Skip to content

chore: resolve CVE security vulnerabilities via package resolutions (HIGH / CRITICAL)#198

Open
MSACC wants to merge 3 commits intomasterfrom
chore/security-updates
Open

chore: resolve CVE security vulnerabilities via package resolutions (HIGH / CRITICAL)#198
MSACC wants to merge 3 commits intomasterfrom
chore/security-updates

Conversation

@MSACC
Copy link
Collaborator

@MSACC MSACC commented Nov 24, 2025

Add package resolutions to fix all critical and high severity CVE vulnerabilities detected in dependencies.

Security fixes:

  • elliptic@^6.6.1 - Fixes critical CVE (private key extraction vulnerability)
  • glob@^10.5.0 - Fixes CVE-2025-64756 (command injection in CLI)
  • tmp@^0.2.4 - Fixes CVE-2025-54798 (arbitrary file write via symlink)
  • @babel/helpers@^7.26.10 - Fixes RegExp complexity vulnerability
  • js-yaml@^3.14.2 - Fixes prototype pollution vulnerability

Results:

  • Eliminated all critical vulnerabilities (1 → 0)
  • Eliminated all high severity vulnerabilities (4 → 0)
  • Reduced moderate vulnerabilities (33 → 11)
  • Production dependencies: only 2 low severity issues remaining

Build and ESLint checks pass successfully.

@MSACC
chore: resolve CVE security vulnerabilities via package resolutions (…
1ea62f8 
…HIGH / CRITICAL)

Add package resolutions to fix all critical and high severity CVE vulnerabilities detected in dependencies.

  Security fixes:
  - elliptic@^6.6.1 - Fixes critical CVE (private key extraction vulnerability)
  - glob@^10.5.0 - Fixes CVE-2025-64756 (command injection in CLI)
  - tmp@^0.2.4 - Fixes CVE-2025-54798 (arbitrary file write via symlink)
  - @babel/helpers@^7.26.10 - Fixes RegExp complexity vulnerability
  - js-yaml@^3.14.2 - Fixes prototype pollution vulnerability

  Results:
  - Eliminated all critical vulnerabilities (1 → 0)
  - Eliminated all high severity vulnerabilities (4 → 0)
  - Reduced moderate vulnerabilities (33 → 11)
  - Production dependencies: only 2 low severity issues remaining

  Build and ESLint checks pass successfully.
@MSACC MSACC requested a review from boazpoolman November 24, 2025 22:30
boazpoolman
boazpoolman requested changes Nov 25, 2025
View reviewed changes
Copy link
Member

@boazpoolman boazpoolman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this PR @MSACC. I've left some comments, could you address those? Apart from that it would be great if you could update all the Strapi packages as well in this PR.

boazpoolman
boazpoolman reviewed Nov 25, 2025
View reviewed changes
@MSACC
Copy link
Collaborator Author

MSACC commented Dec 1, 2025

As discussed in our call @boazpoolman we will fix the tests later. Ready for review

@MSACC
chore: add Node version management and update engine requirements
290f8c6 
Add .nvmrc file specifying Node 20.18.1 LTS for consistent development
environment. Update package.json engines to require Node 20-22 to align
with security resolution requirements and ensure compatibility.
@MSACC MSACC force-pushed the chore/security-updates branch from c50f77c to 290f8c6 Compare December 7, 2025 15:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@boazpoolman boazpoolman boazpoolman requested changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@MSACC @boazpoolman