
fix: upgrade vulnerable transitive deps (SECURE-2965, SECURE-3009, SECURE-3438) #307

Open
OnestarLee wants to merge 1 commit into main from fix/secure-deps-3009-2965-3438

Conversation


@OnestarLee OnestarLee commented May 26, 2026

Summary

Pin three transitive dependencies through resolutions in package.json to clear the open Semgrep / GHSA advisories on main.

| Ticket | Package | Severity | Before | After |
|---|---|---|---|---|
| SECURE-3438 | @babel/plugin-transform-modules-systemjs | High | 7.28.5 | 7.29.7 |
| SECURE-2965 | fast-xml-parser | High | 4.5.4 | 4.5.6 |
| SECURE-3009 | handlebars | High | 4.7.8 (per ticket) | 4.7.9 (already resolved) |

Why these versions

  • @babel/plugin-transform-modules-systemjs (GHSA-fv7c-fp4j-7gwp) — type confusion / code injection in SystemJS output. 7.29.4+ contains the patch; resolution to ^7.29.4 lands 7.29.7.
  • fast-xml-parser (GHSA-jmr7-xgp7-cmfj) — XML Entity Expansion DoS. Consumers (@react-native-community/cli-config-android, @react-native-community/cli-platform-apple) pin ^4.4.1, so we stay on the v4 legacy dist-tag (4.5.6) which carries the backport rather than jumping to v5.
  • handlebars (GHSA-xjpj-3mr7-gcpf) — already at 4.7.9 in yarn.lock (no action needed in this PR; included for ticket closure).

Test plan

  • yarn install succeeds with updated resolutions
  • yarn build succeeds for all packages
  • yarn test — 32 suites, 187 tests pass
  • CI green

🤖 Generated with Claude Code
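As an added check (not the PR's own code), the script below parses a v1 yarn.lock and confirms that every package named in the advisories resolves to a version at or above its patched floor, failing loudly when a package is missing from the lock entirely. The floors are taken from the PR description (7.29.4 for the Babel plugin, the first patched release it cites; 4.5.6 and 4.7.9 are the versions the PR lands on), the lockfile excerpt is constructed, and prerelease suffixes are not handled.

```javascript
const ADVISORY_FLOORS = { // patched floors taken from the PR description
  "@babel/plugin-transform-modules-systemjs": "7.29.4", // GHSA-fv7c-fp4j-7gwp
  "fast-xml-parser": "4.5.6", // GHSA-jmr7-xgp7-cmfj
  handlebars: "4.7.9", // GHSA-xjpj-3mr7-gcpf
};
// Constructed v1 yarn.lock excerpt resembling the state after this PR.
const LOCK_AFTER = `
"@babel/plugin-transform-modules-systemjs@^7.29.4":
  version "7.29.7"
"fast-xml-parser@^4.4.1", fast-xml-parser@4.5.6:
  version "4.5.6"
handlebars@^4.7.7:
  version "4.7.9"
`;
// Parse a v1 yarn.lock into Map(name -> Set of resolved versions); every resolved version must clear the floor.
function parseYarnLock(text) {
  const resolved = new Map();
  let names = [];
  for (const line of text.split("\n")) {
    if (!/^\s/.test(line) && line.endsWith(":")) {
      // Entry header: comma-separated "name@range" keys, quoted or bare; lastIndexOf("@") keeps @scope/ intact.
      names = line.slice(0, -1).split(",").map((k) => {
        const key = k.trim().replace(/^"|"$/g, "");
        return key.slice(0, key.lastIndexOf("@"));
      });
      continue;
    }
    const m = line.match(/^\s+version "([^"]+)"/); if (!m) continue;
    // Set.add returns the set, so one statement both creates and extends the entry.
    for (const name of names) resolved.set(name, (resolved.get(name) ?? new Set()).add(m[1]));
  }
  return resolved;
}
// Numeric dotted-version comparison; prerelease tags are not handled (assumption).
function versionAtLeast(actual, floor) {
  const a = actual.split(".").map(Number), f = floor.split(".").map(Number);
  for (let i = 0; i < Math.max(a.length, f.length); i++)
    if ((a[i] || 0) !== (f[i] || 0)) return (a[i] || 0) > (f[i] || 0);
  return true;
}
// One finding per (package, resolved version); a package absent from the lock is reported with version null.
function checkAdvisories(lockText, floors = ADVISORY_FLOORS) {
  const resolved = parseYarnLock(lockText), findings = [];
  for (const [name, floor] of Object.entries(floors)) {
    const versions = resolved.get(name);
    if (!versions) { findings.push({ name, version: null, ok: false }); continue; }
    for (const v of versions) findings.push({ name, version: v, ok: versionAtLeast(v, floor) });
  }
  return findings;
}
```

Run it against the real yarn.lock by reading the file into `checkAdvisories` and treating any finding with `ok: false` as a CI failure.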

…CURE-3438)

Pin transitive dependencies through `resolutions` to address:

- SECURE-3438 / GHSA-fv7c-fp4j-7gwp (High):
  @babel/plugin-transform-modules-systemjs 7.28.5 -> 7.29.7
  (type confusion / code injection in SystemJS output)

- SECURE-2965 / GHSA-jmr7-xgp7-cmfj (High):
  fast-xml-parser 4.5.4 -> 4.5.6 (latest v4 legacy line with
  XML Entity Expansion DoS backport; consumers pin ^4.4.1)

- SECURE-3009 / GHSA-xjpj-3mr7-gcpf (High):
  handlebars already at 4.7.9 in yarn.lock - verified safe.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 10.84%. Comparing base (ddde569) to head (576acaf).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #307   +/-   ##
=======================================
  Coverage   10.84%   10.84%           
=======================================
  Files         360      360           
  Lines        9084     9084           
  Branches     2578     2561   -17     
=======================================
  Hits          985      985           
  Misses       8023     8023           
  Partials       76       76           


@OnestarLee OnestarLee requested a review from bang9 May 26, 2026 10:39