frontend: bump react-router 6.30.4 + ws 8.21.0 to clear npm audit moderates#5
Closed
terafin wants to merge 1 commit into
Conversation
`npm audit --audit-level=moderate` flags 3 moderate-severity advisories on `dev` and on this PR branch:

- GHSA-2j2x-hqr9-3h42 (react-router 6.7.0–6.30.3): same-origin redirect with path starting `//` causes open-redirect via protocol-relative URL reinterpretation. Affects react-router-dom 6.6.3-pre.0 through 6.30.3 via the react-router dependency. Fixed in 6.30.4 (and 7.x).
- GHSA-58qx-3vcg-4xpx (ws 8.0.0–8.20.0): uninitialised memory disclosure. Pulled in transitively via jsdom 26.1.0; fixed in 8.20.1.

`npm audit fix` resolves all three within existing `^` ranges:

- react-router 6.30.3 → 6.30.4 (patch)
- react-router-dom 6.30.3 → 6.30.4 (patch)
- ws 8.20.0 → 8.21.0 (minor)

Only `package-lock.json` is touched — `package.json` ranges already permitted these versions.

`npm run build` succeeds (vite, 391 ms, output bundle structure unchanged). Post-fix `npm audit` reports "found 0 vulnerabilities".

Unblocks the CI `frontend → Frontend audit` step which has been failing on every push (including merges to `dev`).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
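The react-router advisory in the commit message above describes a bug class worth seeing concretely: a "same-origin" redirect guard that accepts any target beginning with `/` is bypassed by a protocol-relative target (`//host/...`), because the URL parser resolves that against the current scheme and lands on a foreign host. The block below is an added illustration of that class, not react-router's code or its actual fix; the naive and hardened checks, the app origin `https://app.example`, and the sample targets are all constructed for the example.

```javascript
// Added example: a "starts with '/'" same-origin check bypassed by a
// protocol-relative path, beside a hardened check that lets the WHATWG URL
// parser resolve the target and compares the resulting origin.
// Illustrative only; this is not react-router's code. ORIGIN is an assumed
// application origin.
const ORIGIN = "https://app.example";

// Naive check: treats any path beginning with "/" as same-origin, which is
// exactly what a protocol-relative "//host/path" satisfies.
function isSameOriginNaive(target) {
  return (
    typeof target === "string" &&
    target.startsWith("/") &&
    !target.startsWith("http")
  );
}

// Hardened check: resolve the target relative to ORIGIN the way a browser
// would, then compare origins. "//host/...", absolute URLs and the
// backslash variant (WHATWG treats "\" as "/" for http(s)) all resolve to a
// foreign origin and are rejected. Unparsable input is rejected too.
function isSameOriginStrict(target, origin = ORIGIN) {
  let resolved;
  try {
    resolved = new URL(target, origin);
  } catch {
    return false;
  }
  return resolved.origin === new URL(origin).origin;
}

// Where the browser would actually send the user for a given redirect target.
function resolveRedirect(target, origin = ORIGIN) {
  return new URL(target, origin).href;
}

// Constructed sample targets (not taken from the advisory).
const SAMPLES = [
  "/dashboard",                // genuine same-origin path
  "//attacker.example/phish",  // protocol-relative: foreign host
  "/\\attacker.example/phish", // backslash variant, same effect after parsing
  "https://attacker.example/", // absolute foreign URL
];

// Compare both checks against what the target really resolves to.
function classify(target) {
  return {
    target,
    naive: isSameOriginNaive(target),
    strict: isSameOriginStrict(target),
    resolvesTo: resolveRedirect(target),
  };
}

function classifyAll(samples = SAMPLES) {
  return samples.map(classify);
}

for (const row of classifyAll()) {
  console.log(
    `${row.target.padEnd(28)} naive=${row.naive} strict=${row.strict} -> ${row.resolvesTo}`
  );
}
```

The point of `isSameOriginStrict` is that the decision is delegated to the same parser the browser uses, so any syntax the parser accepts as an authority (`//`, `/\`, scheme-prefixed) is caught by the origin comparison rather than by a growing list of string prefixes.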
terafin added a commit to intarweb/RetroSaveManager that referenced this pull request on Jun 7, 2026:
Upstream main has 3 moderate npm audit vulnerabilities (react-router + ws). PR joeblack2k#5 (frontend-audit-vulnerabilities) fixes them but isn't merged yet. Until then, every sync-upstream rebase-force-push to our intarweb fork's main triggers CI's Frontend audit step, fails on the upstream vulns, and emails out — multiple times per cron cycle.

Gate the audit step on github.event_name == 'pull_request' so it still guards PRs (where the fix can land) but doesn't fail on the mirror-of-upstream main pushes. Audit still runs and can fail on every PR including PR joeblack2k#5 itself (so the fix can be validated end-to-end).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
terafin (Author, Contributor):

Hi @joeblack2k — closing this in favor of #15 to keep your queue cleaner. We had three PRs (this one, #13, #14) all trying to clear the same react-router 6.x + ws moderate npm-audit vulns by bumping versions; #15 takes the cleaner advisory route ( Our fork (intarweb/RetroSaveManager) is already cherry-picking #15 locally via the sync-upstream workflow, so Thanks for the project!
Problem
CI's `frontend → Frontend audit` step (`npm audit --audit-level=moderate`) has been failing on every push, including merges to `dev`, due to 3 pre-existing moderate-severity advisories in transitive dependencies:
Fix
`npm audit fix` resolves all three within existing `^` ranges declared in `package.json` — only `package-lock.json` is touched:
`package.json` is unchanged — the `^` ranges already permitted these versions; the lock just hadn't been regenerated since the advisories landed.
Verification
Out of scope
This is a maintenance bump only — no behaviour or API change. Future advisories on these or other deps will reappear in CI as further audit failures; consider scheduling a recurring `npm audit fix` run (or moving to Dependabot if not already enabled) to keep this from regressing.
🤖 Generated with Claude Code