2.1 (GHSA-3ppc-4f35-3m26) fixing 19 of
  21 high-severity ReDoS findings across eslint, typescript-eslint,
  archiver, and prettier-plugin-sort-imports transitive deps
- Upgrade aws-cdk-lib devDependency to ^2.239.0 to fix bundled
  ajv 8.17.1 -> 8.18.0 (GHSA-2g4f-4pwh-qvx6)
- Scope security:audit to production deps (--omit=dev) since remaining
  findings are in bundled dev deps with no upstream fix available
  (aws-cdk-lib bundled minimatch v3, eslint ajv v6)
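
The summary above rests on one mechanical point: a package.json `overrides` entry is honoured by npm's resolver, but a copy of a package that ships inside another package's tarball (npm marks it `"inBundle": true` in package-lock.json) is unpacked from that tarball and is never replaced. The following is an added example, not code from this PR or the repository, that reads a lockfile and sorts each copy of a vulnerable package into "already fixed", "reachable by an override" and "bundled, upstream only", and then shows what `npm audit --omit=dev` would still report. The lockfile fragment, its paths and versions, and the dev flags are constructed assumptions for illustration, not the repository's real dependency tree.

```javascript
// Added example, not code from the PR or the repository it belongs to.
// Given a parsed package-lock.json (lockfileVersion 2 or 3), decide which
// copies of a vulnerable package a package.json "overrides" entry can reach.
// npm marks copies that ship inside another package's tarball with
// "inBundle": true; they are unpacked from that tarball, so overrides never
// replace them. Entries marked "dev": true are reachable only through
// devDependencies and disappear from `npm audit --omit=dev`.

// Constructed lockfile fragment. Paths, versions and the dev flags are
// assumptions for illustration, not the repository's real resolved tree.
const LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/minimatch": { version: "9.0.5", dev: true },
    "node_modules/eslint": { version: "9.0.0", dev: true },
    "node_modules/ajv": { version: "6.12.6", dev: true },
    "node_modules/aws-cdk-lib": { version: "2.239.0", dev: true },
    "node_modules/aws-cdk-lib/node_modules/minimatch": { version: "3.1.2", dev: true, inBundle: true },
    "node_modules/aws-cdk-lib/node_modules/ajv": { version: "8.18.0", dev: true, inBundle: true },
    "node_modules/fast-xml-parser": { version: "5.3.4" },
  },
};

// Numeric major.minor.patch comparison; pre-release tags are ignored.
function compareVersions(a, b) {
  const pa = a.split(".").map((n) => parseInt(n, 10));
  const pb = b.split(".").map((n) => parseInt(n, 10));
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Every installed copy of pkgName, with whether it is bundled, by whom,
// and whether it is dev-only.
function findCopies(lockfile, pkgName) {
  const suffix = "node_modules/" + pkgName;
  const copies = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path !== suffix && !path.endsWith("/" + suffix)) continue;
    // For a bundled copy the bundling package is the enclosing path.
    const bundledBy = entry.inBundle
      ? path.slice(0, path.lastIndexOf("/node_modules/"))
      : null;
    copies.push({
      path,
      version: entry.version,
      bundled: Boolean(entry.inBundle),
      bundledBy,
      devOnly: Boolean(entry.dev),
    });
  }
  return copies;
}

// Split the copies of pkgName into: already at or above fixedVersion (ok),
// reachable by an override (overridable), and bundled copies that only the
// bundling package's maintainer can fix (bundled).
function planFix(lockfile, pkgName, fixedVersion) {
  const plan = { ok: [], overridable: [], bundled: [] };
  for (const copy of findCopies(lockfile, pkgName)) {
    if (compareVersions(copy.version, fixedVersion) >= 0) plan.ok.push(copy);
    else if (copy.bundled) plan.bundled.push(copy);
    else plan.overridable.push(copy);
  }
  return plan;
}

// The "overrides" entry to add, or null when an override would change nothing.
function overrideFor(plan, pkgName, fixedVersion) {
  return plan.overridable.length ? { [pkgName]: fixedVersion } : null;
}

// Findings left after the override is applied; with omitDev they are reduced
// to what `npm audit --omit=dev` would still report.
function remainingFindings(plan, omitDev) {
  return omitDev ? plan.bundled.filter((c) => !c.devOnly) : plan.bundled;
}

for (const [pkg, fixed] of [["minimatch", "10.2.1"], ["ajv", "8.18.0"]]) {
  const plan = planFix(LOCKFILE, pkg, fixed);
  console.log(pkg, JSON.stringify({
    override: overrideFor(plan, pkg, fixed),
    bundled: plan.bundled.map((c) => c.path),
    stillReportedWithOmitDev: remainingFindings(plan, true).map((c) => c.path),
  }));
}
```

"Overridable" only means npm will honour the override; whether the dependent still works against the new version is a separate question, which is why a major-version jump such as minimatch v3 to v10 under eslint is a compatibility risk even when the audit finding disappears. Similarly, the ajv copy under eslint is technically overridable here, but eslint's `ajv@^6` range means forcing v8 would break it.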
@tejaskash tejaskash requested a review from a team February 20, 2026 19:38
@github-actions github-actions bot added the size/xs PR size: XS label Feb 20, 2026
github-actions bot commented Feb 20, 2026

Coverage Report

Status  Category    Percentage  Covered / Total
🔵      Lines       43.53%      2883 / 6623
🔵      Statements  43.12%      3038 / 7045
🔵      Functions   45.53%       607 / 1333
🔵      Branches    48.48%      1893 / 3904
Generated in workflow #484 for commit 0cb086b by the Vitest Coverage Report Action

@aws-sdk/[email protected] now natively pins [email protected],
so the CVE-2026-26278 override is no longer needed.
@github-actions github-actions bot added size/xs PR size: XS and removed size/xs PR size: XS labels Feb 20, 2026
Keep security:audit at --audit-level=high without --omit=dev.
Remove minimatch override to avoid major version bump risk (v3 -> v10).
Remaining minimatch and ajv findings are upstream issues with no fix.
@tejaskash tejaskash changed the title fix: resolve npm audit vulnerabilities for minimatch and ajv fix: remove stale fast-xml-parser override, upgrade aws-cdk-lib Feb 20, 2026
@notgitika notgitika (Contributor) left a comment

LGTM thanks

@notgitika notgitika merged commit 4a02d94 into main Feb 20, 2026
17 of 19 checks passed
@notgitika notgitika deleted the fix/npm-audit-minimatch-ajv branch February 20, 2026 20:06