
chore: resolve CVE security vulnerabilities via package resolutions (HIGH / CRITICAL)

Open · MSACC opened this issue 4 weeks ago · 1 comment

Add package resolutions to fix all critical and high severity CVE vulnerabilities detected in dependencies.

Security fixes:

  • elliptic@^6.6.1 - Fixes critical CVE (private key extraction vulnerability)
  • glob@^10.5.0 - Fixes CVE-2025-64756 (command injection in CLI)
  • tmp@^0.2.4 - Fixes CVE-2025-54798 (arbitrary file write via symlink)
  • @babel/helpers@^7.26.10 - Fixes RegExp complexity vulnerability
  • js-yaml@^3.14.2 - Fixes prototype pollution vulnerability

Results:

  • Eliminated all critical vulnerabilities (1 → 0)
  • Eliminated all high severity vulnerabilities (4 → 0)
  • Reduced moderate vulnerabilities (33 → 11)
  • Production dependencies: only 2 low severity issues remaining

Build and ESLint checks pass successfully.

MSACC avatar Nov 24 '25 22:11 MSACC

As discussed in our call, @boazpoolman, we will fix the tests later. Ready for review.

MSACC avatar Dec 01 '25 19:12 MSACC