fix(deps): pin esbuild 0.28.1 and cookie >=0.7.0 to clear npm audit gate (#817) #819

Merged
marcel merged 1 commit from feat/issue-817-npm-audit-esbuild-cookie into main 2026-06-13 00:34:06 +02:00

Closes #817.

What & why

The CI step "Security audit (no dev deps)" (npm audit --audit-level=high --omit=dev) was failing repo-wide on every PR — newly-published advisories landed against the already-pinned esbuild@0.27.7 (the two high findings GHSA-gv7w-rqvm-qjhr / GHSA-g7r4-m6w7-qqqr, pulled in transitively via vite -> @sveltejs/vite-plugin-svelte). The fix for both only exists at esbuild@0.28.1, and no vite@7.x accepts it (they all pin esbuild ^0.27.0) — so a scoped vite bump is a verified dead-end.

This is Option 1 from the issue: an overrides block, not a Vite 8 migration.

"overrides": {
  "esbuild": "0.28.1",
  "cookie": ">=0.7.0"
}
  • esbuild pinned exact (no caret) so a future 0.29.x can't silently float in and re-break vite — Renovate proposes bumps explicitly.
  • cookie >=0.7.0 clears the low GHSA-pxg6-pf52-xh8x reaching the prod tree via @sentry/sveltekit (resolves to 1.1.1); drop-in, done in the same pass.

package.json + the regenerated package-lock.json are committed together in one atomic commit. patch-package/postinstall and the @vitest/browser-playwright@4.1.6 exact pin (ADR-012) were left untouched.

Known-risk validation (the override forces esbuild outside vite@7.3.3's declared ^0.27.0 range)

This was validated, not assumed: "esbuild@0.28.1 overridden" was confirmed via npm ls esbuild; build, lint and a dev-server boot all succeed.

Verification checklist

[x] cd frontend && npm install
[x] npm audit --audit-level=high --omit=dev   -> exit 0, "found 0 vulnerabilities"
[x] npm run build                              -> succeeds (adapter-node ✔ done + postbuild wasm assert)
[x] npm run check                              -> 801 errors / 38 warnings (matches known baseline; 0 in package.json/lock; CI doesn't gate)
[x] npm run lint                               -> clean
[ ] npm run test                               -> deferred to CI (full suite is OOM-unsafe to run on this machine; change touches zero source, only dep versions)
[x] npm run dev                                -> boots on :5174, /hilfe/transkription renders 200, no esbuild transform error -> killed

Note on npm run test: the full Vitest browser sweep is not run locally (it reliably OOMs this dev box). Since this change modifies only dependency versions — no application source — the suite is left to CI. Lockfile change cleanly invalidates the node_modules cache (key is hashFiles('frontend/package-lock.json')).

Out of scope

Prevention/early-warning (nightly audit gate + Renovate vulnerability surfacing) is tracked in its own follow-up issue, per the decision on #817.

🤖 Generated with Claude Code
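
An added check, not part of this PR or the project's code: the description verifies the override by eyeballing npm ls esbuild and by the audit exit code. The script below does the same two checks mechanically over the JSON forms of those commands (npm ls esbuild --all --json and npm audit --omit=dev --json, npm 8+ report shapes), so it also catches the case the manual look can miss: a second, non-overridden copy of the package deeper in the tree. The ls and audit documents embedded in it are constructed for this example (the advisory URLs are built from the GHSA ids named in this PR; the tree layout and the 0.27.7 "before" state are illustrative, not captured output).

```javascript
// Added example (not the project's code): verify that an npm "overrides" pin
// actually took effect everywhere in the tree, and that the production tree
// carries nothing at or above the CI gate's severity. Input shapes follow
// `npm ls <pkg> --all --json` and `npm audit --json` (npm 8+); the sample
// documents further down are constructed for this example, not captured output.

// npm's severity ordering, as used by `npm audit --audit-level=<level>`.
const SEVERITY = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Walk an `npm ls --json` tree and return every resolved copy of `name` with
// its path; `overridden: true` is the flag npm sets when an override applied.
function collectVersions(tree, name, path = [], out = []) {
  for (const [dep, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, dep];
    if (dep === name && node.version) {
      out.push({ path: here.join(' > '), version: node.version, overridden: node.overridden === true });
    }
    collectVersions(node, name, here, out);
  }
  return out;
}

// Copies of `name` that did not land on the pinned version. A second,
// un-overridden copy deeper in the tree is the classic way a pin "works"
// at the top level while the advisory stays in the audit report.
function findUnpinned(lsJson, name, pinned) {
  return collectVersions(lsJson, name).filter((c) => c.version !== pinned);
}

// From `npm audit --json`, the packages whose severity meets `level`, with the
// advisory URLs npm lists under `via` (string entries in `via` are just the
// names of packages the finding flows through, so they are skipped).
function gatingAdvisories(auditJson, level) {
  const threshold = SEVERITY[level];
  return Object.values(auditJson.vulnerabilities || {})
    .filter((v) => SEVERITY[v.severity] >= threshold)
    .map((v) => ({
      name: v.name,
      severity: v.severity,
      advisories: (v.via || []).filter((x) => typeof x === 'object').map((x) => x.url),
    }));
}

// The whole gate: the pin landed on every copy AND nothing at/above `level` remains.
function checkGate(lsJson, auditJson, { name, pinned, level }) {
  const unpinned = findUnpinned(lsJson, name, pinned);
  const advisories = gatingAdvisories(auditJson, level);
  return { ok: unpinned.length === 0 && advisories.length === 0, unpinned, advisories };
}

// --- constructed samples (shapes mirror npm output; values are illustrative) ---
const LS_BEFORE = { name: 'frontend', dependencies: {
  vite: { version: '7.3.3', dependencies: { esbuild: { version: '0.27.7' } } } } };
const LS_AFTER = { name: 'frontend', dependencies: {
  vite: { version: '7.3.3', dependencies: { esbuild: { version: '0.28.1', overridden: true } } } } };
const AUDIT_BEFORE = { vulnerabilities: {
  esbuild: { name: 'esbuild', severity: 'high', via: [
    { name: 'esbuild', severity: 'high', url: 'https://github.com/advisories/GHSA-gv7w-rqvm-qjhr' },
    { name: 'esbuild', severity: 'high', url: 'https://github.com/advisories/GHSA-g7r4-m6w7-qqqr' } ] },
  cookie: { name: 'cookie', severity: 'low', via: [
    { name: 'cookie', severity: 'low', url: 'https://github.com/advisories/GHSA-pxg6-pf52-xh8x' } ] } } };
const AUDIT_AFTER = { vulnerabilities: {} };

const GATE = { name: 'esbuild', pinned: '0.28.1', level: 'high' };
const before = checkGate(LS_BEFORE, AUDIT_BEFORE, GATE);
const after = checkGate(LS_AFTER, AUDIT_AFTER, GATE);
console.log('before:', before.ok, before.unpinned, before.advisories.map((a) => a.name));
console.log('after :', after.ok, collectVersions(LS_AFTER, 'esbuild'));
```

To run it against a real tree, replace the constructed objects with the parsed output of npm ls esbuild --all --json and npm audit --audit-level=high --omit=dev --json from the frontend directory. Keep --omit=dev on the audit so the report matches what the CI gate sees; without it, dev-only paths would show up and the comparison would not be like-for-like. Note that the low cookie finding is below the high gate and so is not reported by checkGate, which is exactly why the PR cleared it by hand rather than relying on the audit to fail.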

marcel added 1 commit 2026-06-13 00:24:53 +02:00
fix(deps): pin esbuild 0.28.1 and cookie >=0.7.0 to clear npm audit gate
Some checks failed
CI / Unit & Component Tests (pull_request) Failing after 4m46s
CI / OCR Service Tests (pull_request) Successful in 24s
CI / Backend Unit Tests (pull_request) Successful in 5m42s
CI / fail2ban Regex (pull_request) Successful in 47s
CI / Semgrep Security Scan (pull_request) Successful in 21s
CI / Compose Bucket Idempotency (pull_request) Successful in 1m8s
CI / Unit & Component Tests (push) Successful in 5m23s
CI / OCR Service Tests (push) Successful in 24s
CI / Backend Unit Tests (push) Successful in 6m4s
CI / fail2ban Regex (push) Successful in 48s
CI / Semgrep Security Scan (push) Successful in 25s
CI / Compose Bucket Idempotency (push) Successful in 1m12s
nightly / deploy-staging (push) Successful in 5m20s
d11378c254
The CI step "Security audit (no dev deps)" (npm audit --audit-level=high
--omit=dev) failed repo-wide on every PR: newly-published advisories landed
against the already-pinned esbuild 0.27.7 (GHSA-gv7w-rqvm-qjhr,
GHSA-g7r4-m6w7-qqqr — both high), pulled in transitively via
vite -> @sveltejs/vite-plugin-svelte. The fix for both only exists at
esbuild@0.28.1. A scoped vite@7 minor bump cannot help — all vite 7.x pin
esbuild ^0.27.0.

Add an overrides block:
  - esbuild 0.28.1 (exact, no caret — a future 0.29.x must not silently
    float in and re-break vite; let Renovate propose bumps explicitly)
  - cookie >=0.7.0 (clears the low GHSA-pxg6-pf52-xh8x reaching the prod
    tree via @sentry/sveltekit; drop-in, done in the same pass)

npm audit --audit-level=high --omit=dev now exits 0 with 0 vulnerabilities.
npm run build, lint, and a dev-server boot all succeed with the forced
esbuild 0.28.1 (validated, not assumed — it sits outside vite@7.3.3's
declared ^0.27.0 range).

Closes #817

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
marcel merged commit d11378c254 into main 2026-06-13 00:34:06 +02:00
marcel deleted branch feat/issue-817-npm-audit-esbuild-cookie 2026-06-13 00:34:06 +02:00
No Reviewers
No Label
1 participant
Reference: marcel/familienarchiv#819