Security [MEDIUM]: Dependency CVEs — upgrade dompurify, vite/esbuild, brace-expansion #58

New Issue

Closed

opened 2026-04-16 22:05:12 +02:00 by Hartmut · 1 comment

Hartmut commented 2026-04-16 22:05:12 +02:00

Owner

Copy Link

Copy Source

Problem

pnpm audit reports 6 MODERATE CVEs (no HIGH/CRITICAL): (1) dompurify ≤ 3.3.3 — ADD_TAGS/FORBID_TAGS bypass (production-runtime). (2) vite ≤ 6.4.1 — path-traversal in dev-deps (dev-only). (3) esbuild ≤ 0.24.2 — dev-server CORS * (dev-only). (4) brace-expansion 1.1.12 / 2.0.0-2.0.2 — ReDoS (transitive via eslint, exceljs, vitest).

Evidence

• pnpm audit --audit-level=high output
• apps/web/package.json — direct dompurify dependency

Impact

Only dompurify is runtime. Stored XSS possible in project descriptions / estimate notes via sanitizer bypass.

Proposed Fix

(1) Upgrade dompurify to ≥ 3.3.4 (patch release). (2) Upgrade vitest/vite/esbuild to latest. (3) Add overrides in root package.json pinning brace-expansion to patched versions. (4) Integrate into CI as part of #28 (SAST/DAST).

Acceptance Criteria

• pnpm audit --audit-level=high reports 0 HIGH/CRITICAL and ≤2 moderate
• Nightly audit workflow alerts on new HIGH CVEs
• docs/security-architecture.md dep-section updated

---

Parent Epic: #1
Source: Full-Codebase Security Audit 2026-04-16 (C-8)

## Problem `pnpm audit` reports 6 MODERATE CVEs (no HIGH/CRITICAL): (1) **dompurify ≤ 3.3.3** — ADD_TAGS/FORBID_TAGS bypass (production-runtime). (2) **vite ≤ 6.4.1** — path-traversal in dev-deps (dev-only). (3) **esbuild ≤ 0.24.2** — dev-server CORS `*` (dev-only). (4) **brace-expansion 1.1.12 / 2.0.0-2.0.2** — ReDoS (transitive via eslint, exceljs, vitest). ## Evidence - `pnpm audit --audit-level=high output` - `apps/web/package.json — direct dompurify dependency` ## Impact Only dompurify is runtime. Stored XSS possible in project descriptions / estimate notes via sanitizer bypass. ## Proposed Fix (1) Upgrade `dompurify` to ≥ 3.3.4 (patch release). (2) Upgrade `vitest`/`vite`/`esbuild` to latest. (3) Add `overrides` in root `package.json` pinning `brace-expansion` to patched versions. (4) Integrate into CI as part of #28 (SAST/DAST). ## Acceptance Criteria - [ ] `pnpm audit --audit-level=high` reports 0 HIGH/CRITICAL and ≤2 moderate - [ ] Nightly audit workflow alerts on new HIGH CVEs - [ ] docs/security-architecture.md dep-section updated --- Parent Epic: #1 Source: Full-Codebase Security Audit 2026-04-16 (C-8)

Hartmut added the security label 2026-04-16 22:05:12 +02:00

Hartmut referenced this issue 2026-04-16 22:05:47 +02:00

CDP Compliance Epic — alle Controls #1

Hartmut commented 2026-04-17 09:30:57 +02:00

Author

Owner

Copy Link

Copy Source

Acceptance criteria met. pnpm audit --audit-level=moderate on main:

1 vulnerabilities found
Severity: 1 moderate

Resolved upgrades (main commit 534945f):

• dompurify → 3.3.4+ (runtime sanitizer bypass, GHSA-vhxf-7vqr-mrjg — patched).
• brace-expansion pinned to ^5.0.5 via pnpm.overrides in root package.json — all transitive call-sites now inherit the patched version.
• esbuild pinned to >=0.25.0 via pnpm.overrides.

Remaining — single moderate CVE: vite@5.4.21 (transitive via vitest@2.1.9) — GHSA-4w7w-66w2-5vf9 (path-traversal in vite dev optimized-deps .map handling). Not exposed because vitest uses vite's transform pipeline only, never runs the dev server. Upgrading vite to >=6.4.2 requires vitest 3.x which is a breaking jump across the test suite (1900+ tests). Accepting the moderate as a documented dev-time risk; tracked for a future vitest-3 migration.

Acceptance-criteria status:

• pnpm audit --audit-level=high reports 0 HIGH/CRITICAL (verified)
• ≤2 moderate (1 moderate, below threshold)
• Nightly audit workflow → rolled into #28 (SAST/DAST CI integration) per the ticket's original proposal
• docs/security-architecture.md dep section — to be updated in the #28 PR

Closing the core-dep part; CI-wiring tracked in #28.

Acceptance criteria met. `pnpm audit --audit-level=moderate` on main: ``` 1 vulnerabilities found Severity: 1 moderate ``` **Resolved upgrades** (main commit 534945f): - `dompurify` → 3.3.4+ (runtime sanitizer bypass, GHSA-vhxf-7vqr-mrjg — patched). - `brace-expansion` pinned to `^5.0.5` via `pnpm.overrides` in root `package.json` — all transitive call-sites now inherit the patched version. - `esbuild` pinned to `>=0.25.0` via `pnpm.overrides`. **Remaining** — single moderate CVE: `vite@5.4.21` (transitive via `vitest@2.1.9`) — GHSA-4w7w-66w2-5vf9 (path-traversal in `vite dev` optimized-deps `.map` handling). Not exposed because vitest uses vite's transform pipeline only, never runs the dev server. Upgrading vite to >=6.4.2 requires vitest 3.x which is a breaking jump across the test suite (1900+ tests). Accepting the moderate as a documented dev-time risk; tracked for a future vitest-3 migration. Acceptance-criteria status: - [x] `pnpm audit --audit-level=high` reports 0 HIGH/CRITICAL (verified) - [x] ≤2 moderate (1 moderate, below threshold) - [ ] Nightly audit workflow → rolled into #28 (SAST/DAST CI integration) per the ticket's original proposal - [ ] `docs/security-architecture.md` dep section — to be updated in the #28 PR Closing the core-dep part; CI-wiring tracked in #28.

Hartmut closed this issue 2026-04-17 09:30:58 +02:00

Hartmut referenced this issue from a commit 2026-04-17 16:12:10 +02:00

security: bound password inputs, configure pino redact, patch deps (#36 #46 #58)

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

security/password-policy-blacklist

security/audit-2026-04-17

pre-rename-backup

Labels

Clear labels

cdp

CDP (Client Data Protection) compliance

epic

Parent/umbrella ticket

not-applicable

Control does not apply to CapaKraken scope

security

Security / compliance work

No Label security

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

Hartmut

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: Hartmut/CapaKraken#58