fix: upgrade happy-dom and pin transitive deps to fix known CVEs #167
Open
brentrockwood wants to merge 5 commits into
Addresses three advisories identified by npm audit:

- @happy-dom/global-registrator: ^15.11.0 → ^20.9.0
  GHSA-37j7-fg3j-429f (critical) — VM context escape → RCE
  GHSA-6q6h-j7hj-3r64 (high) — unsanitized export names executed as code
  GHSA-w4gp-fjgq-3q4g (high) — fetch credentials leak
- rollup (transitive, via overrides): 3.29.5 → 3.30.0
  GHSA-mw96-cpmx-2vgc (high) — arbitrary file write via path traversal
- postcss (transitive, via overrides): 8.5.6 → 8.5.14
  GHSA-qx2v-qp2m-jg93 (moderate) — XSS via unescaped </style> in output

happy-dom v20 requires a document URL when using relative-URL fetch calls, so GlobalRegistrator.register() is updated to pass url: 'http://localhost/' as recommended by the library.

Test pass/fail counts are unchanged (38/293 failures are all pre-existing and caused by the absent WASM build artifact).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Security hardening on top of the CVE fixes:

- Remove ^ ranges from @happy-dom/global-registrator, rollup override, and postcss override so lockfile regeneration cannot silently pull in a newer (potentially compromised) version.
- Add .devcontainer/devcontainer.json for DevPod / VS Code Dev Containers. The container image is pinned by SHA256 content digest (not just tag). postCreateCommand enables Nix flakes, initializes the git submodule, and pre-populates the Nix store from flake.lock so `nix develop` is instant. All downloads inside the container are hash-verified by Nix against flake.lock, including the pinned Zig 0.15.2 toolchain.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The SSH_AUTH_SOCK bind mount failed on macOS where the socket path is inside a sandboxed temp directory Docker can't reach. Removing it keeps the devcontainer portable. The // comments also caused a JSON parse error in DevPod; devcontainer.json is strict JSON, not JSONC.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary
Addresses known vulnerabilities in dev dependencies found by `npm audit`, with exact version pinning.
Critical / High — happy-dom upgrade
`@happy-dom/global-registrator` upgraded from `^15.11.0` → exact `20.9.0`:
`GlobalRegistrator.register()` API is unchanged between v15 and v20. The only required code change is passing `url: 'http://localhost/'` to `register()`, which happy-dom v20 requires so relative-URL `fetch` calls have a valid base (it previously defaulted to `about:blank`, which v20 no longer allows for relative URL resolution).
High — rollup path traversal (transitive)
Added `overrides` to pin `rollup` to exact `3.30.0`:
Moderate — postcss XSS (transitive)
Added `overrides` to pin `postcss` to exact `8.5.10`:
Supply-chain hardening
All new version constraints use exact pins (no `^`) so lockfile regeneration cannot silently pull in a different version.
Test plan
Out of scope
`vite@4.5.14` and `esbuild@0.18.20` also have known advisories but require a major Vite version bump (v4 → v6+). Separate effort.
🤖 Generated with Claude Code
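The two mechanisms this PR relies on, shown as an added example that is not code from PR #167, from happy-dom, or from the project: first, why a relative-URL `fetch` needs a real document URL as its base (the `url: 'http://localhost/'` requirement), demonstrated with the WHATWG URL parser built into Node rather than happy-dom itself; second, a lint that fails when any devDependency or override still carries a semver range, so the "exact pins only" rule from the Supply-chain hardening section can be enforced in CI instead of by eye. The package.json fragments are constructed for the example; the nested `vite: { esbuild: ... }` override is an assumed shape that npm accepts, not something the PR adds.

```javascript
// Added example, not code from PR #167 or from happy-dom. It demonstrates:
//   1. why a relative-URL fetch needs a real document URL as its base (the
//      happy-dom v20 `url: 'http://localhost/'` requirement), using only the
//      WHATWG URL parser built into Node;
//   2. a lint that fails when a devDependency or override still carries a
//      semver range, so the "exact pins only" rule can be enforced in CI.
// The package.json fragments below are constructed sample data.

// Resolve a request target against a document base the way fetch() does.
// Returns the absolute href, or null when the base cannot anchor the input
// (about:blank has an opaque path, so relative resolution against it fails).
function resolveAgainstBase(input, base) {
  try {
    return new URL(input, base).href;
  } catch {
    return null;
  }
}

// With @happy-dom/global-registrator v20 the base is supplied as
//   GlobalRegistrator.register({ url: 'http://localhost/' });
// (quoted from the PR description; happy-dom is not loaded here).

// An exact pin is MAJOR.MINOR.PATCH plus optional prerelease/build metadata.
// Anything else (^, ~, >=, x-ranges, *, ||, a bare "3") lets the resolver drift
// to a different version when the lockfile is regenerated.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Walk a dependency or overrides tree. npm overrides may nest, e.g.
// { "vite": { "esbuild": "0.18.20" } } to override esbuild only under vite,
// so object values are descended and the path is recorded as "vite>esbuild".
function collectConstraints(tree, path, out) {
  for (const [name, value] of Object.entries(tree)) {
    const here = path ? `${path}>${name}` : name;
    if (value !== null && typeof value === 'object') {
      collectConstraints(value, here, out);
    } else {
      out.push({ path: here, constraint: String(value) });
    }
  }
  return out;
}

// Return every constraint in the chosen package.json fields that is not an
// exact pin. An empty array means deleting package-lock.json and running
// `npm install` can only resolve to the versions that were reviewed.
function findRangeConstraints(pkg, fields = ['devDependencies', 'overrides']) {
  const offenders = [];
  for (const field of fields) {
    const entries = collectConstraints(pkg[field] ?? {}, '', []);
    for (const { path, constraint } of entries) {
      if (!EXACT_SEMVER.test(constraint)) {
        offenders.push({ field, path, constraint });
      }
    }
  }
  return offenders;
}

// Constructed fragments: the state the "remove ^ ranges" commit describes,
// before and after. Versions match the ones named in the PR; the nested
// vite override is an assumed example of npm's nested-override syntax.
const PKG_BEFORE = {
  devDependencies: { '@happy-dom/global-registrator': '^15.11.0', vite: '4.5.14' },
  overrides: { rollup: '^3.30.0', postcss: '^8.5.10', vite: { esbuild: '0.18.20' } },
};
const PKG_AFTER = {
  devDependencies: { '@happy-dom/global-registrator': '20.9.0', vite: '4.5.14' },
  overrides: { rollup: '3.30.0', postcss: '8.5.10', vite: { esbuild: '0.18.20' } },
};

console.log(resolveAgainstBase('/api/items', 'about:blank'));       // null
console.log(resolveAgainstBase('/api/items', 'http://localhost/')); // http://localhost/api/items
console.log(findRangeConstraints(PKG_BEFORE));                      // three offending entries
console.log(findRangeConstraints(PKG_AFTER));                       // []
```

In a CI step, `findRangeConstraints` over the real `package.json` with a non-empty result should fail the build; the path form `vite>esbuild` tells the reviewer which nested override to look at. The `about:blank` case is the one happy-dom v20 stopped tolerating: an absolute URL still resolves against it, only relative targets do not.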