chore(security): close all open Dependabot + CodeQL alerts #459
Merged
Removes the unused `to-ico` and `png-to-ico` devDependencies, which were never imported by any script but pulled in `request`, `form-data`, `qs`, `tough-cookie`, `mkdirp@0.5.1`, and old `minimist` through `jimp@0.2.x` — the source of 7 of 8 Dependabot alerts (2 critical: form-data unsafe random, minimist prototype pollution). Adds an `overrides` block forcing `esbuild ^0.25.0` to clear the last Dependabot alert (esbuild dev-server CORS, GHSA-67mh-4wv8-2f99). The vite path-traversal alert is already fixed by the installed vite 5.4.21 / 8.0.8 — Dependabot will auto-clear it on next scan.

Also fixes two CodeQL findings:

- ci.yml had no top-level permissions block (medium). Restricted to `contents: read` — the workflow only reads code and runs tests.
- estimateReadingTime in blog/posts.data.ts used a single-pass tag strip (`/<[^>]*>/g`) flagged as `js/incomplete-multi-character-sanitization` (high). Replaced with a fixed-point loop so nested / overlapping tag sequences can't leak through. The output is only used for word-count math, not rendered, so this is defensive rather than load-bearing — but clears the alert.

Build + 33 tests pass on the new lockfile.
Summary
Closes all 8 open Dependabot alerts and both open CodeQL findings on runcycles/docs.

Changes

- Remove `to-ico` + `png-to-ico` devDeps (unused by any script; grep confirms). They drag in deprecated `request@2.x` (and its transitive `form-data`/`qs`/`tough-cookie`), `mkdirp@0.5.1` → `minimist@0.0.8`, and `minimist@1.x` directly.
- `overrides: { esbuild: "^0.25.0" }` moves all `esbuild` consumers (vite via vitepress + vitest) onto the patched line.
- `vite@5.4.21` and `vite@8.0.8` already include the path-traversal patch. Dependabot will auto-clear on next scan.
- `ci.yml`: restrict `GITHUB_TOKEN` to `contents: read` (`actions/missing-workflow-permissions`, MEDIUM).
- `estimateReadingTime` HTML strip `/<[^>]*>/g` was flagged as incomplete sanitization (overlapping tag sequences could leak). Output is only used for word-count math, not rendered, so defensive — but clears the rule. (`js/incomplete-multi-character-sanitization`, HIGH)

Why

- `to-ico`/`png-to-ico` haven't been used by any script in this repo for some time — they likely date from an earlier favicon-generation flow that was replaced by `sharp` (still a dep). Removing them is purely cleanup; the deprecated `request` chain they pulled in was the source of two of the critical alerts.
- The `esbuild` override is the standard transitive-pinning play — Vite's API surface has been stable across the 0.21 → 0.25 esbuild range, and the build verifies cleanly.

Test plan

- `npm install` — 129 packages removed, no new vulns introduced
- `npm test` — 3 files, 33 tests, all pass
- `npm run build` — full vitepress build succeeds (87s)
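The tag-strip change behind the `js/incomplete-multi-character-sanitization` finding, as an added example that is not the runcycles/docs code: a single-pass strip beside a fixed-point version, both run on a constructed input where deleting an inner `<b>` reassembles an outer one. The `TAG` pattern here is an assumption, deliberately narrower than the PR's `/<[^>]*>/g` (a tag name must start with a letter) so that the leak is visible. With the PR's broad pattern a single pass already leaves no `<...>` pair behind, as the third call shows, although it does leave `b>` fragments in the text. The function names and the 200 wpm rate are assumptions as well; the project's constant is not on the page.

```typescript
// Added example, not the project's code. The narrow TAG pattern is an
// assumption chosen so that the single-pass leak is visible; the PR's own
// pattern is the broader /<[^>]*>/g.

// Narrow pattern: a tag must start with a letter after "<" or "</".
const TAG = /<\/?[a-z][a-z0-9-]*[^>]*>/gi;

// Single pass: one replace, then trust the result. Deleting a match can
// reassemble a tag from the characters around it, and that tag survives.
function stripTagsOnce(html: string, pattern: RegExp = TAG): string {
  return html.replace(pattern, "");
}

// Fixed point: replace until a pass changes nothing. The result contains no
// match of the pattern whatever the pattern is, so the regex no longer has
// to be idempotent for the strip to be complete. The pass count is bounded
// and non-convergence throws instead of returning partially stripped text.
function stripTagsFixedPoint(html: string, pattern: RegExp = TAG, maxPasses = 50): string {
  let current = html;
  for (let pass = 0; pass < maxPasses; pass++) {
    const next = current.replace(pattern, "");
    if (next === current) return current;
    current = next;
  }
  throw new Error(`stripTagsFixedPoint: no fixed point after ${maxPasses} passes`);
}

// Whitespace word count, which is all the reading-time estimate needs.
function countWords(text: string): number {
  const trimmed = text.trim();
  return trimmed === "" ? 0 : trimmed.split(/\s+/).length;
}

// Reading time in whole minutes, minimum 1. 200 wpm is an assumed rate.
function estimateReadingTime(html: string, wpm = 200): number {
  return Math.max(1, Math.ceil(countWords(stripTagsFixedPoint(html)) / wpm));
}

// Constructed input: each tag is wrapped so that removing the inner "<b>"
// leaves an outer "<b>" behind.
const NESTED = "<<b>b>bold</<b>b> text";

console.log(stripTagsOnce(NESTED));                   // "<b>bold</b> text"  (tag leaked)
console.log(stripTagsFixedPoint(NESTED));             // "bold text"
console.log(stripTagsFixedPoint(NESTED, /<[^>]*>/g)); // "b>boldb> text"  (no tag, but junk)
console.log(estimateReadingTime(NESTED));             // 1
```

The loop's value is that correctness stops depending on the pattern being idempotent, and the bounded pass count fails closed. For output that only feeds a word count this is defence in depth, as the PR says; for anything that is rendered, an HTML parser rather than a regex is the right tool.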