
chore(deps): bump verdaccio to resolve 10 dev dep security warnings

Open serhalp opened this issue 1 month ago • 1 comment

Before:

js-yaml  4.0.0 - 4.1.0
Severity: moderate
js-yaml has prototype pollution in merge (<<) - https://github.com/advisories/GHSA-mh29-5h37-fv8m
fix available via `npm audit fix --force`
Will install [email protected], which is outside the stated dependency range
node_modules/js-yaml
  @verdaccio/config  <=8.0.0-next-8.25
  Depends on vulnerable versions of js-yaml
  node_modules/@verdaccio/config
    @verdaccio/auth  <=8.0.0-next-8.25
    Depends on vulnerable versions of @verdaccio/config
    Depends on vulnerable versions of @verdaccio/signature
    node_modules/@verdaccio/auth
      verdaccio  5.20.1 - 6.2.1 || 7.0.0-next.0 - 8.0.0-next-8.25
      Depends on vulnerable versions of @verdaccio/auth
      Depends on vulnerable versions of @verdaccio/config
      Depends on vulnerable versions of @verdaccio/middleware
      Depends on vulnerable versions of @verdaccio/signature
      Depends on vulnerable versions of @verdaccio/tarball
      Depends on vulnerable versions of @verdaccio/url
      Depends on vulnerable versions of verdaccio-audit
      node_modules/verdaccio
    @verdaccio/middleware  <=8.0.0-next-8.25
    Depends on vulnerable versions of @verdaccio/config
    Depends on vulnerable versions of @verdaccio/url
    node_modules/@verdaccio/middleware
    @verdaccio/signature  <=8.0.0-next-8.17
    Depends on vulnerable versions of @verdaccio/config
    node_modules/@verdaccio/signature
    verdaccio-audit  11.0.0-6-next.5 - 13.0.0-next-8.25
    Depends on vulnerable versions of @verdaccio/config
    node_modules/verdaccio-audit

validator  <=13.15.20
Severity: high
validator.js has a URL validation bypass vulnerability in its isURL function - https://github.com/advisories/GHSA-9965-vmph-33xx
Validator is Vulnerable to Incomplete Filtering of One or More Instances of Special Elements - https://github.com/advisories/GHSA-vghf-hv5q-vc2g
fix available via `npm audit fix --force`
Will install [email protected], which is outside the stated dependency range
node_modules/validator
  @verdaccio/url  <=13.0.0-next-8.24
  Depends on vulnerable versions of validator
  node_modules/@verdaccio/url
    @verdaccio/tarball  <=13.0.0-next-8.24
    Depends on vulnerable versions of @verdaccio/url
    node_modules/@verdaccio/tarball

10 vulnerabilities (5 moderate, 5 high)

After:

audited 1450 packages in 1s

found 0 vulnerabilities

The override is also no longer needed.

serhalp avatar Dec 04 '25 13:12 serhalp
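Added illustration, not code from the PR or the verdaccio project: the dev-dependency tree from the audit output above, modelled so that severity is propagated upward to show where the "5 moderate, 5 high" split in the summary line comes from. The propagation rule (a package flagged only because it "Depends on vulnerable versions of" others takes the highest severity among those dependencies) is an assumption about npm's reporting that matches the counts on the page.

```javascript
// Severity ordering used when a package inherits from several vulnerable deps.
const SEVERITY_RANK = { low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed from the audit listing in the PR description (tree before the bump).
// Packages with their own advisory carry a severity directly.
const DIRECT_ADVISORIES = {
  'js-yaml': 'moderate',
  validator: 'high',
};
// Transitively affected packages and the vulnerable packages they depend on.
const VULNERABLE_DEPS = {
  '@verdaccio/config': ['js-yaml'],
  '@verdaccio/auth': ['@verdaccio/config', '@verdaccio/signature'],
  verdaccio: ['@verdaccio/auth', '@verdaccio/config', '@verdaccio/middleware',
              '@verdaccio/signature', '@verdaccio/tarball', '@verdaccio/url',
              'verdaccio-audit'],
  '@verdaccio/middleware': ['@verdaccio/config', '@verdaccio/url'],
  '@verdaccio/signature': ['@verdaccio/config'],
  'verdaccio-audit': ['@verdaccio/config'],
  '@verdaccio/url': ['validator'],
  '@verdaccio/tarball': ['@verdaccio/url'],
};

// Effective severity of one package: its own advisory, or (assumed rule) the
// highest severity among its vulnerable dependencies. Memoised; cycles return null.
function effectiveSeverity(pkg, memo = new Map(), stack = new Set()) {
  if (DIRECT_ADVISORIES[pkg]) return DIRECT_ADVISORIES[pkg];
  if (memo.has(pkg)) return memo.get(pkg);
  if (stack.has(pkg)) return null;
  stack.add(pkg);
  let best = null;
  for (const dep of VULNERABLE_DEPS[pkg] || []) {
    const s = effectiveSeverity(dep, memo, stack);
    if (s && (!best || SEVERITY_RANK[s] > SEVERITY_RANK[best])) best = s;
  }
  stack.delete(pkg);
  memo.set(pkg, best);
  return best;
}

// Count affected packages per severity, the way the audit summary line does.
function summarize() {
  const counts = {};
  const pkgs = new Set([...Object.keys(DIRECT_ADVISORIES), ...Object.keys(VULNERABLE_DEPS)]);
  for (const pkg of pkgs) {
    const s = effectiveSeverity(pkg);
    if (s) counts[s] = (counts[s] || 0) + 1;
  }
  return counts; // { moderate: 5, high: 5 }
}
```

Note that verdaccio and @verdaccio/middleware count as high only because they reach validator through @verdaccio/url, which is why fixing the two root advisories clears all ten entries.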

📊 Benchmark results

Comparing with c4ae5bb1169c121e7e9f6ae1419d7b9797c9fd27

  • Dependency count: 1,044 (no change)
  • Package size: 304 MB ⬆️ 0.00% increase vs. c4ae5bb1169c121e7e9f6ae1419d7b9797c9fd27
  • Number of ts-expect-error directives: 378 (no change)

github-actions[bot] avatar Dec 04 '25 13:12 github-actions[bot]