dostulata/initiative
1
0
Fork 0
Code Issues 5 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
934d98025e075e064ea05e145225796290126114
initiative/package.json
T
Lukas 934d98025e chore(deps): suppress two new unreachable undici advisories 
GHSA-vxpw-j846-p89q (WebSocket DoS via fragment count bypass) and
GHSA-hm92-r4w5-c3mj (SOCKS5 proxy pool cross-origin reuse) just
landed in the registry. Both are fixed in undici>=7.28.0 and both
sit in code paths we don't exercise from tests (no WebSocket
client, no SOCKS5 proxy). Same blocker as GHSA-vmh5-mc38-953g:
jsdom@29.1.1 reaches into undici 7's private module layout, so
we can't move the pin to 7.28+. Added them to the existing
ignoreGhsas list and consolidated the per-entry notes.
2026-06-19 16:51:56 +02:00

54 lines
2.4 KiB
JSON
Raw Blame History

{
"private": true,
"packageManager": "pnpm@10.32.1+sha512.a706938f0e89ac1456b6563eab4edf1d1faf3368d1191fc5c59790e96dc918e4456ab2e67d613de1043d2e8c81f87303e6b40d4ffeca9df15ef1ad567348f2be",
"pnpm": {
"overrides": {
"undici": "~7.24.0",
"picomatch": ">=4.0.4"
},
"auditConfig": {
"ignoreGhsas": [
"GHSA-vmh5-mc38-953g",
"GHSA-vxpw-j846-p89q",
"GHSA-hm92-r4w5-c3mj"
],
"_ignoreGhsasNotes": {
"_shared": "All three advisories sit in undici, are reached only via jsdom in test runs, and are fixed in undici>=7.28.0. We can't move there because jsdom@29.1.1 reaches into undici 7's private module layout and crashes on the 7.28+ restructure. None of the vulnerable code paths run in our tests (no SOCKS5 proxy, no WebSocket client). Drop these entries when jsdom updates its undici pin.",
"GHSA-vmh5-mc38-953g": "SOCKS5 ProxyAgent TLS bypass — unreachable, no SOCKS5 proxy in tests.",
"GHSA-vxpw-j846-p89q": "WebSocket client DoS via fragment-count bypass — unreachable, no WS client in tests.",
"GHSA-hm92-r4w5-c3mj": "SOCKS5 proxy pool cross-origin reuse — unreachable, no SOCKS5 proxy in tests."
}
}
},
"devDependencies": {
"@biomejs/biome": "2.4.8",
"@vitest/coverage-v8": "^4.1.0",
"jscpd": "^4.0.8",
"jsinspect-plus": "^3.1.3",
"knip": "^5.88.1",
"lefthook": "^2.1.4",
"oxlint": "^1.56.0",
"oxlint-tsgolint": "^0.17.1",
"typescript": "^5.8.0",
"vitest": "^4.1.0"
},
"scripts": {
"prepare": "lefthook install",
"format": "biome format --write .",
"format:check": "biome format .",
"lint": "biome lint .",
"lint:fix": "biome lint --write .",
"typecheck": "tsc --build",
"test": "vitest run",
"test:watch": "vitest",
"knip": "knip",
"jscpd": "jscpd",
"jsinspect": "jsinspect -c .jsinspectrc apps/web/src packages/domain/src packages/application/src",
"oxlint": "oxlint --tsconfig apps/web/tsconfig.json --type-aware --deny-warnings",
"check:ignores": "node scripts/check-lint-ignores.mjs",
"check:classnames": "node scripts/check-cn-classnames.mjs",
"check:props": "node scripts/check-component-props.mjs",
"check": "pnpm audit --audit-level=high && knip && biome check . && node scripts/check-lint-ignores.mjs && node scripts/check-cn-classnames.mjs && node scripts/check-component-props.mjs && jscpd && pnpm jsinspect && tsc --build && oxlint --tsconfig apps/web/tsconfig.json --type-aware --deny warnings && vitest run"
}
}
Reference in New Issue View Git Blame Copy Permalink