🏥 CI FailureDependency Vulnerability Audit fails: high-severity rollup vulnerability in docs-site

[github-actions]

Summary

The "Audit Docs Site Package" job in the Dependency Vulnerability Audit workflow fails because npm audit found a high-severity vulnerability in the docs-site/ package dependencies.

Triggered by commit: b508e3f (feat(proxy): make copilot api target configurable for enterprise envi…)

Vulnerabilities Found

🔴 High Severity

Package	Range	Advisory	Fix
rollup	4.0.0 – 4.58.0	GHSA-mw96-cpmx-2vgc — Arbitrary File Write via Path Traversal	npm audit fix

🟡 Moderate Severity (15 total)

Package	Chain	Fix
lodash 4.0.0–4.17.21	@astrojs/check → @astrojs/language-server → volar-service-yaml → yaml-language-server	npm audit fix --force (breaking: upgrades @astrojs/check to 0.9.2)
lodash-es 4.0.0–4.17.22	mermaid → @mermaid-js/parser → langium → chevrotain	npm audit fix

Total: 15 vulnerabilities (1 low, 13 moderate, 1 high)

Root Cause

The rollup high-severity vulnerability (GHSA-mw96-cpmx-2vgc) was published after the current docs-site/package-lock.json was last updated. The CI audit step uses --audit-level=high, so this is correctly catching the issue.

Recommended Actions

1. Immediate fix — run npm audit fix in docs-site/ to patch rollup and lodash-es (non-breaking):

   cd docs-site
   npm audit fix

2. For lodash via @astrojs/check — evaluate whether upgrading @astrojs/check to 0.9.2 is acceptable:

   cd docs-site
   npm audit fix --force   # breaking change: `@astrojs/check` → 0.9.2

3. If @astrojs/check upgrade is not acceptable, consider adding an npm audit overrides/resolutions entry in docs-site/package.json for the lodash chain.

Failing Step

• Job: Audit Docs Site Package
• Step: "Run npm audit (fail on high/critical)" — exit code 1
• Note: The "Audit Main Package" job passed ✅ — only docs-site is affected

Generated by CI Doctor

[github-actions]

🍪 Issue Monster has assigned this to Copilot!

I've identified this issue as a good candidate for automated resolution and assigned it to the Copilot agent.

The Copilot agent will analyze the issue and create a pull request with the fix.

Om nom nom! 🍪

🍪 Om nom nom by Issue Monster

[github-actions]

Recurrence on commit f113414

This failure recurred on commit f113414 (test: add CI workflow for non-chroot integration tests (#1048)) — run 22456397267.

The same vulnerabilities persist:

• 🔴 High: rollup 4.0.0–4.58.0 — Arbitrary File Write via Path Traversal (GHSA-mw96-cpmx-2vgc) — fixable with npm audit fix
• 🟡 Moderate: lodash-es chain (mermaid → chevrotain) — fixable with npm audit fix
• 🟡 Moderate: lodash chain (via @astrojs/check) — requires npm audit fix --force (breaking)

Total: 15 vulnerabilities (1 low, 13 moderate, 1 high)

The rollup high-severity vulnerability is still unpatched and the easiest to fix. Running cd docs-site && npm audit fix should resolve it along with the lodash-es chain.

Generated by CI Doctor

[github-actions]

🍪 Issue Monster has assigned this to Copilot!

I've identified this issue as a good candidate for automated resolution and assigned it to the Copilot agent.

The Copilot agent will analyze the issue and create a pull request with the fix.

Om nom nom! 🍪

🍪 Om nom nom by Issue Monster

[github-actions]

🔁 Recurrence — Run 22456692122

The same failure recurred on commit e8c9d5fe (test: add DNS restriction enforcement tests (#1054)).

Failing job: Audit Docs Site Package
Failing step: "Run npm audit (fail on high/critical)" — exit code 1

Vulnerabilities (unchanged)

Severity	Package	Advisory	Fix
🔴 High	rollup 4.0.0–4.58.0	GHSA-mw96-cpmx-2vgc — Arbitrary File Write via Path Traversal	npm audit fix
🟡 Moderate	lodash 4.0.0–4.17.21	GHSA-xxjr-mmjv-4gpg	npm audit fix --force (breaking)
🟡 Moderate	lodash-es 4.0.0–4.17.22	GHSA-xxjr-mmjv-4gpg	npm audit fix

Total: 15 vulnerabilities (1 low, 13 moderate, 1 high)

This will continue failing on every push until rollup is patched in docs-site/. Run cd docs-site && npm audit fix to resolve the blocking high-severity issue.

Generated by CI Doctor

[github-actions]

🔁 Recurring Failure — Run 22457619049

This failure recurred on commit ee0e81da4e11d850c19f643eb21d2898d38f1003 (2026-02-26).

Same Root Cause

The "Audit Docs Site Package" job continues to fail on npm audit --audit-level=high due to:

• rollup 4.0.0–4.58.0 — GHSA-mw96-cpmx-2vgc: Arbitrary File Write via Path Traversal (high severity)
• lodash 4.0.0–4.17.21 — GHSA-xxjr-mmjv-4gpg: Prototype Pollution in _.unset/_.omit (moderate, via @astrojs/check → @astrojs/language-server → volar-service-yaml → yaml-language-server)
• lodash-es 4.0.0–4.17.22 — same Prototype Pollution issue (moderate, via mermaid → @mermaid-js/parser → langium → chevrotain)

Total: 15 vulnerabilities (1 low, 13 moderate, 1 high)

Fix Still Needed

Run in docs-site/:

cd docs-site && npm audit fix

For the lodash issue in @astrojs/check, a breaking-change fix is needed:

cd docs-site && npm audit fix --force  # installs `@astrojs/check`@0.9.2

Generated by CI Doctor

[github-actions]

🍪 Issue Monster has assigned this to Copilot!

I've identified this issue as a good candidate for automated resolution and assigned it to the Copilot agent.

The Copilot agent will analyze the issue and create a pull request with the fix.

Om nom nom! 🍪

🍪 Om nom nom by Issue Monster