
fix: replace allowlisted vulnerabilities with npm overrides #189

Merged

gibaros merged 1 commit into main from chore/fix-axios-override on Feb 18, 2026

Conversation

@gibaros gibaros (Contributor) commented Feb 18, 2026

Summary

  • Added axios@1.13.5 override to fix GHSA-43fc-jf86-j433 (axios DoS vulnerability)
  • Added lodash@4.17.23 and lodash-es@4.17.23 overrides to fix GHSA-xxjr-mmjv-4gpg (prototype pollution)
  • Removed both GHSAs from audit-ci.jsonc allowlist — only GHSA-2g4f-4pwh-qvx6 (ajv ReDoS) remains as it genuinely cannot be overridden without breaking standard@17

Context

PR #188 incorrectly allowlisted these vulnerabilities instead of fixing them with npm overrides. This PR corrects that by applying proper overrides for the patched versions.

Test plan

  • npm run audit:check passes (only ajv allowlisted)
  • npm ls axios shows 1.13.5 everywhere
  • npm ls lodash-es shows 4.17.23 (overridden from 4.17.21)
  • All 136 unit tests pass

🤖 Generated with Claude Code

- Added axios@1.13.5 override to fix GHSA-43fc-jf86-j433 (DoS)
- Added lodash@4.17.23 and lodash-es@4.17.23 overrides to fix GHSA-xxjr-mmjv-4gpg (prototype pollution)
- Removed GHSA-43fc-jf86-j433 and GHSA-xxjr-mmjv-4gpg from audit-ci allowlist
- Only GHSA-2g4f-4pwh-qvx6 (ajv) remains allowlisted as it cannot be overridden without breaking standard@17

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@sonarqubecloud

@elnyry-sam-k elnyry-sam-k (Member) left a comment


👍

@gibaros gibaros merged commit 904fcad into main Feb 18, 2026
16 checks passed