Skip to content

fix(deps): resolve Dependabot alerts #657 and #658 (postcss, uuid)#236

Merged
kherembourg merged 2 commits into
mainfrom
fix/dependabot-postcss-uuid
May 4, 2026
Merged

fix(deps): resolve Dependabot alerts #657 and #658 (postcss, uuid)#236
kherembourg merged 2 commits into
mainfrom
fix/dependabot-postcss-uuid

Conversation

@kherembourg
Copy link
Copy Markdown
Contributor

@kherembourg kherembourg commented Apr 28, 2026

Summary

  • Add postcss >=8.5.10 override in test-projects/expo-purchasely-test/package.json (GHSA-qx2v-qp2m-jg93 — XSS via unescaped </style> in CSS Stringify Output)
  • Add uuid >=14.0.0 override in the same project (GHSA-w5hq-g745-h8pq — buffer bounds check in v3/v5/v6 with buf arg)
  • Lockfile resolves to postcss 8.5.12 and uuid 14.0.0; npm audit reports 0 vulnerabilities

Test plan

  • npm install --package-lock-only regenerates the lockfile cleanly
  • npm audit reports 0 vulnerabilities in the expo project
  • CI build-android, build-ios, lint, test pass

🤖 Generated with Claude Code

@kherembourg @claude
fix(deps): resolve Dependabot alerts #657 and #658
2464df2 
Add overrides in expo-purchasely-test to enforce patched floors:
- postcss >=8.5.10 (GHSA-qx2v-qp2m-jg93, XSS via unescaped </style>)
- uuid >=14.0.0 (GHSA-w5hq-g745-h8pq, buffer bounds check)

Lockfile resolves to postcss 8.5.12 and uuid 14.0.0; npm audit reports 0 vulnerabilities.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@greptile-apps
Copy link
Copy Markdown

greptile-apps Bot commented Apr 28, 2026
edited
Loading

Greptile Summary

This PR resolves Dependabot alert #657 by adding a postcss >=8.5.10 override (resolves to 8.5.12 in the lockfile), and correctly drops the uuid override that was previously flagged as incompatible with xcode's CJS require('uuid') — instead the lockfile now scopes uuid@7.0.3 under node_modules/xcode/node_modules/uuid rather than hoisting it. The approach is sound and the CI build-ios/android steps remain the final validation gate.

Confidence Score: 5/5

Safe to merge — both dependency changes are correct and the previous uuid CJS-incompatibility concern has been properly addressed.

No P0 or P1 issues found. The postcss override cleanly addresses GHSA-qx2v-qp2m-jg93, and uuid@7.0.3 is correctly scoped to xcode's local node_modules to avoid the breaking CJS change in uuid v10+.

No files require special attention.

Important Files Changed
Filename Overview
test-projects/expo-purchasely-test/package.json Adds postcss >=8.5.10 override; uuid override removed per previous review feedback — clean dependency security fix
test-projects/expo-purchasely-test/package-lock.json Lockfile updated: postcss bumped to 8.5.12, nanoid range updated to ^3.3.11 within postcss entry, and uuid@7.0.3 re-scoped to node_modules/xcode/node_modules/uuid (no longer hoisted) to avoid CJS compatibility issues

Flowchart

 
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[package.json overrides] -->|postcss override added| B["postcss@8.5.12 - GHSA-qx2v-qp2m-jg93 fixed"]
    A -->|uuid override removed| C[No top-level uuid hoisting]
    C --> D["xcode@5.0.1 - requires uuid ^7.0.3"]
    D -->|nested scoped install| E["node_modules/xcode/node_modules/uuid@7.0.3 - CJS compat preserved"]
    B --> F[npm audit: 0 vulnerabilities]
    E --> F
Loading

Reviews (2): Last reviewed commit: "fix(deps): drop uuid override (incompati..." | Re-trigger Greptile

greptile-apps[bot]
greptile-apps Bot reviewed Apr 28, 2026
View reviewed changes
Comment thread test-projects/expo-purchasely-test/package.json Outdated
@kherembourg @claude
fix(deps): drop uuid override (incompatible with xcode CJS)
91e32cd 
Greptile flagged that uuid v10+ dropped CommonJS support and v14 requires
Node ≥20, which would break the only consumer in this tree:
xcode@3.0.1 declares uuid ^7.0.3 and uses require('uuid') (CJS).

GHSA-w5hq-g745-h8pq has no patched version in the v7 range, so we
cannot satisfy both xcode and the advisory. Per Greptile's second
recommendation, accept the audit finding for this build-time dev
dependency that never processes user-supplied buf arguments.

Dependabot alert #657 will be dismissed as tolerable_risk.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@kherembourg
Copy link
Copy Markdown
Contributor Author

kherembourg commented Apr 28, 2026

Greptile P1 finding addressed in 91e32cd (push-back per option 2):

# Finding Resolution
1 uuid 7→14 may break iOS builds (xcode CJS / Node ≥20) Removed uuid override. No patched version exists in the v7 range; xcode is a build-time dev tool that uses uuid.v4() (random), not the v3/v5/v6 + buf paths in GHSA-w5hq-g745-h8pq. Dependabot alert #657 will be dismissed as tolerable_risk.
2 postcss XSS Override postcss >=8.5.10 retained — lockfile resolves to 8.5.12 (no consumer compatibility issues).

@kherembourg
Copy link
Copy Markdown
Contributor Author

kherembourg commented Apr 28, 2026

@greptileai review

@kherembourg kherembourg requested review from EPIKorial and chouaibMo May 4, 2026 12:45
@kherembourg kherembourg merged commit bff4298 into main May 4, 2026
5 checks passed
@kherembourg kherembourg deleted the fix/dependabot-postcss-uuid branch May 4, 2026 12:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

@EPIKorial EPIKorial EPIKorial approved these changes

@chouaibMo chouaibMo chouaibMo approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@kherembourg @EPIKorial @chouaibMo