65 changes: 65 additions & 0 deletions AUDIT_EXCEPTIONS.md
@@ -0,0 +1,65 @@
# Audit Exceptions

Transitive vulnerabilities suppressed via `pnpm.auditConfig.ignoreGhsas` in template `package.json` files. These are unfixable on our end — only the upstream maintainers can update their pinned transitive dependencies.

Each entry documents the GHSA, severity, affected package, dependency path, and what needs to happen upstream before the exception can be removed.

For background on the audit CI step, see [DEPENDENCY_MANAGEMENT.md](./DEPENDENCY_MANAGEMENT.md).

---

## `templates/quickstart`

All 3 exceptions trace back to `@typespec/compiler`'s transitive dependencies.

| GHSA | Severity | Package | Issue | Dependency path |
|------|----------|---------|-------|-----------------|
| GHSA-c2c7-rcm5-vvqj | Moderate | picomatch | ReDoS via extglob quantifiers | `@typespec/compiler > globby > fast-glob > micromatch > picomatch` |
| GHSA-3v7f-55p6-f55p | Moderate | picomatch | Method injection in POSIX character classes | Same path as above |
| GHSA-48c2-rrv3-qjmp | High | yaml | Stack overflow via deeply nested collections | `@typespec/compiler > yaml` |

**Remediation:** Remove these entries when `@typespec/compiler` updates `picomatch` to >=2.3.2 and `yaml` to >=2.8.3.

---

## `templates/express-js`

### via express / supertest

| GHSA | Severity | Package | Issue | Dependency path |
|------|----------|---------|-------|-----------------|
| GHSA-37ch-88jc-xwx2 | High | path-to-regexp | ReDoS via multiple route params | `express > path-to-regexp` |
| GHSA-w7fw-mjwx-w883 | Low | qs | arrayLimit bypass DoS in comma parsing | `supertest > superagent > qs` |

**Remediation:** Remove when `express` updates `path-to-regexp` to >=0.1.13 and `superagent` updates `qs` to >=6.15.1.

### via vitest

| GHSA | Severity | Package | Issue | Dependency path |
|------|----------|---------|-------|-----------------|
| GHSA-v2wj-q39q-566r | High | vite | `server.fs.deny` bypass with queries | `vitest > vite` |
| GHSA-p9ff-h696-f583 | High | vite | Arbitrary file read via dev server WebSocket | `vitest > vite` |
| GHSA-4w7w-66w2-5vf9 | Medium | vite | Path traversal in optimized deps `.map` handling | `vitest > vite` |
| GHSA-mw96-cpmx-2vgc | High | rollup | Arbitrary file write via path traversal | `vitest > vite > rollup` |
| GHSA-c2c7-rcm5-vvqj | High | picomatch | ReDoS via extglob quantifiers | `vitest > picomatch` |
| GHSA-3v7f-55p6-f55p | Medium | picomatch | Method injection in POSIX character classes | `vitest > picomatch` |

**Remediation:** Remove when `vitest` updates to `vite` >=7.3.2, `rollup` >=4.60.1, and `picomatch` >=4.0.4.

### via @typespec/compiler

| GHSA | Severity | Package | Issue |
|------|----------|---------|-------|
| GHSA-3ppc-4f35-3m26 | High | minimatch | ReDoS via repeated wildcards |
| GHSA-7r86-cg39-jmmj | High | minimatch | ReDoS via non-adjacent backtracking |
| GHSA-23c5-xmqv-rm74 | High | minimatch | ReDoS via nested extglobs |
| GHSA-83g3-92jg-28cx | High | node-tar | Arbitrary file write via hardlink/symlink chain |
| GHSA-qffp-2rhf-9h96 | High | node-tar | Hardlink path traversal via drive-relative linkpath |
| GHSA-9ppj-qmqm-q256 | High | node-tar | Symlink path traversal via drive-relative linkpath |
| GHSA-25h7-pfq9-p65f | High | flatted | Unbounded recursion DoS in `parse()` |
| GHSA-rf6f-7fwh-wjgh | High | flatted | Prototype pollution via `parse()` |
| GHSA-2g4f-4pwh-qvx6 | Medium | ajv | ReDoS when using `$data` option |
| GHSA-f886-m6hf-6m8v | Medium | brace-expansion | Zero-step sequence causes process hang |
| GHSA-48c2-rrv3-qjmp | Medium | yaml | Stack overflow via deeply nested collections |

**Remediation:** Remove when `@typespec/compiler` updates its transitive dependencies.
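Review bot: the same advisory carries different severities in different tables of this file: GHSA-c2c7-rcm5-vvqj is Moderate in the quickstart table but High in the express-js vitest table, and GHSA-48c2-rrv3-qjmp is High in quickstart but Medium under @typespec/compiler; an advisory has one severity, so use one value per GHSA and one label (Moderate or Medium) throughout. The @typespec/compiler table also drops the dependency path column that the other tables carry, and its remediation ("updates its transitive dependencies") names no target versions, unlike the quickstart section for the same package; since the trigger for removing an exception is what this file exists to record, give each row its path and each section a concrete version condition.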
1 change: 1 addition & 0 deletions DEPENDENCY_MANAGEMENT.md
Expand Up @@ -6,6 +6,7 @@
- Group minor/patch updates by manifest (e.g. `pnpm-lock.yaml` or `poetry.lock`) into a single PR
- Ignore major bumps for packages — these are handled manually to control breaking changes
- Catalog-managed deps (TypeSpec, vitest, etc.) bypass Dependabot entirely due to pnpm catalog bugs
- Suppress known transitive vulnerabilities via `pnpm.auditConfig.ignoreGhsas` — see [AUDIT_EXCEPTIONS.md](./AUDIT_EXCEPTIONS.md) for the full registry

This repo uses a split strategy for automated dependency updates: Dependabot handles most things, and a scheduled GitHub Actions workflow handles the rest. Expect roughly 3-5 dependency PRs per week in normal operation.

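Review bot: the new bullet points at the registry but says nothing about when suppressions are re-checked; each AUDIT_EXCEPTIONS.md entry carries a removal condition tied to an upstream version bump, so add a line here (or in the scheduled-workflow description below) stating that `ignoreGhsas` is re-validated whenever the catalog-managed deps listed in the previous bullet are bumped, otherwise the list only ever grows.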
40 changes: 28 additions & 12 deletions templates/express-js/package.json
Expand Up @@ -36,38 +36,54 @@
"zod": "^3.25.76"
},
"devDependencies": {
"@eslint/js": "^9.39.2",
"@eslint/js": "^9.39.4",
"@types/cors": "^2.8.19",
"@types/express": "^4.17.25",
"@types/js-yaml": "^4.0.9",
"@types/node": "^20.19.30",
"@types/node": "^20.19.39",
"@types/supertest": "^6.0.3",
"@types/swagger-ui-express": "^4.1.8",
"@types/uuid": "^10.0.0",
"@typespec/compiler": "~1.5.0",
"@typespec/http": "~1.5.0",
"@typespec/json-schema": "~1.5.0",
"@typespec/openapi": "~1.5.0",
"@typespec/openapi3": "~1.5.0",
"@typespec/rest": "~0.75.0",
"@typespec/versioning": "~0.75.0",
"@vitest/eslint-plugin": "^1.6.6",
"eslint": "^9.39.2",
"@typespec/compiler": "~1.11.0",
"@typespec/http": "~1.11.0",
"@typespec/json-schema": "~1.11.0",
"@typespec/openapi": "~1.11.0",
"@typespec/openapi3": "~1.11.0",
"@typespec/rest": "~0.81.0",
"@typespec/versioning": "~0.81.0",
"@vitest/eslint-plugin": "^1.6.15",
"eslint": "^9.39.4",
"eslint-config-prettier": "^9.1.2",
"eslint-plugin-prettier": "^5.5.5",
"prettier": "^3.8.1",
"supertest": "^7.2.2",
"tsx": "^4.21.0",
"typescript": "^5.9.3",
"typescript-eslint": "^8.54.0",
"typescript-eslint": "^8.58.1",
"vitest": "^3.2.4"
},
"pnpm": {
"auditConfig": {
"//ignoreGhsas": "See AUDIT_EXCEPTIONS.md for details on each suppressed advisory",
"ignoreGhsas": [
"GHSA-3ppc-4f35-3m26",
"GHSA-83g3-92jg-28cx",
"GHSA-2g4f-4pwh-qvx6",
"GHSA-mw96-cpmx-2vgc",
"GHSA-7r86-cg39-jmmj",
"GHSA-23c5-xmqv-rm74",
"GHSA-qffp-2rhf-9h96",
"GHSA-9ppj-qmqm-q256",
"GHSA-25h7-pfq9-p65f",
"GHSA-rf6f-7fwh-wjgh",
"GHSA-37ch-88jc-xwx2",
"GHSA-c2c7-rcm5-vvqj",
"GHSA-v2wj-q39q-566r",
"GHSA-p9ff-h696-f583",
"GHSA-f886-m6hf-6m8v",
"GHSA-3v7f-55p6-f55p",
"GHSA-48c2-rrv3-qjmp",
"GHSA-4w7w-66w2-5vf9",
"GHSA-w7fw-mjwx-w883"
]
}
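Review bot: this hunk bumps `@typespec/compiler` from ~1.5.0 to ~1.11.0, yet every GHSA that AUDIT_EXCEPTIONS.md attributes to `@typespec/compiler` stays in `ignoreGhsas`; the PR should state that the list was regenerated against the bumped version, otherwise some of these suppressions may already be stale. The list is also in no discernible order; sorting it, or grouping it in the same order as the registry sections (express/supertest, vitest, @typespec/compiler), makes future additions and removals reviewable as one-line diffs and makes the 19-entry cross-check against the registry mechanical. As a nit, confirm that the `"//ignoreGhsas"` comment key is tolerated by pnpm's `auditConfig` parsing rather than silently dropped or rejected.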