Skip to content

fix(deps): resolve 3 GitHub Dependabot vulnerabilities (2 high, 1 moderate) #13

Open
Open
fix(deps): resolve 3 GitHub Dependabot vulnerabilities (2 high, 1 moderate)#13
@CodeMonkeyCybersecurity

Description

@CodeMonkeyCybersecurity
CodeMonkeyCybersecurity
opened on Mar 14, 2026

Problem

GitHub push to CodeMonkeyCybersecurity/hera reported:

GitHub found 3 vulnerabilities on CodeMonkeyCybersecurity/hera's default branch (2 high, 1 moderate)

Action Required

  1. Review vulnerabilities at: https://github.com/CodeMonkeyCybersecurity/hera/security/dependabot
  2. Triage: determine if they are in devDependencies only (lower risk) or in runtime code
  3. Apply Dependabot-suggested updates
  4. Run npm audit and resolve any remaining issues
  5. Per SECURITY.md: Critical/High CVEs block merge, Medium require issue + remediation plan

Assessment

Current devDependencies in package.json:

  • @vitest/coverage-v8: ^4.0.7
  • vitest: ^4.0.7
  • eslint: ^8.57.0
  • husky: ^9.1.7
  • jsdom: ^27.1.0
  • happy-dom: ^20.0.10

Runtime dependencies:

  • ae-cvss-calculator: ^1.0.0

The 2 HIGH CVEs should be treated as P1 (fix this week) per governance TESTING.md §Coverage Thresholds.

Priority: P1 if in runtime deps, P2 if devDependencies only (verify first)
Refs: Discovered during push in fix/1-auth-issue-database-runtime-crashes

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions