
Triage open Dependabot vulnerabilities (20 remaining after 0.3.7) #1353

@Wirasm

Context

The push for v0.3.7 surfaced 21 open Dependabot alerts. 0.3.7 addressed one (axios CVE-2025-62718 via a root overrides bump; credit to @stefans71 in #1153), leaving 20 open across several transitive dependencies that need a triage pass.

Open alerts (as of 2026-04-22)

High (9)

| Package | CVE / GHSA | Summary |
| --- | --- | --- |
| axios | CVE-2026-25639 | DoS via __proto__ key in mergeConfig |
| flatted | CVE-2026-33228 | Prototype pollution via parse() |
| lodash | CVE-2026-4800 | Code injection via _.template imports key names |
| minimatch | CVE-2026-27903 | ReDoS via multiple non-adjacent GLOBSTAR segments (×2 manifests) |
| path-to-regexp | CVE-2026-4926 | DoS via sequential optional groups |
| undici | CVE-2026-1526 | Unbounded memory consumption in WebSocket permessage-deflate |
| undici | CVE-2026-1528 | Malicious WebSocket 64-bit length overflows parser |
| undici | CVE-2026-2229 | Unhandled exception in WebSocket client (invalid server_max_window_bits) |

Medium (11)

| Package | CVE / GHSA | Summary |
| --- | --- | --- |
| axios | CVE-2026-40175 | Unrestricted cloud-metadata exfiltration via header injection |
| follow-redirects | GHSA-r4q5-vmmm-2653 | Leaks custom auth headers on cross-domain redirect |
| lodash | CVE-2025-13465 | Prototype pollution in _.unset / _.omit |
| lodash | CVE-2026-2950 | Prototype pollution via array-path bypass in _.unset / _.omit |
| path-to-regexp | CVE-2026-4923 | ReDoS via multiple wildcards |
| picomatch | CVE-2026-33672 | Method injection in POSIX character classes |
| qs | CVE-2025-15284 | DoS via arrayLimit bracket-notation bypass |
| undici | CVE-2026-1525 | CRLF injection via upgrade option |
| undici | CVE-2026-1527 | HTTP request/response smuggling |
| undici | CVE-2026-22036 | Unbounded decompression chain in Fetch API Content-Encoding |

Low (1)

| Package | CVE / GHSA | Summary |
| --- | --- | --- |
| qs | CVE-2026-2391 | DoS via arrayLimit comma-parsing bypass |

What to do

For each alert, decide between:

  1. Override at root overrides (like we did for axios in #1153, "fix: override axios to ^1.15.0 for CVE-2025-62718") — cleanest when the transitive dep's fixed version is semver-compatible with the ranges our direct deps declare for it.
  2. Bump the direct dep that pulls in the vulnerable transitive — when the transitive is gated by a stale direct dep (e.g. an old @slack/*, drizzle, hono, vite, etc.) whose declared range excludes the fixed version.
  3. Accept and dismiss — when the vulnerable code path is not reachable in our runtime (e.g. a dev-only dep used in tests). Dismiss in the Dependabot UI with a clear reason so the audit trail is preserved.

Suggested batching: do all undici alerts together (shared direct ancestor), all lodash together, all axios together. minimatch / picomatch / path-to-regexp / qs / flatted / follow-redirects are likely transitive through tooling (eslint, vite, etc.) and may be dev-only.

Verification

  • bun install after each override should not change direct-dep versions
  • bun run validate must still pass
  • GitHub security tab confirms the alerts close on next dependency graph refresh

Dashboard: https://github.com/coleam00/Archon/security/dependabot

Metadata


Labels

  • P1: High priority - Address soon, next in queue
  • area: infra: Docker, deployment, CI/CD
  • effort/high: Cross-cutting changes, multiple domains, requires design decisions
  • security: Security vulnerabilities and hardening
