Skip to content

fix(deps): override morgan to 1.11.0 to resolve GHSA-4vj7-5mj6-jm8m#438

Open
tkislan wants to merge 1 commit into
mainfrom
tk/fix-vulnerabilities-2026-07-12
Open

fix(deps): override morgan to 1.11.0 to resolve GHSA-4vj7-5mj6-jm8m#438
tkislan wants to merge 1 commit into
mainfrom
tk/fix-vulnerabilities-2026-07-12

Conversation

@tkislan

@tkislan tkislan commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

Summary

The audit-all CI job (npx better-npm-audit audit) is failing on a single non-excepted advisory: morgan@1.10.1GHSA-4vj7-5mj6-jm8m / CVE-2026-5078 (moderate, CVSS 5.3): log forging via unneutralized control characters in the :remote-user token.

This PR resolves it by pinning morgan to the patched 1.11.0 via a targeted npm override, matching the repo's established convention for transitive security fixes.

The other 30 advisories reported by npm audit are all already covered by documented, unexpired exceptions in .nsprc (elliptic, @tootallnate/once, uuid, @opentelemetry/core, js-yaml). morgan was the only new, non-excepted finding — and the only thing turning CI red.

Root cause

morgan is a dev/test-only transitive dependency — never part of the shipped extension bundle (which is why audit-prod was green while audit-all was red):

@vscode/test-web@0.0.71 (devDependency) → koa-morgan@1.0.1 → morgan@1.10.1

Fix

  "overrides": {
      ...
      "form-data@>=4.0.0 <4.0.6": "4.0.6",
+     "morgan@<1.11.0": "1.11.0"
  }

Why an override rather than an .nsprc exception — consistent with how this repo distinguishes the two:

  • 1.11.0 is the patched release (OSV: introduced 1.2.0, fixed 1.11.0) and the latest published version.
  • It's a semver-compatible minor bump that sits inside koa-morgan's own declared range (morgan: ^1.6.1), so it resolves cleanly with no forced major.
  • .nsprc exceptions in this repo are reserved for breaking-major / no-fix-available cases — which does not apply here.

Behavioral safety (per online research + tarball diff of 1.10.1 vs 1.11.0):

  • The 1.10.1 → 1.11.0 change is tiny and additive: a private escapeLogField() helper applied to the :remote-user token, plus a new additive :pid token. All predefined formats (combined, common, dev, short, tiny) are textually unchanged.
  • @vscode/test-web invokes morgan with the dev format, which never references :remote-user — so this repo's test-server log output is byte-for-byte identical after the bump. The new escaping only alters output when a Basic-auth username contains control characters (exactly the vulnerability being fixed).
  • The only other lockfile change is a dev-only nested on-finished dedupe (2.3.0 → 2.4.1).
  • morgan@1.11.0 is clean of any other known advisory (OSV + Snyk).

Verification

Check Before After
npx better-npm-audit audit (audit-all) ❌ exit 1 ✅ exit 0 (🤝 All good!)
npx better-npm-audit audit --production (audit-prod) ✅ exit 0 ✅ exit 0
npx prettier --check package.json ✅ clean
Lockfile drift (npm install idempotent) ✅ no drift

Scope

Only package.json (one-line override) and package-lock.json (morgan 1.10.1 → 1.11.0 + nested on-finished dedupe) are touched. No source changes.

🤖 Generated with Claude Code

https://claude.ai/code/session_01CPTs6CHNncauUuTGkwpNtH

Summary by CodeRabbit

  • Chores
    • Updated dependency resolution to ensure a consistent version of a logging component.

The `audit-all` CI job (better-npm-audit) was failing on morgan@1.10.1,
which is vulnerable to log forging via unneutralized control characters
in the :remote-user token (GHSA-4vj7-5mj6-jm8m / CVE-2026-5078, moderate,
CVSS 5.3).

morgan is a dev/test-only transitive dependency, never shipped in the
extension bundle:

    @vscode/test-web@0.0.71 -> koa-morgan@1.0.1 -> morgan

Resolved by adding a targeted npm override to 1.11.0 (the patched
release, which is also the latest), consistent with the repo's existing
override convention for transitive security fixes. 1.11.0 satisfies
koa-morgan's `^1.6.1` range, so it is a semver-compatible minor bump and
no `.nsprc` exception is warranted. The 1.10.1 -> 1.11.0 diff is tiny and
additive (escapes control chars in the :remote-user token, plus a new
:pid token); all predefined formats are unchanged, and @vscode/test-web
uses the `dev` format, which does not reference :remote-user. The only
other lockfile change is a dev-only nested on-finished dedupe
(2.3.0 -> 2.4.1).

Verified locally: `npx better-npm-audit audit` now exits 0 (was 1),
`--production` still passes, prettier is clean, and the lockfile is
drift-free (idempotent under `npm install`).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01CPTs6CHNncauUuTGkwpNtH
@coderabbitai

coderabbitai Bot commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

The package.json dependency overrides now pin morgan versions below 1.11.0 to 1.11.0. The existing form-data override remains unchanged.

Estimated code review effort: 1 (Trivial) | ~2 minutes

Possibly related PRs

Suggested reviewers: dinohamzic, mfranczel

🚥 Pre-merge checks | ✅ 6
✅ Passed checks (6 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Updates Docs ✅ Passed PASS: This PR only pins a transitive dependency in package manifests; it adds no user-facing feature, so no docs update is applicable.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: pinning morgan to 1.11.0 via an override to address the security advisory.

Comment @coderabbitai help to get the list of available commands.

@codecov

codecov Bot commented Jul 12, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 0%. Comparing base (735e5f5) to head (daf5737).
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@     Coverage Diff     @@
##   main   #438   +/-   ##
===========================
===========================
🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@tkislan tkislan marked this pull request as ready for review July 12, 2026 08:20
@tkislan tkislan requested a review from a team as a code owner July 12, 2026 08:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant