fix(security): resolve high-severity vulnerabilities in qs and valibot #146
Address 2 high-severity vulnerabilities identified by npm audit:

1. CVE-2025-15284 (qs): DoS via arrayLimit bypass in bracket notation
   - Added npm overrides to force qs@6.14.1
   - Upstream fix pending: cypress-io/request#97
   - Tracked in #145 for override removal once upstream releases
2. CVE-2025-66020 (valibot): ReDoS in EMOJI_REGEX
   - Updated react-router 7.9.4 → 7.11.0
   - Updated @react-router/dev 7.9.4 → 7.11.0
   - These updates pull in valibot@1.2.0 (fixed version)

Both vulnerabilities affect dev dependencies only (Cypress and React Router dev tooling).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Deploying portfolio with

| Latest commit: | 0ab3570 |
|---|---|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://8ab66905.portfolio-next.pages.dev |
| Branch Preview URL: | https://fix-security-vulnerabilities.portfolio-next.pages.dev |

Deploying with

| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
|---|---|---|---|---|
| ✅ Deployment successful! | portfolio-feature-flags | 0ab3570 | Commit Preview URL / Branch Preview URL | Jan 02 2026, 05:07 PM |
taearls left a comment
Summary
This PR addresses 2 high-severity security vulnerabilities identified by Dependabot and npm audit:
- CVE-2025-15284 (qs): DoS via `arrayLimit` bypass in bracket notation
- CVE-2025-66020 (valibot): ReDoS vulnerability in `EMOJI_REGEX`
Changed files: 2 files, +986 additions, -2283 deletions
Impact areas: Dev dependencies (Cypress, React Router tooling)
Review depth: Full validation
Quality Checks Results
- ✅ ESLint: `npm run lint:check` - Pass
- ✅ OxLint: `npm run oxlint:check` - Pass (3 pre-existing warnings, unrelated to this PR)
- ✅ Prettier: `npm run format:check` - Pass
- ✅ Stylelint: `npm run lint:css` - Pass
- ✅ Unit Tests: `npm run test` - Pass (289/289 tests)
- ✅ Build: `npm run build` - Pass
- ⏭️ E2E Tests: Skipped (no UI changes, dependency-only update)
Code Review Findings
✅ Positive Observations
- Appropriate fix strategy: Using npm `overrides` for the qs vulnerability is the correct approach when upstream hasn't released a fix yet
- Minimal changes: Only package.json modified with version bumps and overrides section
- Good documentation: PR description clearly explains the vulnerabilities, root causes, and fixes
- Follow-up tracking: Issue #145 created to track removal of the override once upstream merges
Security Verification
```
$ npm audit
found 0 vulnerabilities

$ npm ls qs valibot
├─┬ @react-router/dev@7.11.0
│ └── valibot@1.2.0 ← Fixed (was 1.1.0)
└─┬ cypress@15.8.1
  └─┬ @cypress/request@3.0.9
    └── qs@6.14.1 overridden ← Fixed (was 6.14.0)
```
Security Review
- ✅ No exposed secrets in code or commit history
- ✅ Dependencies updated to patched versions
- ✅ Both vulnerabilities are in dev dependencies only (no production impact)
- ✅ Override is scoped appropriately (only affects qs)
Testing Analysis
- Coverage: All 289 existing tests pass
- Risk assessment: Low - these are patch/minor version updates to dev dependencies
- react-router 7.9.4 → 7.11.0: No breaking changes in this range (verified via changelog)
Recommendations
No changes required. The implementation is clean and follows best practices for addressing transitive dependency vulnerabilities.
Minor note for future: Once cypress-io/request#97 is merged and released, the overrides section can be removed (tracked in #145).
Approval Status
✅ LGTM - Ready to merge
Reasoning:
- Both high-severity vulnerabilities are properly addressed
- All quality checks pass
- Minimal, focused changes with clear documentation
- Follow-up tracking in place for override removal
Review completed using: npm run lint:check, npm run oxlint:check, npm run format:check, npm run lint:css, npm run test, npm run build, npm audit
Reviewed by: Claude Code Agent
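A script that repeats the reviewer's `npm ls qs valibot` check mechanically, as an added example that is not part of this PR or its project. It walks the JSON form of `npm ls --all --json` (a constructed sample tree stands in for the real output), flags every resolved copy of qs or valibot that is below the fixed versions named in the PR, and prints the `overrides` entry that would pin them. The `FIXED_VERSIONS` table, the sample tree and the helper names are the example's own assumptions.

```javascript
// Added example, not code from this PR or from qs/valibot: walk the JSON form of
// `npm ls --all --json` and report every resolved copy of a package whose version
// is below the release the PR names as fixed. The package names and fixed versions
// come from the PR; the dependency tree below is a constructed sample that mirrors
// the reviewer's `npm ls qs valibot` output before the fix.

// Minimum fixed versions named in the PR. Anything lower is still affected.
const FIXED_VERSIONS = {
  qs: "6.14.1",     // CVE-2025-15284: arrayLimit bypass in bracket notation
  valibot: "1.2.0", // CVE-2025-66020: ReDoS in EMOJI_REGEX
};

// Constructed sample in the shape npm prints for `npm ls --all --json`,
// trimmed to the two paths that matter for this PR.
const SAMPLE_TREE = {
  name: "portfolio",
  dependencies: {
    "@react-router/dev": {
      version: "7.9.4",
      dependencies: { valibot: { version: "1.1.0" } },
    },
    cypress: {
      version: "15.8.1",
      dependencies: {
        "@cypress/request": {
          version: "3.0.9",
          dependencies: { qs: { version: "6.14.0" } },
        },
      },
    },
  },
};

// Parse "6.14.0", "v6.14.0" or "6.14.0-beta.1" into numeric components.
// Pre-release tags are dropped, which is enough for the >= check done here.
function parseVersion(version) {
  return version.replace(/^v/, "").split("-")[0].split(".").map(Number);
}

// Numeric per-component comparison: -1 if a < b, 0 if equal, 1 if a > b.
// A missing component counts as 0, so "6.14" equals "6.14.0".
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Depth-first walk over the npm ls tree, yielding each package together with
// the chain of "name@version" segments that leads to it.
function* walkTree(node, path = []) {
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${child.version}`];
    yield { name, version: child.version, path: here };
    yield* walkTree(child, here);
  }
}

// Every copy of a tracked package that resolves below its fixed version.
function findVulnerable(tree, fixed = FIXED_VERSIONS) {
  const findings = [];
  for (const pkg of walkTree(tree)) {
    const minimum = fixed[pkg.name];
    if (minimum && pkg.version && compareVersions(pkg.version, minimum) < 0) {
      findings.push({ ...pkg, fixed: minimum });
    }
  }
  return findings;
}

// The `overrides` object for package.json that makes npm resolve each affected
// package to its fixed version wherever it appears in the tree. The PR only
// needed this for qs; valibot was fixed by bumping react-router instead.
function buildOverrides(findings) {
  const overrides = {};
  for (const finding of findings) overrides[finding.name] = finding.fixed;
  return overrides;
}

if (typeof require !== "undefined" && require.main === module) {
  const findings = findVulnerable(SAMPLE_TREE);
  for (const f of findings) {
    console.log(`${f.path.join(" > ")}  needs >= ${f.fixed}`);
  }
  console.log(JSON.stringify({ overrides: buildOverrides(findings) }, null, 2));
}
```

Run it with `node check-deps.js`; to use it on a real tree, replace `SAMPLE_TREE` with `JSON.parse(require("node:fs").readFileSync(0, "utf8"))` and pipe in `npm ls --all --json`. Prefer bumping the direct dependency when a fixed release exists, as the PR did for react-router, and reserve `overrides` for packages an upstream still pins; remove the override once upstream releases, which the PR tracks in #145.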
Summary
Vulnerabilities Addressed
Changes
qs (Dependabot #27)
- `arrayLimit` bypass allows DoS via memory exhaustion
- `@cypress/request@3.0.9` pins `qs@6.14.0`
- `overrides` in package.json to force `qs@6.14.1`
- `qs` to v6.14.1: cypress-io/request#97

valibot

- `EMOJI_REGEX` validation
- `@react-router/dev@7.9.4` depends on `valibot@1.1.0`
- `react-router` and `@react-router/dev` to 7.11.0, which depends on `valibot@^1.2.0`

Verification
Test plan
- `npm audit` returns 0 vulnerabilities

🤖 Generated with Claude Code