Skip to content

chore(deps): fix all npm audit vulnerabilities (10 → 0)#85

Merged
judedanbo merged 1 commit into
mainfrom
chore/npm-audit-security-fixes
Jun 22, 2026
Merged

chore(deps): fix all npm audit vulnerabilities (10 → 0)#85
judedanbo merged 1 commit into
mainfrom
chore/npm-audit-security-fixes

Conversation

@judedanbo

Copy link
Copy Markdown
Owner

Summary

Resolves all 10 vulnerabilities reported by npm audit (4 low, 3 moderate, 3 high). Affected packages: @babel/core, esbuild, js-yaml, launch-editor, nodemailer, nuxt, tar, vite.

How

  • 7 fixed via semver-compatible updates: nuxt → 4.4.8, vite → 7.3.5, nodemailer → 8.0.11 (intermediate), plus @babel/core, js-yaml, launch-editor, tar.
  • nodemailer ^8.0.7^9.0.0: clears the remaining high (GHSA-p6gq-j5cr-w38f, the message-level raw option bypass). The codebase only uses createTransport / verify / sendMail({from,to,subject,html}) — all fully v9-compatible — and never uses the raw option the advisory concerns.
  • overrides: { esbuild: ">=0.28.1" }: clears two low esbuild advisories (GHSA-g7r4-m6w7-qqqr, dev-server-only / Windows-only) that @eslint/config-inspector and vite were pinning to a vulnerable 0.27.7.

Verification

  • npm auditfound 0 vulnerabilities
  • nuxi typecheck → clean
  • npm run build → build complete
  • ✅ Unit tests for the affected surface (email.service, smtp-check, notification.service) → 62/62 passing

Note: the production build needs a raised Node heap (NODE_OPTIONS=--max-old-space-size) on memory-constrained machines — the default ~2GB OOMs during Nitro bundling. This is pre-existing and unrelated to these dependency changes.

🤖 Generated with Claude Code

Resolves all 10 advisories reported by `npm audit` (4 low, 3 moderate,
3 high).

Auto-fixed via semver-compatible updates: nuxt 4.4.8, vite 7.3.5,
nodemailer 8.0.11 (intermediate), @babel/core, js-yaml, launch-editor,
tar.

Two required deliberate manifest changes:

- nodemailer ^8.0.7 → ^9.0.0: clears the remaining high (GHSA-p6gq, the
  message-level `raw` option bypass). The codebase only uses
  createTransport / verify / sendMail({from,to,subject,html}) — all
  v9-compatible — and never uses the `raw` option the advisory concerns.
- overrides.esbuild ">=0.28.1": clears two low esbuild advisories that
  @eslint/config-inspector and vite were pinning to 0.27.7.

Verified: `npm audit` reports 0 vulnerabilities; nuxi typecheck clean;
production build succeeds; email/SMTP/notification unit tests pass
(62/62).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@judedanbo judedanbo merged commit 3ab63ea into main Jun 22, 2026
1 check passed
@judedanbo judedanbo deleted the chore/npm-audit-security-fixes branch June 22, 2026 09:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant