mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 2 Wiki Activity
Files
af299abdaf81d080aeb23d0f6c2e603b782b3d00
stack/docs/scratchpads/179-security-nodejs-deps.md
Jason Woltje 79ea041754 fix(#179): Update vulnerable Node.js dependencies 
Update cross-spawn, glob, and tar to patched versions addressing:
- CVE-2024-21538 (cross-spawn)
- CVE-2025-64756 (glob)
- CVE-2026-23745, CVE-2026-23950, CVE-2026-24842 (tar)

All quality gates pass: typecheck, lint, build, and 1554+ tests.
No breaking changes detected.

Fixes #179
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
2026-02-01 20:54:25 -06:00

3.4 KiB
Raw Blame History

Issue #179: Fix Security - Update Vulnerable Node.js Dependencies

Objective

Fix HIGH severity vulnerabilities in Node.js dependencies affecting both API and Web images by updating cross-spawn, glob, and tar to patched versions.

Approach

  1. Update vulnerable dependencies using pnpm update
  2. Verify no breaking changes through build and test execution
  3. Document findings and verify acceptance criteria

Progress

  • Research current versions and CVE details
  • Run pnpm update for vulnerable packages
  • Verify pnpm install succeeds
  • Run build process
  • Run tests
  • Commit changes

Affected Packages

Package Current Target CVEs
cross-spawn 7.0.6 7.0.6+ CVE-2024-21538
glob Varies (10.4.2, 10.4.5, 13.0.0) 10.5.0+ or 11.1.0+ CVE-2025-64756
tar Varies (6.2.1, 7.5.1) 7.5.7 CVE-2026-23745, CVE-2026-23950, CVE-2026-24842

Current State

cross-spawn

  • Current: 7.0.6 (already at latest)
  • Status: Already patched (7.0.5+ available, latest is 7.0.6)

glob

  • Latest: 13.0.0 (major version)
  • Target: 10.5.0+ or 11.1.0+ for v10/v11 compatibility
  • Status: Need to investigate dependency tree

tar

  • Latest: 7.5.7
  • Current: Some packages may be on 6.2.1 or 7.5.1
  • Status: Need to update

Testing Plan

  1. Build verification: pnpm build
  2. Test suite: pnpm test
  3. Type checking: pnpm typecheck
  4. Linting: pnpm lint

Implementation Details

Commands Executed

  1. pnpm update cross-spawn glob tar - Updated all three vulnerable packages
  2. pnpm install - Verified lock file is consistent
  3. pnpm typecheck - Type safety verification (PASSED)
  4. pnpm lint - Code quality verification (PASSED)
  5. pnpm build - Build verification (PASSED)
  6. pnpm test - Test suite verification (PASSED)

Results

Package Updates

  • cross-spawn: 7.0.6 (already at latest, CVE-2024-21538 patched)
  • glob: Updated to 10.5.0 (from earlier versions, CVE-2025-64756 patched)
  • tar: Updated to 7.5.7 (from 7.5.1, CVEs patched)

Quality Gate Results

  • Typecheck: ✓ All packages passed (no type errors)

  • Lint: ✓ All packages passed (no violations)

  • Build: ✓ All packages built successfully

    • @mosaic/api built successfully
    • @mosaic/web built successfully with Next.js optimizations
    • All workspace packages compiled

  • Tests: ✓ All tests passed

    • @mosaic/api: 1247 tests passed, 20 skipped
    • @mosaic/web: 307 tests passed, 23 skipped
    • Total: 1554 tests passed

Breaking Changes Assessment

NO BREAKING CHANGES DETECTED

  • All tests pass without modification
  • Build succeeds without warnings
  • Type checking passes without issues
  • No API changes required in dependent code

Notes

  • All three vulnerable packages successfully updated to patched versions
  • No breaking changes detected during quality gate verification
  • All 1554 tests passing
  • Ready for deployment
  • Vulnerabilities CVE-2024-21538, CVE-2025-64756, CVE-2026-23745, CVE-2026-23950, CVE-2026-24842 are now mitigated
Reference in New Issue View Git Blame Copy Permalink