
Fix remaining npm audit vulnerabilities across examples#74

Closed
miguelcalderon wants to merge 2 commits into main from miguel/audit-fix-lockfiles

Conversation

@miguelcalderon
Contributor

Summary

Resolves all remaining npm audit vulnerabilities that npm audit fix couldn't handle automatically.

Changes

| Example | Before | After | Approach |
| --- | --- | --- | --- |
| Angular | 18 vulns | 0 | Fresh lockfile → Angular 21.2.6 picks up XSS fix |
| Gatsby | 21 vulns | 0 | Migrated from Gatsby (unmaintained) → Vite + React Router |
| Laravel | 7 vulns | 0 | Migrated from laravel-mix (unmaintained) → Vite + laravel-vite-plugin |
| React | 11 vulns | 0 | Migrated from CRA/react-scripts (unmaintained) → Vite |
| Salesforce | 10 low | 2 moderate ⚠️ | Removed unused sfdx-lwc-jest (no tests exist); 2 remaining from fast-xml-parser in @lwc/eslint-plugin-lwc@2.x |

Framework migrations

Three examples were using unmaintained build tools with deep, unfixable vulnerability chains:

  • Gatsby → dead project, all 21 vulns rooted in gatsby core
  • laravel-mix → replaced by Vite in modern Laravel, vulns in elliptic/crypto-browserify chain
  • react-scripts (CRA) → deprecated, vulns in jest/jsdom/node-forge chain

All three were migrated to Vite, which is the modern standard for each ecosystem.

Unfixable (Salesforce)

The 2 remaining moderate vulns (fast-xml-parser via @lwc/eslint-plugin-lwc) require migrating to eslint@9, which has cascading peer dependency conflicts across the @salesforce/* packages. This is blocked upstream.

Commits

  1. npm audit fix — lockfile updates across all examples
  2. Manual fixes — dependency upgrades and framework migrations

Run npm audit fix on all examples to resolve vulnerabilities
that have non-breaking fixes available.

- Angular: fresh lockfile resolves all 18 vulns (Angular 21.2.6)
- Gatsby: migrate from Gatsby (dead) to Vite + React Router (21 → 0 vulns)
- Laravel: migrate from laravel-mix (dead) to Vite + laravel-vite-plugin (7 → 0 vulns)
- React: migrate from create-react-app (dead) to Vite (11 → 0 vulns)
- Salesforce: remove unused sfdx-lwc-jest, upgrade eslint plugins (10 low → 2 moderate)

The 2 remaining moderate vulns in Salesforce (fast-xml-parser via @lwc/eslint-plugin-lwc)
require migrating the entire Salesforce eslint chain to eslint@9, which has cascading
peer dependency conflicts across the @salesforce/* packages.
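The policy this PR arrives at (let `npm audit fix` take the non-breaking fixes, migrate or upgrade where the fix is a breaking bump, and record the two moderate findings that are blocked upstream) can be made mechanical in CI so the accepted exceptions do not silently outlive their justification. The script below is an added example, not code from this PR or its repository. It reads `npm audit --json` output in the auditReportVersion 2 shape that npm 7+ emits, classifies each entry by its `fixAvailable` field, follows `via` down to the package that actually carries the advisory (so a carrier such as @lwc/eslint-plugin-lwc is accepted together with fast-xml-parser rather than listed separately), follows `effects` up to the direct dependency that owns the chain, and fails only on findings at or above a severity floor that are not on a time-boxed accept-list. The embedded report is constructed for the demonstration: only the fast-xml-parser → @lwc/eslint-plugin-lwc chain is taken from the PR, and the `example-*` package names, advisory titles, ranges, versions and the expiry date are placeholders, not real advisory data.

```javascript
// Added example (not from this PR or its repository): a CI gate over `npm audit --json`
// output in the auditReportVersion 2 shape emitted by npm 7+, with a time-boxed accept-list.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// `fixAvailable` is true (plain `npm audit fix` handles it), an object naming the
// package/version to move to (isSemVerMajor marks a breaking bump), or false.
function fixClass(entry) {
  const fix = entry.fixAvailable;
  if (!fix) return "none";
  return fix === true || !fix.isSemVerMajor ? "auto" : "breaking";
}

// `via` holds advisory objects on the package that is actually vulnerable and package-name
// strings on every dependent that merely carries it; follow the strings down to the roots.
function advisoryRoots(report, name, seen = new Set()) {
  const entry = report.vulnerabilities[name];
  if (!entry || seen.has(name)) return [];
  seen.add(name);
  const roots = new Set();
  for (const v of entry.via) {
    if (typeof v === "string") advisoryRoots(report, v, seen).forEach((r) => roots.add(r));
    else roots.add(name);
  }
  return [...roots].sort();
}

// `effects` points the other way, from a vulnerable package up to its dependents; walk it
// to the direct dependencies that own the chain, which is where upgrade decisions are made.
function directOwners(report, name) {
  const owners = new Set(), seen = new Set();
  (function walk(n) {
    const entry = report.vulnerabilities[n];
    if (!entry || seen.has(n)) return;
    seen.add(n);
    if (entry.isDirect || entry.effects.length === 0) owners.add(n);
    else entry.effects.forEach(walk);
  })(name);
  return [...owners].sort();
}

// npm's summary line counts carriers too, so one advisory in a transitive dep reads as
// "2 moderate"; this reproduces that count so the gate's report matches `npm audit`.
function countBySeverity(report) {
  const counts = { info: 0, low: 0, moderate: 0, high: 0, critical: 0, total: 0 };
  for (const entry of Object.values(report.vulnerabilities)) {
    counts[entry.severity] += 1;
    counts.total += 1;
  }
  return counts;
}

// policy.accept entries are { name, maxSeverity, reason, expires }; an entry lapses after
// `expires` (ISO date, compared lexically) or if npm re-grades the advisory above maxSeverity.
function gate(report, policy, today) {
  const floor = SEVERITY_RANK[policy.failAt];
  const live = policy.accept.filter((a) => a.expires > today);
  const isAccepted = (root) => live.some((a) => a.name === root &&
    SEVERITY_RANK[a.maxSeverity] >= SEVERITY_RANK[report.vulnerabilities[root].severity]);
  const findings = Object.values(report.vulnerabilities).map((entry) => {
    const roots = advisoryRoots(report, entry.name);
    return { name: entry.name, severity: entry.severity, fix: fixClass(entry), roots,
      owners: directOwners(report, entry.name), accepted: roots.length > 0 && roots.every(isAccepted) };
  });
  const failing = findings.filter((f) => SEVERITY_RANK[f.severity] >= floor && !f.accepted);
  return { ok: failing.length === 0, failing, findings };
}

// Constructed sample in npm's report shape. Only the fast-xml-parser -> @lwc/eslint-plugin-lwc
// chain comes from the PR; "example-*" names, titles, ranges and versions are placeholders.
const ph = "(placeholder)";
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "fast-xml-parser": { name: "fast-xml-parser", severity: "moderate", isDirect: false,
      via: [{ name: "fast-xml-parser", severity: "moderate", title: "constructed advisory" }],
      effects: ["@lwc/eslint-plugin-lwc"], range: ph, nodes: ["node_modules/fast-xml-parser"],
      fixAvailable: { name: "@lwc/eslint-plugin-lwc", version: ph, isSemVerMajor: true } },
    "@lwc/eslint-plugin-lwc": { name: "@lwc/eslint-plugin-lwc", severity: "moderate", isDirect: true,
      via: ["fast-xml-parser"], effects: [], range: ph, nodes: ["node_modules/@lwc/eslint-plugin-lwc"],
      fixAvailable: { name: "@lwc/eslint-plugin-lwc", version: ph, isSemVerMajor: true } },
    "example-lib": { name: "example-lib", severity: "low", isDirect: false, fixAvailable: true,
      via: [{ name: "example-lib", severity: "low", title: "constructed advisory" }],
      effects: ["example-tool"], range: ph, nodes: ["node_modules/example-lib"] },
    "example-tool": { name: "example-tool", severity: "low", isDirect: true, fixAvailable: true,
      via: ["example-lib"], effects: [], range: ph, nodes: ["node_modules/example-tool"] },
  },
  metadata: { vulnerabilities: { info: 0, low: 2, moderate: 2, high: 0, critical: 0, total: 4 } },
};

// Accept-list mirroring the PR's rationale for the Salesforce example; the date is a placeholder.
const POLICY = { failAt: "moderate", accept: [{ name: "fast-xml-parser", maxSeverity: "moderate",
  expires: "2026-06-30", reason: "fix needs eslint@9; blocked by @salesforce/* peer dependency conflicts" }] };

if (typeof require !== "undefined" && require.main === module) {
  const report = process.argv[2] ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8")) : SAMPLE_REPORT;
  const result = gate(report, POLICY, new Date().toISOString().slice(0, 10));
  for (const f of result.findings) console.log(`${f.severity.padEnd(8)} ${f.name}  fix=${f.fix}` +
    `  owners=${f.owners.join(",")}${f.accepted ? "  (accepted)" : ""}`);
  console.log(JSON.stringify(countBySeverity(report)), result.ok ? "gate: PASS" : "gate: FAIL");
}
```

Run `npm audit --json > audit.json` inside an example directory and pass the file as the first argument; with no argument the script gates the embedded sample. Capture the JSON before checking npm's own exit status, since `npm audit` exits non-zero whenever it finds anything. Two properties of the accept-list do the real work: `maxSeverity` makes an exception lapse if npm later re-grades the advisory higher, and `expires` forces the "blocked upstream" judgement to be revisited on a date instead of being carried forward indefinitely.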