
Fix npm security vulnerabilities#19

Merged
achim-k merged 1 commit into main from cursor/comlink-vulnerabilities-6f16
Feb 10, 2026

Conversation

@achim-k

@achim-k achim-k commented Feb 10, 2026

Fix npm security vulnerabilities by updating dependencies and adjusting TypeScript configuration.



- Update mocha from 10.2.0 to 10.8.2 (fixes diff, js-yaml, nanoid, serialize-javascript vulnerabilities)
- Update rollup from 3.10.1 to 3.29.5 (fixes high severity DOM Clobbering XSS vulnerability)
- Update rimraf from 4.1.2 to 4.4.1 (fixes symbolic link following issue)
- Update TypeScript from 4.9.4 to 5.7.2 (required for compatibility with newer @types/node)
- Add skipLibCheck to tsconfig.json to resolve type conflicts between DOM and Node types

All 6 vulnerabilities (1 low, 4 moderate, 1 high) have been resolved.
Tests pass with same results as main branch (2 pre-existing flaky iframe tests).

Co-authored-by: Hans-Joachim Krauch <achim-k@users.noreply.github.com>
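The PR description above lists the minimum dependency versions that close the reported advisories. The following is an added example, not code from this PR or from the comlink project: a small Node script that reads a package.json object and reports any of those packages whose declared lower bound is still below the version the PR moved to. The minimum versions are the ones stated in the PR; the two package.json objects are constructed sample input, and the `findOutdated`, `parseSemver` and `compareSemver` names are this example's own. It checks the declared floor of a range only; the authoritative check of what is actually installed remains the lockfile (`npm ls` / `npm audit`).

```javascript
// Added example (not part of the PR): verify that a package.json declares
// the patched versions from the PR description (or newer).

// Minimum versions as stated in the PR description.
const MIN_VERSIONS = {
  mocha: "10.8.2",
  rollup: "3.29.5",
  rimraf: "4.4.1",
  typescript: "5.7.2",
};

// Parse "MAJOR.MINOR.PATCH" (a leading ^, ~, = or v is ignored) into numbers.
// Returns null for specs that carry no concrete floor ("*", "latest", URLs).
function parseSemver(spec) {
  const m = /^[\^~=v]?\s*(\d+)\.(\d+)\.(\d+)/.exec(String(spec).trim());
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Negative if a < b, 0 if equal, positive if a > b (numeric, not lexical).
function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Return findings for every package in dependencies/devDependencies whose
// declared floor is below its minimum, or whose spec cannot be parsed
// (an unpinned spec gives no guarantee, so it is reported as well).
function findOutdated(pkg, minVersions = MIN_VERSIONS) {
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const [name, min] of Object.entries(minVersions)) {
    if (!(name in declared)) continue; // package not used by this project
    const have = parseSemver(declared[name]);
    if (have === null) {
      findings.push({ name, declared: declared[name], minimum: min, reason: "unparseable spec" });
    } else if (compareSemver(have, parseSemver(min)) < 0) {
      findings.push({ name, declared: declared[name], minimum: min, reason: "below minimum" });
    }
  }
  return findings;
}

// Constructed sample: devDependencies as the PR description says they were before.
const BEFORE = {
  devDependencies: { mocha: "^10.2.0", rollup: "^3.10.1", rimraf: "^4.1.2", typescript: "^4.9.4" },
};
// Constructed sample: devDependencies at the versions the PR moved to.
const AFTER = {
  devDependencies: { mocha: "^10.8.2", rollup: "^3.29.5", rimraf: "^4.4.1", typescript: "^5.7.2" },
};

if (typeof require !== "undefined" && require.main === module) {
  console.log("before:", findOutdated(BEFORE)); // four findings, all "below minimum"
  console.log("after:", findOutdated(AFTER));   // []
}
```

To run it against a real project, replace the constructed objects with `JSON.parse(fs.readFileSync("package.json", "utf8"))`; a non-empty result is the signal to re-run `npm audit` before merging.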
@cursor

cursor bot commented Feb 10, 2026

Cursor Agent can help with this pull request. Just @cursor in comments and I'll start working on changes in this branch.

@achim-k achim-k changed the title Comlink vulnerabilities Fix vulnerabilities Feb 10, 2026
@achim-k achim-k changed the title Fix vulnerabilities Fix npm security vulnerabilities Feb 10, 2026

Review comment on tsconfig.json:

```jsonc
/* Strict Type-Checking Options */
"strict": true /* Enable all strict type-checking options. */,
"skipLibCheck": true /* Skip type checking of declaration files. */,
```

@achim-k achim-k Feb 10, 2026


@cursor is this necessary? Can it be removed?


@cursor cursor bot Feb 10, 2026


Yes, skipLibCheck: true is necessary with the TypeScript upgrade. Without it, the type checking fails with these errors:

```text
error TS2430: Interface 'TextDecoder' incorrectly extends interface 'import("node:util").TextDecoder'.
error TS2430: Interface 'TextEncoder' incorrectly extends interface 'import("node:util").TextEncoder'.
```

This is a known conflict between DOM types (from lib.dom.d.ts) and Node types when using TypeScript 5.7+ with newer @types/node. The project needs both:
- DOM types: For the browser/worker environment (the core comlink functionality)
- Node types: For testing with mocha

skipLibCheck is a standard and safe solution—it only skips type checking of .d.ts declaration files in node_modules, not your actual source code. Your source code still gets full strict type checking.

Alternative: We could downgrade TypeScript back to 4.9.4, but that would prevent using mocha 10.8.2 (which requires newer TypeScript due to its dependencies), leaving us with the security vulnerabilities unfixed.


@achim-k achim-k marked this pull request as ready for review February 10, 2026 22:07
@achim-k achim-k merged commit 9c9a20c into main Feb 10, 2026
1 check passed
@achim-k achim-k deleted the cursor/comlink-vulnerabilities-6f16 branch February 10, 2026 22:38
@achim-k achim-k mentioned this pull request Feb 10, 2026
achim-k added a commit that referenced this pull request Feb 10, 2026
### Changelog
- Include cause property in communicated error fields (#17)
- Enable NPM trusted publishing with OIDC (#15)
- Fix npm security vulnerabilities (#19)
