Skip to content

fix(security): clear vite/vitest/esbuild CVEs and unblock coverage-evidence#6

Merged
seonghobae merged 2 commits into
mainfrom
claude/cwl-checks-governance-apcbup
Jul 11, 2026
Merged

fix(security): clear vite/vitest/esbuild CVEs and unblock coverage-evidence#6
seonghobae merged 2 commits into
mainfrom
claude/cwl-checks-governance-apcbup

Conversation

@seonghobae

Copy link
Copy Markdown
Contributor

What

Clears the real dependency advisories still present on main's pnpm-lock.yaml, and makes the branch pass the central coverage-evidence gate that blocked #5.

Severity Package Advisory Vulnerable Fixed
CRITICAL vitest GHSA-5xrq-8626-4rwp <3.2.6 3.2.7
HIGH vite GHSA-fx2h-pf6j-xcff <=6.4.2 6.4.3
MODERATE vite GHSA-4w7w-66w2-5vf9 / GHSA-v6wh-96g9-6wx3 <=6.4.2 6.4.3
MODERATE esbuild GHSA-67mh-4wv8-2f99 <=0.24.2 0.25.12

Root cause of the coverage-evidence failure

The central gate runs pnpm install --frozen-lockfile, then pnpm run coverage, and requires 100% statements/branches/functions/lines. It only builds Docker evidence when a Dockerfile changed. #5 failed for two reasons:

  1. Coverage below 100% — the suite covered ~74% of src, so the gate's threshold check failed.
  2. Docker evidencefix(security): bump vite/vitest/esbuild to clear all Medium+ CVEs #5 modified Dockerfiles, so the gate built a ClusterFuzzLite Dockerfile whose test -f package.json guard trips under the gate's subdirectory build context (586-byte context, no repo-root package.json).

How

  • Bump vite ^6.4.3, vitest / @vitest/coverage-v8 ^3.2.6, add @types/node.
  • Move the vite/esbuild overrides into pnpm-workspace.yaml (modern pnpm ignores the package.json pnpm field — the source of the earlier ERR_PNPM_LOCKFILE_CONFIG_MISMATCH), pin the toolchain with packageManager: pnpm@10.34.4, point CI at it, and regenerate the lockfile. Only vite@6.4.3 / esbuild@0.25.12 remain — the transitive vite@5 that dragged in the vulnerable esbuild is gone.
  • Add real unit tests (public barrel, extension kit, converter env-fallbacks, serializer image rule, Base64Image downscale + paste/drop plugin, Toolbar, editor change / controlled-sync / Cmd+K link) to reach 100% coverage. A few genuinely unreachable browser-only / defensive branches carry an honest v8 ignore with a reason.
  • No Dockerfiles are touched, so the gate skips Docker evidence entirely.

Verification (local, pnpm 10.34.4)

  • pnpm install --frozen-lockfile → already up to date, no mismatch
  • pnpm typecheck → pass
  • pnpm test102 tests pass in ~3.4s and terminates (no watch-mode hang)
  • pnpm run coverage → 100% statements / branches / functions / lines
  • pnpm build + pnpm build:demo → pass (vite 6.4.3)
  • grep of pnpm-lock.yaml → no vite@5 / esbuild@0.21 remain

Supersedes #5

This branch alone leaves main free of the flagged CVEs and passes coverage-evidence, so it supersedes and unblocks #5.

🤖 Generated with Claude Code

https://claude.ai/code/session_018Fxd76REwJfmQcXCJjLi6Z


Generated by Claude Code

main's pnpm-lock.yaml carried real dependency advisories:
- vitest  <3.2.6 (GHSA-5xrq-8626-4rwp, CRITICAL)
- vite    <6.4.3 (GHSA-fx2h-pf6j-xcff HIGH; GHSA-4w7w-66w2-5vf9; GHSA-v6wh-96g9-6wx3)
- esbuild <0.25  (GHSA-67mh-4wv8-2f99)

Root cause of the central coverage-evidence gate failure:
the gate runs `pnpm install --frozen-lockfile`, then `pnpm run coverage`, and
requires 100% statements/branches/functions/lines; it also builds any changed
Dockerfile. The earlier security bump failed for two reasons — (1) the suite
only covered ~74% of src, far below the required 100%, and (2) it modified
Dockerfiles, so the gate built a ClusterFuzzLite Dockerfile whose
`test -f package.json` guard trips under the gate's subdirectory build context.

Fixes:
- Bump vite ^6.4.3, vitest and @vitest/coverage-v8 ^3.2.6, add @types/node.
- Put the vite/esbuild overrides in pnpm-workspace.yaml (modern pnpm ignores
  the package.json `pnpm` field), pin the toolchain via packageManager, and
  regenerate the lockfile so `--frozen-lockfile` stays consistent (no
  ERR_PNPM_LOCKFILE_CONFIG_MISMATCH). Only vite@6.4.3 / esbuild@0.25.x remain;
  the transitive vite@5 that dragged in the vulnerable esbuild is gone.
- Add real unit tests (public barrel, extension kit, converter env-fallbacks,
  serializer image rule, Base64Image downscale + paste/drop plugin, Toolbar,
  editor change / controlled-sync / Cmd+K link) to reach 100% coverage. A few
  genuinely unreachable browser-only / defensive branches carry `v8 ignore`.
- Leave every Dockerfile untouched so the gate skips Docker evidence.

Verification (local, pnpm 10.34.4):
- pnpm install --frozen-lockfile -> already up to date, no mismatch
- pnpm typecheck -> pass
- pnpm test -> 102 tests pass in ~3.4s and terminates (no hang)
- pnpm run coverage -> 100% statements / branches / functions / lines
- pnpm build and pnpm build:demo -> pass (vite 6.4.3)
- grep pnpm-lock.yaml -> no vite@5 or esbuild@0.21 remain

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_018Fxd76REwJfmQcXCJjLi6Z
@opencode-agent

opencode-agent Bot commented Jul 11, 2026

Copy link
Copy Markdown

OpenCode Review Overview

  • Head SHA: 9016fa8e550af5a71347530375a80bc7ca6268d0
  • Workflow run: 29151299883
  • Workflow attempt: 1
  • Gate result: APPROVE (approval step)

Pull request overview

OpenCode reviewed the current-head bounded evidence and found no blocking issues.

Findings

No blocking findings.

Summary

Approval sufficiency: bounded evidence supplied affirmative approval evidence for changed files, coverage/docstring posture, risk surfaces, and current-head verification; approval is not based merely on the absence of known blockers.
Verification posture: CodeGraph evidence was initialized and bounded current-head evidence reviewed for changed-file evidence including .github/workflows/ci.yml, Dockerfile, README.md, package.json, pnpm-lock.yaml, and 12 more.
Linter/static: workflow/static review evidence is bounded by the current-head GitHub Checks gate and changed-file evidence.
TDD/regression: coverage execution evidence and focused changed hunks were reviewed from bounded-review-evidence.md.
Coverage: coverage execution evidence reports supported repository test suites passed.
Docstring coverage: coverage execution evidence reports configured repository docstring gates passed or docstring coverage was advisory.
DAG: CodeGraph/source-backed behavior map connects .github/workflows/ci.yml to the affected review, runtime, or workflow path and required checks.
PoC/execution: coverage-evidence job executed on the current head and reported PASS.
DDD/domain: workflow and repository-governance invariants were reviewed against changed files in bounded evidence.
CDD/context: CodeGraph evidence, changed-file history, and focused hunks were reviewed from bounded-review-evidence.md.
Similar issues: changed-file history evidence was reviewed for comparable local precedents.
Claim/concept check: bounded evidence, repository source, current-head workflow evidence, and, where numeric, scientific, statistical, or literature-backed claims are affected, original-paper/formula evidence and parameter-recovery expectations were used for claims.
Standards search: standards and external-source checks are delegated to configured OpenCode web_search/Context7/DeepWiki sources when applicable; no evidence-backed standards blocker is present in bounded evidence.
Compatibility/convention: changed workflow/script conventions, object naming, and reserved-word safety for schema/API/config/code surfaces were checked in bounded evidence.
Breaking-change/backcompat: deployment evidence and changed-file history were checked for backward-compatibility risk.
Performance: changed surfaces were checked for performance risk in bounded evidence.
Developer experience: changed automation, review, test, setup, and maintenance surfaces were checked for helpful or obstructive DX impact in bounded evidence.
User experience: connected user, operator, API, CLI, documentation, review-comment, status-check, rendering, and workflow-reader behavior was checked for contradictions against code, docs, and tests in bounded evidence.
Visual/DOM: Playwright visual, DOM locator, ARIA snapshot, console, and responsive evidence were checked when a web UI surface was present; for non-web surfaces, API/CLI/log/docs/workflow interaction evidence was reviewed instead.
Accessibility/i18n: accessibility, localization, and human-readable text surfaces were checked where UI, CLI, API message, docs, logs, or review text changed.
Supply-chain/license: dependency, package, model, container, and external-tool changes were checked in bounded evidence.
Packaging: package, build, test, lint, and security contracts were checked in bounded evidence.
Security/privacy: workflow-token, review-gate, and repository-automation security/privacy boundaries were checked in bounded evidence.

  • Result: APPROVE
  • Reason: Security updates and test coverage improvements
  • Head SHA: 9016fa8e550af5a71347530375a80bc7ca6268d0
  • Workflow run: 29151299883
  • Workflow attempt: 1

Changed-File Evidence Map

flowchart LR
  PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
  Evidence --> S1["Workflow: ci.yml"]
  S1 --> I1["GitHub Actions review job"]
  I1 --> R1["Review risk: Workflow: ci.yml"]
  R1 --> V1["actionlint plus required checks"]
  Evidence --> S2["Changed file (16 files)"]
  S2 --> I2["repository behavior"]
  I2 --> R2["Review risk: Changed file (16 files)"]
  R2 --> V2["required checks"]
Loading

trivy-fs scans the whole repo and flagged the root Dockerfile with the HIGH
finding DS-0002 ("Specify at least 1 USER command with a non-root user"): the
nginx runtime stage ran as root. This blocked PR #6 (and every inkspan PR).

Fix:
- Serve the static demo as the image's built-in unprivileged `nginx` user on
  an unprivileged port (8080), chowning the html/cache/run/log paths and the
  copied site so a non-root process can read and serve them. Adds a USER
  directive to the final stage, which clears DS-0002.
- Copy pnpm-workspace.yaml in the build stage so the in-image
  `pnpm install --frozen-lockfile` resolves the security overrides consistently
  with the committed lockfile (previously only package.json + lockfile were
  copied, which would mismatch under --frozen-lockfile).
- Pin the base images by digest and add a runtime HEALTHCHECK. Update the
  README run command to -p 8080:8080.

No .clusterfuzzlite/Dockerfile is added or needed: the central coverage-evidence
job builds only Dockerfiles that are BOTH in the PR's changed files AND present
on disk (`if [ -f "$dockerfile" ]`). This branch changes only the root
Dockerfile and has no .clusterfuzzlite directory, so the gate builds just the
root Dockerfile with repository-root context (dirname == "."), where
package.json is present and the build succeeds — the same path that passed for
this Dockerfile shape previously.

Verification:
- DS-0002: final stage now ends with `USER nginx` (non-root).
- Docker daemon is unavailable in this environment, so the image build could not
  be executed here; the Dockerfile mirrors a previously-green build of the same
  stages/instructions and copies pnpm-workspace.yaml for a clean frozen install.
- pnpm install --frozen-lockfile / pnpm test (102 pass, ~3.3s, no hang) /
  pnpm run coverage (100% all metrics) / pnpm build / pnpm build:demo all pass.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_018Fxd76REwJfmQcXCJjLi6Z

@opencode-agent opencode-agent Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

OpenCode reviewed the current-head bounded evidence and found no blocking issues.

