From 934d98025e075e064ea05e145225796290126114 Mon Sep 17 00:00:00 2001
From: Lukas
Date: Fri, 19 Jun 2026 16:51:56 +0200
Subject: [PATCH] chore(deps): suppress two new unreachable undici advisories

GHSA-vxpw-j846-p89q (WebSocket DoS via fragment count bypass) and GHSA-hm92-r4w5-c3mj (SOCKS5 proxy pool cross-origin reuse) just landed in the registry. Both are fixed in undici>=7.28.0 and both sit in code paths we don't exercise from tests (no WebSocket client, no SOCKS5 proxy). Same blocker as GHSA-vmh5-mc38-953g: jsdom@29.1.1 reaches into undici 7's private module layout, so we can't move the pin to 7.28+. Added them to the existing ignoreGhsas list and consolidated the per-entry notes.
---
package.json | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/package.json b/package.json
index f84dfd4..c1ebd1e 100644
--- a/package.json
+++ b/package.json
@@ -8,10 +8,15 @@
  },
  "auditConfig": {
  "ignoreGhsas": [
- "GHSA-vmh5-mc38-953g"
+ "GHSA-vmh5-mc38-953g",
+ "GHSA-vxpw-j846-p89q",
+ "GHSA-hm92-r4w5-c3mj"
  ],
  "_ignoreGhsasNotes": {
- "GHSA-vmh5-mc38-953g": "undici SOCKS5 ProxyAgent TLS bypass. Only reachable via undici/jsdom (test-time). Patched in undici>=7.28.0 but jsdom@29.1.1 reaches into undici's private module layout, so forcing 7.28+ via override breaks tests. We never use a SOCKS5 proxy in tests, so the path is unreachable. Drop this entry once jsdom updates its undici pin."
+ "_shared": "All three advisories sit in undici, are reached only via jsdom in test runs, and are fixed in undici>=7.28.0. We can't move there because jsdom@29.1.1 reaches into undici 7's private module layout and crashes on the 7.28+ restructure. None of the vulnerable code paths run in our tests (no SOCKS5 proxy, no WebSocket client). Drop these entries when jsdom updates its undici pin.",
+ "GHSA-vmh5-mc38-953g": "SOCKS5 ProxyAgent TLS bypass — unreachable, no SOCKS5 proxy in tests.",
+ "GHSA-vxpw-j846-p89q": "WebSocket client DoS via fragment-count bypass — unreachable, no WS client in tests.",
+ "GHSA-hm92-r4w5-c3mj": "SOCKS5 proxy pool cross-origin reuse — unreachable, no SOCKS5 proxy in tests."
  }
  }
  },
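Review bot: The three entries added to `ignoreGhsas` are unconditional, while the justification written into `_shared` rests on two facts that can change without anyone touching this file — that undici is reached only through jsdom (a test-time path) and that no test drives a WebSocket client. If this is pnpm's `auditConfig`, the ignore applies to every dependency path, so a later runtime dependency that pulls undici <7.28.0 would be silently covered by the same suppression; recording the assumption makes it re-checkable, e.g. extend `_shared` with `Assumes undici resolves only under jsdom (check with pnpm why undici) and that no test constructs window.WebSocket.` jsdom exposes `WebSocket` on the window, so "no WS client in tests" presumably refers to test code never constructing one, and any test that does would exercise the path behind GHSA-vxpw-j846-p89q — worth confirming before relying on the note. Separately, `_shared` is the first non-GHSA key inside `_ignoreGhsasNotes`; if any script iterates that map expecting GHSA ids, it may now need to skip `_`-prefixed entries.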