
fix: resolve 48 of 50 npm vulnerabilities#542

Merged: pmilano1 merged 1 commit into main from fix/vuln-updates on May 25, 2026

Conversation

@pmilano1 (Owner)

Summary

Resolve 48 of 50 npm audit vulnerabilities.

Changes

  • Run npm audit fix to resolve bulk of vulns (fast-xml-parser, handlebars, semver, etc.)
  • Upgrade nodemailer 7.x → 8.0.8 (SMTP injection fixes)
  • Upgrade semantic-release to 25.0.3
  • Add npm overrides for undici ≥6.24.0 (fixes @actions/http-client CVEs)
  • Upgrade postcss direct dep to ^8.5.10

Not Fixed (no upstream fix available)

  • postcss (2 moderate) — bundled inside next@16.2.6, requires next@16.3.0-canary.5+ which doesn't exist

Testing

  • npm audit shows 2 moderate (down from 50)
  • App builds successfully

- Update deps via npm audit fix (fast-xml-parser, handlebars, etc.)
- Upgrade nodemailer to 8.0.8
- Upgrade semantic-release to 25.0.3
- Add undici override to resolve @actions/http-client vuln
- Upgrade postcss direct dep to ^8.5.10

Remaining 2 moderate: postcss bundled inside next@16.2.6 (no upstream fix)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
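As an added example (not code from this PR or its project), a small Node script that verifies the undici override described above actually took effect: it walks package-lock.json and reports every nested copy of a package that is still below the required minimum, because an `overrides` entry only helps once the lockfile has been regenerated. The lockfile below is a constructed sample, and `findStaleCopies`, `satisfiesMin` and `SAMPLE_LOCK` are names assumed here.

```javascript
// Check that an npm "overrides" entry is effective by inspecting the lockfile.
// Assumes lockfileVersion 2/3 layout: "packages" keyed by node_modules path.

// Parse "MAJOR.MINOR.PATCH" (optional leading "v"); null for anything else.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v || ''));
  return m ? m.slice(1, 4).map(Number) : null;
}

// True when `version` >= `minimum` by numeric major/minor/patch comparison.
// Unparseable versions are treated as NOT satisfying the minimum.
function satisfiesMin(version, minimum) {
  const a = parseSemver(version), b = parseSemver(minimum);
  if (!a || !b) return false;
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] > b[i];
  }
  return true;
}

// Return every node_modules path whose installed copy of `name` (hoisted or
// nested under another package) is below `minimum`. An empty array means the
// override is effective everywhere in the tree.
function findStaleCopies(lockfile, name, minimum) {
  const stale = [];
  const marker = 'node_modules/';
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (path === '') continue; // root project entry
    const base = path.slice(path.lastIndexOf(marker) + marker.length);
    if (base !== name) continue; // handles scoped names like @actions/http-client
    if (!satisfiesMin(meta.version, minimum)) {
      stale.push(`${path}@${meta.version || 'unknown'}`);
    }
  }
  return stale;
}

// Constructed sample lockfile (not the project's real package-lock.json):
// the hoisted undici was updated, but a nested copy under @actions/http-client
// was not, which is exactly what a stale lockfile looks like.
const SAMPLE_LOCK = {
  name: 'sample-app', version: '0.0.0', lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '0.0.0' },
    'node_modules/undici': { version: '6.24.0' },
    'node_modules/@actions/http-client': { version: '0.0.0-sample' },
    'node_modules/@actions/http-client/node_modules/undici': { version: '5.28.4' },
  },
};

console.log(findStaleCopies(SAMPLE_LOCK, 'undici', '6.24.0'));
```

To check a real tree, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findStaleCopies` instead of `SAMPLE_LOCK`; any path it prints is a copy that `npm audit` will still flag.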
@pmilano1 pmilano1 merged commit 6739ef7 into main May 25, 2026
1 check passed
@pmilano1 pmilano1 deleted the fix/vuln-updates branch May 25, 2026 14:06
