Skip to content

security: vulnerability remediation#200

Merged
ulziibay-kernel merged 1 commit intomainfrom
security/vuln-remediation
Apr 2, 2026
Merged

security: vulnerability remediation#200
ulziibay-kernel merged 1 commit intomainfrom
security/vuln-remediation

Conversation

@kernel-internal
Copy link
Copy Markdown
Contributor

@kernel-internal kernel-internal bot commented Apr 2, 2026
edited by cursor bot
Loading

Vulnerability Remediation — 2026-04-02

Fixed

CVE Package Severity Old Version New Version Manifest
CVE-2025-7783 form-data warn 4.0.0 4.0.5 images/chromium-headful/client/package-lock.json

Skipped (non-actionable)

Alert Type Package Severity Reason
criticalCVE @babel/traverse warn Dev-only transitive dependency in the headful client build toolchain (dev: true in the lockfile); not deployed to production.

Deferred (needs human review)

None.

Verification

  • npm run build in images/chromium-headful/client
  • No test script exists in images/chromium-headful/client/package.json
  • Post-fix Socket rescan reports only the skipped dev-only @babel/traverse alert

Made with Cursor

Note

Medium Risk
Updates axios and related transitive packages (form-data, follow-redirects, proxy-from-env, and new helpers) which can subtly affect HTTP request/redirect/proxy behavior in the headful client.

Overview
Updates the headful Chromium client’s HTTP dependency stack for vulnerability remediation.

Bumps axios to ^1.14.0 in package.json and refreshes package-lock.json, pulling in newer transitive versions (notably form-data@4.0.5, follow-redirects@1.15.11, proxy-from-env@2.1.0) and additional small helper packages recorded in the lockfile.

Written by Cursor Bugbot for commit 21b39a5. This will update automatically on new commits. Configure here.

@kernel-internal
security: vulnerability remediation (2026-04-02)
21b39a5 
Upgrade the headful client's axios dependency so its transitive form-data package resolves past CVE-2025-7783.

- bump images/chromium-headful/client axios from ^1.2.3 to ^1.14.0
- update form-data in the client lockfile from 4.0.0 to 4.0.5

Made-with: Cursor
@socket-security
Copy link
Copy Markdown

socket-security bot commented Apr 2, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addednpm/​resize-observer-polyfill@​1.5.19910010075100
Addednpm/​simple-markdown@​0.7.39910010075100
Addednpm/​sweetalert2@​11.4.899989195100
Addednpm/​sass-loader@​10.4.19810010088100
Updatednpm/​axios@​1.2.6 ⏵ 1.14.091 -7100 +3110095100
Addednpm/​sass@​1.57.110010010095100

View full report

@ulziibay-kernel ulziibay-kernel self-requested a review April 2, 2026 21:49
@ulziibay-kernel ulziibay-kernel merged commit 10dd568 into main Apr 2, 2026
7 checks passed
@ulziibay-kernel ulziibay-kernel deleted the security/vuln-remediation branch April 2, 2026 21:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ulziibay-kernel ulziibay-kernel ulziibay-kernel approved these changes

Assignees

@tnsardesai tnsardesai

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ulziibay-kernel @tnsardesai