brendan/nanodrop
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore: patch dependency vulnerabilities via npm audit fix #1

Merged
brendan merged 1 commits from chore/dependency-security-audit into main 2026-05-03 10:08:43 +00:00
Conversation 0 Commits 1 Files Changed 1 +30 -26
brendan commented 2026-05-03 10:08:38 +00:00
Owner
Copy Link

Resolves 7 advisories (1 critical, 3 high, 3 moderate) without
package.json range changes:

  • fast-jwt: algorithm confusion, cache key collision, ReDoS
  • fastify: content-type validation bypass, host spoofing
  • @fastify/static: path traversal & encoded-separator route bypass
  • vite (dev only): WS file read, fs.deny bypass, .map traversal
  • postcss/picomatch/brace-expansion (transitive): XSS, ReDoS, DoS

npm audit clean; 61 tests pass.

Resolves 7 advisories (1 critical, 3 high, 3 moderate) without package.json range changes: - fast-jwt: algorithm confusion, cache key collision, ReDoS - fastify: content-type validation bypass, host spoofing - @fastify/static: path traversal & encoded-separator route bypass - vite (dev only): WS file read, fs.deny bypass, .map traversal - postcss/picomatch/brace-expansion (transitive): XSS, ReDoS, DoS npm audit clean; 61 tests pass.
brendan added 1 commit 2026-05-03 10:08:38 +00:00
chore: patch dependency vulnerabilities via npm audit fix f27ba4922a 
Resolves 7 advisories (1 critical, 3 high, 3 moderate) without
package.json range changes:
- fast-jwt: algorithm confusion, cache key collision, ReDoS
- fastify: content-type validation bypass, host spoofing
- @fastify/static: path traversal & encoded-separator route bypass
- vite (dev only): WS file read, fs.deny bypass, .map traversal
- postcss/picomatch/brace-expansion (transitive): XSS, ReDoS, DoS

npm audit clean; 61 tests pass.
brendan merged commit d30f40ca71 into main 2026-05-03 10:08:43 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
Clear labels
bug
Bug — consumed by the bug-fixer fleet tick
 feature
Feature — consumed by the implementer fleet tick
 superseded
Subsumed by a newer issue; skip when picking next item
 sysadmin
Requires human/sysadmin action (not bug-fixer scope)
 urgent
Production-affecting; picked before normal items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
brendan
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: brendan/nanodrop#1
Delete Branch "chore/dependency-security-audit"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?