
fix(deps): CLICK-973 bump up dependencies to resolve security vulnerabilities #21

Open

davidatwhiletrue wants to merge 1 commit into master from feature/CLICK-973-bump-up-dependencies

Conversation

@davidatwhiletrue (Member)

Summary

Resolves security vulnerabilities reported by GitHub Dependabot in the csprclick-react project.

Changes

  • Updated casper-js-sdk from 5.0.5 to ^5.0.12
    • Removes the vulnerable elliptic dependency and replaces it with @noble/curves
  • Added overrides in package.json for:
    • minimatch (^9.0.7)
    • brace-expansion (^2.0.3)
    • Fixes ReDoS vulnerabilities in the @nrwl/eslint-plugin-nx / nx toolchain
  • Ran npm audit fix to patch additional vulnerabilities in:
    • axios, lodash, postcss, rollup, vite, flatted, follow-redirects, js-yaml, picomatch, tmp, yaml, etc.

Verification

  • npm audit: 0 vulnerabilities remaining (was 29)
  • npm run build — ✅ passes
  • npm run lint — ✅ passes

- Update casper-js-sdk from 5.0.5 to ^5.0.12 to fix elliptic vulnerability
- Add npm overrides for minimatch (^9.0.7) and brace-expansion (^2.0.3)
- Run npm audit fix to patch axios, lodash, postcss, rollup, vite, etc.

Resolves 29 vulnerabilities (18 high, 7 moderate, 4 low).