2186747940 security(deps): fix npm audit vulnerabilities (nodemailer CRLF, path-to-regexp ReDoS)
All checks were successful
Build & Deploy to Staging / Build & Deploy to Staging (push) Successful in 18m58s
Resolves 7 npm audit findings (3 moderate, 4 high) via `npm audit fix`
— no --force needed, all bumps satisfied by existing semver ranges:

  basic-ftp        5.2.0   -> 5.2.2    (high: FTP command injection via CRLF)
  brace-expansion  1.1.12  -> 1.1.13   (moderate: ReDoS / mem exhaustion)
  nodemailer       8.0.3   -> 8.0.5    (high: SMTP command injection via
                                        CRLF in EHLO/HELO transport name,
                                        GHSA-vvjj-xcjg-gr5g, and envelope.size
                                        injection GHSA-c7w3-x93f-qmm8)
  path-to-regexp   8.3.0   -> 8.4.2    (high: ReDoS, GHSA-j3q9-mxjg-w52f and
                                        GHSA-27v5-c462-wpq7)
  picomatch        4.0.3   -> 4.0.4    (high: method injection + ReDoS)
  vite             0.115.0 -> 0.124.0  (high: path traversal / FS bypass,
                                        dev-only, transitive via vitest)
  yaml             2.x     -> patched  (moderate: stack overflow, dev-only)

Only package-lock.json changed — no source changes required, no API
breaks. nodemailer 8.0.5 is fully backwards-compatible with our usage
in src/services/email.ts.

Adds src/__tests__/no-vulnerable-deps.test.ts as a TDD regression guard:
runs `npm audit --omit=dev --json` and asserts
metadata.vulnerabilities.high === 0 && critical === 0. Network failures
are skipped rather than failing CI. Red→Green verified locally (stashed
lockfile -> 2 high failures; restored -> 0).

Test count: 901 -> 902 (new regression guard). npm audit: 4 high -> 0.
2026-04-10 20:09:44 +02:00