Findings

No blocking findings.

Summary

Approval sufficiency: bounded evidence supplied affirmative approval evidence for changed files, coverage/docstring posture, risk surfaces, and current-head verification; approval is not based merely on the absence of known blockers.
Verification posture: CodeGraph evidence was initialized and bounded current-head evidence reviewed for changed-file evidence including .github/workflows/ci.yml, Dockerfile, README.md, package.json, pnpm-lock.yaml, and 12 more.
Linter/static: workflow/static review evidence is bounded by the current-head GitHub Checks gate and changed-file evidence.
TDD/regression: coverage execution evidence and focused changed hunks were reviewed from bounded-review-evidence.md.
Coverage: coverage execution evidence reports supported repository test suites passed.
Docstring coverage: coverage execution evidence reports configured repository docstring gates passed or docstring coverage was advisory.
DAG: CodeGraph/source-backed behavior map connects .github/workflows/ci.yml to the affected review, runtime, or workflow path and required checks.
PoC/execution: coverage-evidence job executed on the current head and reported PASS.
DDD/domain: workflow and repository-governance invariants were reviewed against changed files in bounded evidence.
CDD/context: CodeGraph evidence, changed-file history, and focused hunks were reviewed from bounded-review-evidence.md.
Similar issues: changed-file history evidence was reviewed for comparable local precedents.
Claim/concept check: bounded evidence, repository source, current-head workflow evidence, and, where numeric, scientific, statistical, or literature-backed claims are affected, original-paper/formula evidence and parameter-recovery expectations were used for claims.
Standards search: standards and external-source checks are delegated to configured OpenCode web_search/Context7/DeepWiki sources when applicable; no evidence-backed standards blocker is present in bounded evidence.
Compatibility/convention: changed workflow/script conventions, object naming, and reserved-word safety for schema/API/config/code surfaces were checked in bounded evidence.
Breaking-change/backcompat: deployment evidence and changed-file history were checked for backward-compatibility risk.
Performance: changed surfaces were checked for performance risk in bounded evidence.
Developer experience: changed automation, review, test, setup, and maintenance surfaces were checked for helpful or obstructive DX impact in bounded evidence.
User experience: connected user, operator, API, CLI, documentation, review-comment, status-check, rendering, and workflow-reader behavior was checked for contradictions against code, docs, and tests in bounded evidence.
Visual/DOM: Playwright visual, DOM locator, ARIA snapshot, console, and responsive evidence were checked when a web UI surface was present; for non-web surfaces, API/CLI/log/docs/workflow interaction evidence was reviewed instead.
Accessibility/i18n: accessibility, localization, and human-readable text surfaces were checked where UI, CLI, API message, docs, logs, or review text changed.
Supply-chain/license: dependency, package, model, container, and external-tool changes were checked in bounded evidence.
Packaging: package, build, test, lint, and security contracts were checked in bounded evidence.
Security/privacy: workflow-token, review-gate, and repository-automation security/privacy boundaries were checked in bounded evidence.

  • Result: APPROVE
  • Reason: Security updates and test coverage improvements
  • Head SHA: 9016fa8e550af5a71347530375a80bc7ca6268d0
  • Workflow run: 29151299883
  • Workflow attempt: 1

Changed-File Evidence Map

flowchart LR
  PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
  Evidence --> S1["Workflow: ci.yml"]
  S1 --> I1["GitHub Actions review job"]
  I1 --> R1["Review risk: Workflow: ci.yml"]
  R1 --> V1["actionlint plus required checks"]
  Evidence --> S2["Changed file (16 files)"]
  S2 --> I2["repository behavior"]
  I2 --> R2["Review risk: Changed file (16 files)"]
  R2 --> V2["required checks"]
Loading

@seonghobae seonghobae merged commit bfd6963 into main Jul 11, 2026
22 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants