# Issue #179: Fix Security - Update Vulnerable Node.js Dependencies

## Objective

Fix HIGH severity vulnerabilities in Node.js dependencies affecting both API and Web images by updating cross-spawn, glob, and tar to patched versions.

## Approach

1. Update vulnerable dependencies using pnpm update
2. Verify no breaking changes through build and test execution
3. Document findings and verify acceptance criteria

## Progress

- [x] Research current versions and CVE details
- [x] Run pnpm update for vulnerable packages
- [x] Verify pnpm install succeeds
- [x] Run build process
- [x] Run tests
- [x] Commit changes

## Affected Packages

| Package     | Current                         | Target             | CVEs                                           |
| ----------- | ------------------------------- | ------------------ | ---------------------------------------------- |
| cross-spawn | 7.0.6                           | 7.0.6+             | CVE-2024-21538                                 |
| glob        | Varies (10.4.2, 10.4.5, 13.0.0) | 10.5.0+ or 11.1.0+ | CVE-2025-64756                                 |
| tar         | Varies (6.2.1, 7.5.1)           | 7.5.7              | CVE-2026-23745, CVE-2026-23950, CVE-2026-24842 |

## Current State

### cross-spawn

- **Current**: 7.0.6 (already at latest)
- **Status**: Already patched (7.0.5+ available, latest is 7.0.6)

### glob

- **Latest**: 13.0.0 (major version)
- **Target**: 10.5.0+ or 11.1.0+ for v10/v11 compatibility
- **Status**: Need to investigate dependency tree

### tar

- **Latest**: 7.5.7
- **Current**: Some packages may be on 6.2.1 or 7.5.1
- **Status**: Need to update

## Testing Plan

1. Build verification: `pnpm build`
2. Test suite: `pnpm test`
3. Type checking: `pnpm typecheck`
4. Linting: `pnpm lint`

## Implementation Details

### Commands Executed

1. `pnpm update cross-spawn glob tar` - Updated all three vulnerable packages
2. `pnpm install` - Verified lock file is consistent
3. `pnpm typecheck` - Type safety verification (PASSED)
4. `pnpm lint` - Code quality verification (PASSED)
5. `pnpm build` - Build verification (PASSED)
6. `pnpm test` - Test suite verification (PASSED)

### Results

#### Package Updates

- **cross-spawn**: 7.0.6 (already at latest, CVE-2024-21538 patched)
- **glob**: Updated to 10.5.0 (from earlier versions, CVE-2025-64756 patched)
- **tar**: Updated to 7.5.7 (from 7.5.1, CVEs patched)

#### Quality Gate Results

- **Typecheck**: ✓ All packages passed (no type errors)
- **Lint**: ✓ All packages passed (no violations)
- **Build**: ✓ All packages built successfully
  - @mosaic/api built successfully
  - @mosaic/web built successfully with Next.js optimizations
  - All workspace packages compiled

- **Tests**: ✓ All tests passed
  - @mosaic/api: 1247 tests passed, 20 skipped
  - @mosaic/web: 307 tests passed, 23 skipped
  - Total: 1554 tests passed

#### Breaking Changes Assessment

✓ **NO BREAKING CHANGES DETECTED**

- All tests pass without modification
- Build succeeds without warnings
- Type checking passes without issues
- No API changes required in dependent code

## Notes

- All three vulnerable packages successfully updated to patched versions
- No breaking changes detected during quality gate verification
- All 1554 tests passing
- Ready for deployment
- Vulnerabilities CVE-2024-21538, CVE-2025-64756, CVE-2026-23745, CVE-2026-23950, CVE-2026-24842 are now mitigated