Skip to content

PER-14336: Remediate npm vulnerabilities (97→10) and remove unused dependencies#619

Open
zeevmoney wants to merge 5 commits intomasterfrom
per-14336/remediate-npm-vulns
Open

PER-14336: Remediate npm vulnerabilities (97→10) and remove unused dependencies#619
zeevmoney wants to merge 5 commits intomasterfrom
per-14336/remediate-npm-vulns

Conversation

@zeevmoney
Copy link
Copy Markdown
Contributor

@zeevmoney zeevmoney commented Mar 31, 2026
edited
Loading

Summary

  • Remediate 87 of 97 npm vulnerabilities across all severity levels (2 critical, 38 high, 38 moderate, 19 low → 10 remaining)
  • Remove 5 unused dependencies (lodash, ignore-styles, postcss-preset-env, remark-gfm, @babel/register) and 1 abnormal dependency (npm)
  • Update direct dependencies (axios, playwright, Docusaurus ecosystem, react-syntax-highlighter, react-code-blocks), add npm overrides for transitive vulnerabilities
  • Add Dependabot configuration for automated npm + GitHub Actions security updates, remove stale packageManager yarn field

Linear Issue

PER-14336

What changed

Removed unused dependencies

Package Reason
lodash No imports in source code — transitive deps have their own copies
ignore-styles Zero references anywhere in the codebase
postcss-preset-env Not in any PostCSS config — only tailwindcss + autoprefixer are used
remark-gfm Docusaurus 3.x has built-in GFM support
@babel/register Commented out in docusaurus.config.js
npm Abnormal production dependency — accounts for ~25 transitive vulnerabilities

Direct dependency updates

Package From To Fixes
axios ^1.8.4 1.14.0 (pinned) CVE-2026-25639 DoS, supply chain risk
@docusaurus/* (7 pkgs) ^3.7.0 ^3.9.2 convict, serialize-js, node-forge, undici, etc.
react-syntax-highlighter ^15.6.1 ^16.1.1 prismjs XSS/DOM clobbering (6 advisories)
react-code-blocks ^0.0.9-0 ^0.1.6
@playwright/test ^1.50.0 ^1.58.2 CVE-2025-59288 SSL cert bypass

Infrastructure

  • .github/dependabot.yml — weekly npm + GitHub Actions update scanning
  • ajv@8.18.0 + ajv-formats@3.0.1 as devDependencies (fixes schema-utils@4 compatibility with Docusaurus 3.9.2)
  • npm overrides for: serialize-javascript, node-forge, cross-spawn, picomatch, minimatch
  • Removed stale packageManager: yarn@1.22.22 field (no yarn.lock exists)

Remaining vulnerabilities (10)

All in transitive dependencies with no available fix:

  • @untitaker/hyperlink (dev-only link checker): 7 vulns from bundled old axios/glob/minimatch — does not affect production
  • react-code-blocks: 3 vulns from bundled prismjs <1.30.0 — no upstream fix available

Test plan

  • npm run build — full production build succeeds
  • npm run hyperlink — 0 bad links, 0 bad anchors across 2363 files
  • npm audit — verified 10 remaining (down from 97)
  • npm ls axios — confirmed no compromised versions (1.7.9/0.8.3)
  • Removed packages have zero references in source code
  • Visual regression test on staging deployment
  • Verify Docusaurus 3.9.2 deprecation warnings (onBrokenMarkdownLinks config)

Tests

  • Build verification (production build + link check)
  • Integration tests: needed — visual regression on staging
  • Unit tests: N/A (dependency updates only, no source code changes)
  • Test infrastructure: existing CI (Argos visual regression)

Generated with Claude Code

@zeevmoney @claude
PER-14336: Remediate 87 of 97 npm vulnerabilities
0fd1d05 
- Remove `npm` from production dependencies (~25 vulns eliminated)
- Update axios 1.8.4 → 1.14.0 (pinned, fixes DoS CVE-2026-25639)
- Update lodash 4.17.21 → 4.17.23 (pinned, fixes prototype pollution)
- Update @playwright/test 1.50.0 → 1.58.2 (fixes SSL cert bypass)
- Update all @docusaurus/* packages 3.7.0 → 3.9.2
- Update react-syntax-highlighter 15.6.1 → 16.1.1 (fixes prismjs XSS)
- Update react-code-blocks 0.0.9-0 → 0.1.6
- Add npm overrides for transitive vulns (serialize-javascript, node-forge,
  cross-spawn, picomatch, minimatch)
- Add ajv@8 + ajv-formats as devDependencies to fix schema-utils@4 compat
- Remove stale packageManager field (yarn@1.22.22 with no yarn.lock)
- Add .github/dependabot.yml for automated npm + GH Actions updates

Remaining 10 vulns are in @untitaker/hyperlink (dev-only) and
react-code-blocks (bundled prismjs, no upstream fix available).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@linear
Copy link
Copy Markdown

linear bot commented Mar 31, 2026

PER-14336 Security: Remediate 97 npm vulnerabilities in docs repository

@netlify
Copy link
Copy Markdown

netlify bot commented Mar 31, 2026
edited
Loading

Deploy Preview for permitio-docs ready!

Name Link
🔨 Latest commit bb88920
🔍 Latest deploy log https://app.netlify.com/projects/permitio-docs/deploys/69d79533acbfca000839d42e
😎 Deploy Preview https://deploy-preview-619--permitio-docs.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@zeevmoney @claude
Remove 5 unused dependencies
931b7b8 
- lodash: no imports in source code (transitive deps have own copies)
- ignore-styles: zero references in codebase
- postcss-preset-env: not in any PostCSS config (only tailwindcss/autoprefixer used)
- remark-gfm: Docusaurus 3.x has built-in GFM support
- @babel/register: commented out in docusaurus.config.js

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@zeevmoney zeevmoney changed the title PER-14336: Remediate npm vulnerabilities (97→10) PER-14336: Remediate npm vulnerabilities (97→10) and remove unused dependencies Mar 31, 2026
@zeevmoney zeevmoney marked this pull request as ready for review April 3, 2026 17:29
Copilot AI review requested due to automatic review settings April 3, 2026 17:29
Copilot AI reviewed Apr 3, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR reduces npm security vulnerabilities and simplifies the dependency graph by upgrading key packages, removing unused/abnormal dependencies, adding npm overrides for vulnerable transitive deps, and introducing Dependabot for ongoing automated updates.

Changes:

  • Upgraded Docusaurus, axios, Playwright, and code-highlighting packages; removed several unused dependencies.
  • Added npm overrides entries to remediate vulnerable transitive dependencies.
  • Added .github/dependabot.yml to enable weekly npm and GitHub Actions update scanning.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.

File Description
package.json Dependency upgrades/removals plus new npm overrides and devDependency additions.
.github/dependabot.yml Adds weekly Dependabot update configuration for npm and GitHub Actions.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@zeevmoney @claude
Fix Argos CI upload by passing ARGOS_TOKEN explicitly
fed30f8 
Newer @argos-ci/core no longer auto-detects the GitHub token
and requires an explicit ARGOS_TOKEN secret.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@argos-ci
Copy link
Copy Markdown

argos-ci bot commented Apr 9, 2026
edited
Loading

The latest updates on your projects. Learn more about Argos notifications ↗︎

Build Status Details Updated (UTC)
default (Inspect) ⚠️ Changes detected (Review) 299 changed Apr 9, 2026, 12:13 PM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@zeevmoney