chore(deps): suppress two new unreachable undici advisories
GHSA-vxpw-j846-p89q (WebSocket DoS via fragment count bypass) and GHSA-hm92-r4w5-c3mj (SOCKS5 proxy pool cross-origin reuse) just landed in the registry. Both are fixed in undici>=7.28.0 and both sit in code paths we don't exercise from tests (no WebSocket client, no SOCKS5 proxy). Same blocker as GHSA-vmh5-mc38-953g: jsdom@29.1.1 reaches into undici 7's private module layout, so we can't move the pin to 7.28+. Added them to the existing ignoreGhsas list and consolidated the per-entry notes.
+7
-2
@@ -8,10 +8,15 @@
|
||||
},
|
||||
"auditConfig": {
|
||||
"ignoreGhsas": [
|
||||
"GHSA-vmh5-mc38-953g"
|
||||
"GHSA-vmh5-mc38-953g",
|
||||
"GHSA-vxpw-j846-p89q",
|
||||
"GHSA-hm92-r4w5-c3mj"
|
||||
],
|
||||
"_ignoreGhsasNotes": {
|
||||
"GHSA-vmh5-mc38-953g": "undici SOCKS5 ProxyAgent TLS bypass. Only reachable via undici/jsdom (test-time). Patched in undici>=7.28.0 but jsdom@29.1.1 reaches into undici's private module layout, so forcing 7.28+ via override breaks tests. We never use a SOCKS5 proxy in tests, so the path is unreachable. Drop this entry once jsdom updates its undici pin."
|
||||
"_shared": "All three advisories sit in undici, are reached only via jsdom in test runs, and are fixed in undici>=7.28.0. We can't move there because jsdom@29.1.1 reaches into undici 7's private module layout and crashes on the 7.28+ restructure. None of the vulnerable code paths run in our tests (no SOCKS5 proxy, no WebSocket client). Drop these entries when jsdom updates its undici pin.",
|
||||
"GHSA-vmh5-mc38-953g": "SOCKS5 ProxyAgent TLS bypass — unreachable, no SOCKS5 proxy in tests.",
|
||||
"GHSA-vxpw-j846-p89q": "WebSocket client DoS via fragment-count bypass — unreachable, no WS client in tests.",
|
||||
"GHSA-hm92-r4w5-c3mj": "SOCKS5 proxy pool cross-origin reuse — unreachable, no SOCKS5 proxy in tests."
|
||||
}
|
||||
}
|
||||
},
|
||||
|
||||
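Review bot: the three `ignoreGhsas` suppressions carry no expiry or version condition; the `_shared` note says to drop them when jsdom updates its undici pin, but nothing in the config will surface that moment, so the next dependency bump is likely to inherit three silenced advisories unnoticed. Suggest recording the jsdom version the justification was checked against (the note already names jsdom@29.1.1) and a review-by date alongside `"_shared"`, and re-checking the entries whenever jsdom changes. Also worth confirming the premise that undici is "reached only via jsdom in test runs": an entry in `ignoreGhsas` silences the advisory for every path in the dependency tree, so if undici ever becomes a runtime transitive dependency the SOCKS5 and WebSocket paths would be suppressed in production as well.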