
security: Remove vulnerable node-es-module-loader dependency (SEC-2160)

Open harekrishnarai opened this issue 7 months ago • 0 comments

Summary

This PR resolves the security vulnerability SEC-2160 by removing the vulnerable [email protected] dependency that was pulling in [email protected].

Changes Made

  1. Removed vulnerable dependency: Removed [email protected] from devDependencies
  2. Updated lang-audit script: Modified scripts/lang-audit.js to use native ES6 dynamic imports instead of the old module loader
  3. Leveraged existing infrastructure: The script already uses the esm package, enabling native import() calls

Security Impact

  • ✅ Eliminates the operational risk from [email protected]
  • ✅ Maintains all existing functionality
  • ✅ All 68 test suites pass (401 tests total)
  • ✅ The i18n:validate script continues to work correctly

Testing

  • All existing tests pass
  • The i18n validation script functions correctly with 100% coverage
  • No breaking changes introduced

This fix completely resolves the Socket security alert for [email protected] while maintaining backward compatibility.

harekrishnarai, Jun 11 '25 08:06