
Resolved fixable npm audit vulnerabilities #338

Merged
som-sewardr1 merged 6 commits into master from 20260219-audit-fixes
Feb 23, 2026

Conversation

@rseward rseward commented Feb 19, 2026

Reduced vulnerabilities from 83 → 57; upgraded axios, cypress, wait-on; removed unused faker and lodash.template; applied non-breaking audit fixes.

  • Upgraded axios 0.21.4 -> 1.13.5 (fixes SSRF/credential leakage)
  • Upgraded cypress 12.17.4 -> 15.10.0 (fixes critical @cypress/request SSRF)
  • Upgraded wait-on 3.3.0 -> 9.0.4 (fixes tough-cookie prototype pollution)
  • Removed unused lodash.template (command injection, no upstream fix)
  • Removed unused faker 6.6.6 (malicious/corrupted package)
  • Applied npm audit fix: @babel/helpers, @babel/runtime, node-forge, on-headers, prismjs, qs

Description

Reminders

  • Did you bump the version in package.json so that releases to npm are
    made without version conflict?
    • Did you also run npm install to update the version number in the package.lock?
  • If you'd like to see this code deployed after merge, don't forget to cut a release in this repo, then update the package versions in discovery-ui
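The description above splits the audit output three ways: advisories `npm audit fix` clears in place, fixes that cross a major version (cypress, wait-on, axios here), and packages with no upstream fix that were simply removed. The script below, added here as an example and not code from the PR or the repository, performs that split on an `npm audit --json` report (npm 7+ format, `auditReportVersion: 2`) and lists what would still block a CI gate at a chosen severity. The sample report is constructed with placeholder package names; the real report is read from a file path given on the command line.

```javascript
// Added example, not the project's code. Triage an `npm audit --json` report.
// SAMPLE_AUDIT is constructed: placeholder packages, not this repo's audit.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'demo-http': {
      name: 'demo-http', severity: 'high', isDirect: true,
      via: [{ title: 'SSRF via absolute URL in path', severity: 'high', range: '<1.0.0' }],
      effects: [], range: '<1.0.0', nodes: ['node_modules/demo-http'],
      // A fix exists but is a semver-major bump: `npm audit fix` skips it,
      // `npm audit fix --force` takes it (and may break callers).
      fixAvailable: { name: 'demo-http', version: '1.2.0', isSemVerMajor: true },
    },
    'demo-cookie': {
      name: 'demo-cookie', severity: 'moderate', isDirect: false,
      via: [{ title: 'Prototype pollution', severity: 'moderate', range: '<4.1.3' }],
      effects: ['demo-waiter'], range: '<4.1.3', nodes: ['node_modules/demo-cookie'],
      fixAvailable: true, // in-range update, handled by plain `npm audit fix`
    },
    'demo-waiter': {
      name: 'demo-waiter', severity: 'moderate', isDirect: true,
      // A string in `via` means "vulnerable only through that dependency".
      via: ['demo-cookie'],
      effects: [], range: '<=5.0.0', nodes: ['node_modules/demo-waiter'],
      fixAvailable: true,
    },
    'demo-template': {
      name: 'demo-template', severity: 'critical', isDirect: true,
      via: [{ title: 'Command injection', severity: 'critical', range: '*' }],
      effects: [], range: '*', nodes: ['node_modules/demo-template'],
      fixAvailable: false, // no patched release: remove it or accept the risk
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 2, high: 1, critical: 1, total: 4 } },
};

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Sort every entry into: auto-fixable, fixable only with a major bump, no fix.
function triageAudit(report) {
  const out = { bySeverity: {}, rootCauses: [], safeFix: [], breakingFix: [], noFix: [], removeCandidates: [] };
  for (const [name, v] of Object.entries(report.vulnerabilities)) {
    out.bySeverity[v.severity] = (out.bySeverity[v.severity] || 0) + 1;
    // Entries carrying advisory objects in `via` are the actually vulnerable
    // packages; the rest are dependents counted because they pull those in.
    if (v.via.some((x) => typeof x === 'object')) out.rootCauses.push(name);
    if (v.fixAvailable === true) out.safeFix.push(name);
    else if (v.fixAvailable && v.fixAvailable.isSemVerMajor) out.breakingFix.push(name);
    else if (v.fixAvailable) out.safeFix.push(name); // object form, non-major
    else out.noFix.push(name);
  }
  // Direct dependencies with no fix are the removal candidates (faker, lodash.template in the PR).
  out.removeCandidates = out.noFix.filter((n) => report.vulnerabilities[n].isDirect);
  for (const k of ['rootCauses', 'safeFix', 'breakingFix', 'noFix', 'removeCandidates']) out[k].sort();
  return out;
}

// CI gate: packages at or above `minSeverity` that plain `npm audit fix` will not clear.
function blockers(report, minSeverity) {
  const t = triageAudit(report);
  const floor = SEVERITY_RANK[minSeverity];
  return [...t.breakingFix, ...t.noFix]
    .filter((n) => SEVERITY_RANK[report.vulnerabilities[n].severity] >= floor)
    .sort();
}

// Load a saved report produced by `npm audit --json > audit.json`.
function loadReport(file) {
  const fs = require('node:fs');
  return JSON.parse(fs.readFileSync(file, 'utf8'));
}

const report = process.argv[2] ? loadReport(process.argv[2]) : SAMPLE_AUDIT;
console.log(JSON.stringify(triageAudit(report), null, 2));
console.log('blockers at high and above:', blockers(report, 'high'));
```

Run it as `npm audit --json > audit.json && node triage.js audit.json`. The `rootCauses` list is the one to work from: a single unfixable advisory can inflate the headline count through every package that depends on it, which is why removing one direct dependency can drop several entries at once.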

rseward and others added 4 commits February 19, 2026 21:59
- Upgraded axios 0.21.4 -> 1.13.5 (fixes SSRF/credential leakage)
- Upgraded cypress 12.17.4 -> 15.10.0 (fixes critical @cypress/request SSRF)
- Upgraded wait-on 3.3.0 -> 9.0.4 (fixes tough-cookie prototype pollution)
- Removed unused lodash.template (command injection, no upstream fix)
- Removed unused faker 6.6.6 (malicious/corrupted package)
- Applied npm audit fix: @babel/helpers, @babel/runtime, node-forge, on-headers, prismjs, qs

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The lockfile was previously generated with Node 24 / npm 11, causing
npm ci to fail in GitHub Actions which runs Node 20.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Cypress 13+ requires explicit file extensions in cy.intercept() fixture
references. Cypress 12 auto-resolved missing extensions; the newer
versions do not, causing "execOptions.factory.call is not a function" errors
across all e2e specs.

Added .json extension to 11 fixture paths in search_page.js and
2 fixture paths in details_page.js.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@rseward rseward self-assigned this Feb 19, 2026
rseward and others added 2 commits February 19, 2026 23:33
Three related issues after upgrading from Cypress 12 to 15:

1. cypress/support/component.ts imported { mount } from 'cypress/react',
   which in Cypress 15 requires react-dom/client (React 18 API). This
   project uses React 16, causing the import to throw at startup and
   corrupting the Cypress command registry — the root cause of the
   "execOptions.factory.call is not a function" errors across all e2e specs.

2. cypress.config.ts declared a component devServer with bundler: "webpack",
   but @cypress/webpack-dev-server is not installed. Removed the component
   config block to prevent Cypress from attempting to resolve it.

3. cypress/plugins/index.js did not return config, which is required by
   Cypress 13+ setupNodeEvents.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Axios 1.x ships its library as ESM modules (import/export syntax). When
webpack 5's ProvidePlugin tries to inject require('process/browser') into
these ESM files during bundling, the resolution fails in webpack 5's ESM
module context. The result is a broken module factory in the browser bundle
which throws "TypeError: execOptions.factory.call is not a function" as an
uncaught exception during every Cypress test visit.

Root cause traced to: webpack/lib/javascript/JavascriptModulesPlugin.js
where __webpack_modules__[moduleId] was not a function for the axios module.

Fix: alias 'axios' to its pre-built browser CJS bundle
(axios/dist/browser/axios.cjs) which already handles process/browser
internally and produces no ESM/CJS resolution conflicts with webpack 5.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@som-sewardr1 som-sewardr1 commented
Let's close these CVEs.

@som-sewardr1 som-sewardr1 commented
Merging to squash CVEs.

@som-sewardr1 som-sewardr1 left a comment
Clean CVE resolution.

@som-sewardr1 som-sewardr1 merged commit f6ee434 into master Feb 23, 2026
1 check passed