
chore(deps): npm audit fix — patches 3 dev-only transitive vulns#23

Merged
cote-star merged 1 commit into main from fix/security-puppeteer-devdep
Jun 3, 2026

Conversation

@cote-star
Owner

Summary

Lockfile-only refresh closing the 3 dependabot alerts on the default branch.

  Alert                Severity  Package     Fix
  GHSA-v39h-62p7-jpjc  high      fast-uri    3.1.0 → 3.1.2 (host confusion via percent-encoded authority delimiters)
  GHSA-q3j6-qgpj-74h6  high      fast-uri    3.1.0 → 3.1.2 (path traversal via percent-encoded dot segments)
  GHSA-v2v4-37r5-5v8g  medium    ip-address  10.1.0 → 10.2.0 (XSS in Address6 HTML-emitting methods)

Impact

Both chains are dev-only:

fast-uri   ← ajv         (devDep — JSON schema validator used in CI tests)
ip-address ← puppeteer   (devDep — demo-record tool, only used by maintainers)

The published agent-chorus package has zero runtime dependencies (see files: list in package.json — record_demo.js is not shipped). End users installing agent-chorus from npm or crates.io were never exposed. The alerts represented dashboard noise, not exploitable risk in any chorus-shipped code path.

Why fix anyway: keeping the security dashboard clean means future real alerts stand out instead of getting lost in known-noise.

Changes

  • package-lock.json — lockfile-only diff (14 insertions / 14 deletions).
  • No package.json edits.
  • No version bump.
  • No behavior change.

Test plan

  • npm audit → found 0 vulnerabilities (was 4: 2 high + 2 moderate)
  • cargo test --manifest-path cli/Cargo.toml → 164 pass
  • bash scripts/conformance.sh → conformance complete, Node ≡ Rust
  • chorus --version → 0.16.0 (unchanged)
  • chorus list --agent codex → works

🤖 Generated with Claude Code

Lockfile-only refresh resolves all three dependabot alerts on the
default branch:

  GHSA-v39h-62p7-jpjc  fast-uri 3.1.0 → 3.1.2  (high; host confusion)
  GHSA-q3j6-qgpj-74h6  fast-uri 3.1.0 → 3.1.2  (high; path traversal)
  GHSA-v2v4-37r5-5v8g  ip-address 10.1.0 → 10.2.0  (moderate; XSS)

Both chains are dev-only:

  fast-uri  ← ajv (devDependency, JSON-schema validator used in CI)
  ip-address ← puppeteer (devDependency, demo-record tool only)

The published agent-chorus package has zero runtime dependencies
(see `files:` list in package.json — record_demo.js is not shipped),
so end users were never exposed. The alerts were a noise-on-default-
branch signal, not exploitable in any chorus-shipped code path. This
patch keeps that signal clean so a future real alert stands out.

No package.json edit, no version bump, no behavior change. Lockfile-
only diff. Conformance + 164 cargo tests green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
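The "dev-only" argument in the PR body and the commit message rests on the shape of the lockfile graph: fast-uri and ip-address are installed, but no runtime edge from the root package reaches them. The following is an added example, not code from the PR or from the agent-chorus project, that recomputes that property from a package-lock.json (lockfileVersion 2 or 3, where `packages` maps install paths to entries) instead of trusting the `dev: true` flags npm writes. The two lockfiles inside it are constructed fixtures: the dependency names match the chains described above, while the ajv and puppeteer versions and the `some-runtime-lib` package are placeholders.

```javascript
// Added example: independent check that a lockfile package is reachable only
// through devDependencies. Not part of the PR or the agent-chorus project.
// Assumes package-lock.json v2/v3 layout: `packages[""]` is the root, other
// keys are install paths such as "node_modules/ajv".

// Resolve a dependency name from an install path the way Node's loader does:
// nearest node_modules first, then walk up the nesting.
function resolveDep(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${depName}` : `node_modules/${depName}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Breadth-first walk over runtime edges only (dependencies and
// optionalDependencies). devDependencies are deliberately not followed:
// that exclusion is exactly the claim being tested. peerDependencies are
// not followed either, which is a simplification of this example.
function runtimeReachable(lock) {
  const packages = lock.packages || {};
  const root = packages[""] || {};
  const reachable = new Set();
  const queue = [];
  const enqueue = (fromPath, deps) => {
    for (const name of Object.keys(deps || {})) {
      const target = resolveDep(packages, fromPath, name);
      if (target && !reachable.has(target)) {
        reachable.add(target);
        queue.push(target);
      }
    }
  };
  enqueue("", root.dependencies);
  enqueue("", root.optionalDependencies);
  while (queue.length) {
    const path = queue.shift();
    const entry = packages[path];
    enqueue(path, entry.dependencies);
    enqueue(path, entry.optionalDependencies);
  }
  return reachable;
}

// Every installed copy of a package name (hoisted or nested).
function installPaths(lock, name) {
  return Object.keys(lock.packages || {}).filter(
    (p) => p === `node_modules/${name}` || p.endsWith(`/node_modules/${name}`)
  );
}

// Copies of the package that a production install would actually load.
function runtimeCopies(lock, name) {
  const reachable = runtimeReachable(lock);
  return installPaths(lock, name).filter((p) => reachable.has(p)).sort();
}

// True when the package is in the lockfile but no copy is runtime-reachable.
// A package that is absent altogether is reported as false, not "dev-only".
function isDevOnly(lock, name) {
  const paths = installPaths(lock, name);
  if (paths.length === 0) return false;
  return runtimeCopies(lock, name).length === 0;
}

// Constructed fixture mirroring the two chains in the PR. Root has no
// `dependencies` at all; ajv/puppeteer versions are placeholders.
const DEV_ONLY_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "agent-chorus", devDependencies: { ajv: "^8", puppeteer: "^24" } },
    "node_modules/ajv": { version: "8.0.0", dev: true, dependencies: { "fast-uri": "^3" } },
    "node_modules/fast-uri": { version: "3.1.2", dev: true },
    "node_modules/puppeteer": { version: "24.0.0", dev: true, dependencies: { "ip-address": "^10" } },
    "node_modules/ip-address": { version: "10.2.0", dev: true },
  },
};

// Constructed counter-example: a hypothetical runtime dependency pulls in a
// nested, older fast-uri, so the same package name is NOT dev-only here even
// though the hoisted copy still carries dev: true.
const RUNTIME_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "fixture-app", dependencies: { "some-runtime-lib": "^1" }, devDependencies: { ajv: "^8" } },
    "node_modules/some-runtime-lib": { version: "1.0.0", dependencies: { "fast-uri": "^3" } },
    "node_modules/some-runtime-lib/node_modules/fast-uri": { version: "3.1.0" },
    "node_modules/ajv": { version: "8.0.0", dev: true, dependencies: { "fast-uri": "^3" } },
    "node_modules/fast-uri": { version: "3.1.2", dev: true },
  },
};

// Usage against a real lockfile: replace the fixture with
// JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")).
for (const name of ["fast-uri", "ip-address"]) {
  console.log(`${name}: dev-only=${isDevOnly(DEV_ONLY_LOCK, name)}`);
}
console.log(`counter-example runtime copies: ${runtimeCopies(RUNTIME_LOCK, "fast-uri")}`);
```

The walk mirrors what `npm ls --omit=dev` reports, but computes it from edges rather than reading the `dev` flags, so it also catches the case in the second fixture where a hoisted copy is marked dev while a nested copy of the same vulnerable package is shipped at runtime. It does not cover what ends up in the published tarball; the `files:` list in package.json is a separate check.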
@cote-star cote-star merged commit 261688c into main Jun 3, 2026
2 checks passed
@cote-star cote-star deleted the fix/security-puppeteer-devdep branch June 3, 2026 20:34
