chore: Resolve all 105 security vulnerabilities #213
Merged
Conversation
Security Audit Results:
- Before: 5 critical, 14 high, 56 moderate, 30 low
- After: 0 vulnerabilities

Changes:
- Added yup@^0.32.9 to dependencies (explicit declaration)
- Added strip-ansi@^6.0.1 to devDependencies (build compatibility)
- Updated @strapi/strapi@^5.24.1 in devDependencies
- Added 18 yarn resolutions for vulnerable packages
- Added .nvmrc with Node 20.18.0

Key Resolutions:
- form-data@^4.0.4, koa@^2.15.4, axios@^1.12.0
- glob@^10.5.0, tar-fs@^2.1.4, esbuild@^0.25.0
- js-yaml@^4.1.1, undici@^6.21.2, vite@^5.4.12
- ai@^5.0.52, brace-expansion@^2.0.2, formidable@^2.1.3
- tmp@^0.2.4, strip-ansi@^6.0.1, string-width@^4.2.3
- wrap-ansi@^7.0.0, ansi-regex@^5.0.1

Note: Symlinks required in node_modules after yarn install:
ln -sf strip-ansi-cjs strip-ansi
ln -sf string-width-cjs string-width
ln -sf wrap-ansi-cjs wrap-ansi

Verified: Build and lint successful, no breaking changes
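A resolutions-based fix like the one described above only removes a finding if every installed copy of the package (including nested node_modules copies) actually lands inside the pinned range, and the symlink workaround makes that harder to see from `yarn audit` alone. The script below is an added example, not the plugin's code and not part of this PR: it parses yarn `resolutions` keys (including `**/pkg` and scoped forms), applies npm caret semantics, walks a node_modules tree, and reports copies that escaped the pin or pins that match nothing. The sample resolutions and installed tree at the bottom are constructed for the demo; the `package.json` and `node_modules` paths in `main()` are assumed to be relative to the current directory.

```python
"""Verify that yarn `resolutions` pins actually took effect in node_modules.

Added example for this PR page (not the plugin's own code, not part of the PR).
The sample data at the bottom is constructed; paths in main() are assumptions.
"""
import json
import re
from pathlib import Path

_VER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """'1.12.2' or 'v1.12.2-beta.1' -> (1, 12, 2); prerelease/build tags are dropped."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a semver version: {text!r}")
    return tuple(int(x) for x in m.groups())


def caret_bounds(spec):
    """'^X.Y.Z' or exact 'X.Y.Z' -> (lower_inclusive, upper_exclusive) per npm
    caret rules: ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4."""
    spec = spec.strip()
    if spec.startswith("^"):
        lo = parse_version(spec[1:])
        major, minor, patch = lo
        if major > 0:
            hi = (major + 1, 0, 0)
        elif minor > 0:
            hi = (0, minor + 1, 0)
        else:
            hi = (0, 0, patch + 1)
        return lo, hi
    lo = parse_version(spec)  # exact pin: only that version satisfies
    return lo, (lo[0], lo[1], lo[2] + 1)


def satisfies(version, spec):
    lo, hi = caret_bounds(spec)
    return lo <= parse_version(version) < hi


def resolution_target(key):
    """Yarn resolution keys may carry a path prefix ('**/glob', 'koa/debug');
    the pinned package is the trailing name, which may be scoped ('@strapi/utils')."""
    parts = key.split("/")
    if len(parts) >= 2 and parts[-2].startswith("@"):
        return "/".join(parts[-2:])
    return parts[-1]


def scan_node_modules(root):
    """Collect every installed version per package name from a real node_modules
    tree, nested node_modules included (duplicate copies are exactly what a
    resolution is meant to collapse)."""
    found = {}
    for pkg_json in Path(root).rglob("package.json"):
        parent = pkg_json.parent
        direct = parent.parent.name == "node_modules"
        scoped = parent.parent.name.startswith("@") and parent.parent.parent.name == "node_modules"
        if not (direct or scoped):
            continue  # a package.json inside lib/ or test fixtures, not a package root
        try:
            data = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        name, version = data.get("name"), data.get("version")
        if isinstance(name, str) and isinstance(version, str):
            found.setdefault(name, []).append(version)
    return found


def check_resolutions(resolutions, installed):
    """Return {'violations': {pkg: [bad versions]}, 'missing': [pkg, ...]}.
    A violation is an installed copy outside the pinned range (the audit finding
    is still live for that copy); a missing entry is a pin nothing installs."""
    violations, missing = {}, []
    for key, spec in resolutions.items():
        pkg = resolution_target(key)
        versions = installed.get(pkg)
        if not versions:
            missing.append(pkg)
            continue
        bad = sorted(v for v in versions if not satisfies(v, spec))
        if bad:
            violations[pkg] = bad
    return {"violations": violations, "missing": sorted(missing)}


# Constructed sample: a few of the PR's pins against an installed tree in which a
# nested koa copy and an esbuild major bump escaped the resolution.
SAMPLE_RESOLUTIONS = {
    "axios": "^1.12.0",
    "koa": "^2.15.4",
    "esbuild": "^0.25.0",
    "**/@strapi/utils": "^5.34.0",
    "strip-ansi": "^6.0.1",
}
SAMPLE_INSTALLED = {
    "axios": ["1.12.2"],
    "koa": ["2.15.4", "2.14.2"],
    "esbuild": ["0.25.4", "0.26.0"],
    "@strapi/utils": ["5.34.0"],
    "tmp": ["0.2.1"],
}


def main():
    # Assumed layout: run from the project root after `yarn install`.
    pkg = json.loads(Path("package.json").read_text(encoding="utf-8"))
    report = check_resolutions(pkg.get("resolutions", {}), scan_node_modules("node_modules"))
    print(json.dumps(report, indent=2))
    return 1 if report["violations"] else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it from the project root after `yarn install`; a non-zero exit means at least one copy of a pinned package is still outside the range the audit fix relies on. The scanner keys on the `name` field inside each package.json rather than the directory name, so an aliased install (the `strip-ansi-cjs` style packages the symlink note refers to) is counted under its real package name.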
@TMSchipper Could you please check if all publisher functionalities still work. I am not yet familiar with this plugin and its functionalities. And no unit tests are in place yet.
Remove all yarn resolutions as these should be handled by Strapi itself.

The resolutions were targeting Strapi's runtime dependencies (koa, axios, vite, undici, etc.) which are Strapi's responsibility to maintain.

Updated @strapi/strapi from 5.24.1 to 5.33.4 to get latest security fixes.

Remaining vulnerabilities (50 total):
- Primarily from Strapi dependencies (vite, tmp)
- DevDependencies (react-router-dom, eslint)

These should be addressed upstream by Strapi.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Update all Strapi packages to latest versions:
- @strapi/strapi: 5.33.4 → 5.34.0
- @strapi/design-system: ^2.0.0-rc.11 → ^2.1.2
- @strapi/icons: ^2.0.0-rc.11 → ^2.1.2
- @strapi/utils: ^5.2.0 → ^5.34.0

Still 50 vulnerabilities present (7 Low, 30 Moderate, 13 High). These are primarily in Strapi's own dependencies and should be addressed upstream.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Checked by @TMSchipper