From daf573756d89f1ac25790c4d6ea0ed3775c058ee Mon Sep 17 00:00:00 2001 From: tomas Date: Sun, 12 Jul 2026 08:12:59 +0000 Subject: [PATCH] fix(deps): override morgan to 1.11.0 to resolve GHSA-4vj7-5mj6-jm8m The `audit-all` CI job (better-npm-audit) was failing on morgan@1.10.1, which is vulnerable to log forging via unneutralized control characters in the :remote-user token (GHSA-4vj7-5mj6-jm8m / CVE-2026-5078, moderate, CVSS 5.3). morgan is a dev/test-only transitive dependency, never shipped in the extension bundle: @vscode/test-web@0.0.71 -> koa-morgan@1.0.1 -> morgan Resolved by adding a targeted npm override to 1.11.0 (the patched release, which is also the latest), consistent with the repo's existing override convention for transitive security fixes. 1.11.0 satisfies koa-morgan's `^1.6.1` range, so it is a semver-compatible minor bump and no `.nsprc` exception is warranted. The 1.10.1 -> 1.11.0 diff is tiny and additive (escapes control chars in the :remote-user token, plus a new :pid token); all predefined formats are unchanged, and @vscode/test-web uses the `dev` format, which does not reference :remote-user. The only other lockfile change is a dev-only nested on-finished dedupe (2.3.0 -> 2.4.1). Verified locally: `npx better-npm-audit audit` now exits 0 (was 1), `--production` still passes, prettier is clean, and the lockfile is drift-free (idempotent under `npm install`). Co-Authored-By: Claude Opus 4.8 (1M context) Claude-Session: https://claude.ai/code/session_01CPTs6CHNncauUuTGkwpNtH --- package-lock.json | 44 +++++++++++++------------------------------- package.json | 3 ++- 2 files changed, 15 insertions(+), 32 deletions(-) diff --git a/package-lock.json b/package-lock.json index e520ea76d..02b25b6af 100644 --- a/package-lock.json +++ b/package-lock.json @@ -25179,20 +25179,24 @@ } }, "node_modules/morgan": { - "version": "1.10.1", - "resolved": "https://registry.npmjs.org/morgan/-/morgan-1.10.1.tgz", - "integrity": "sha512-223dMRJtI/l25dJKWpgij2cMtywuG/WiUKXdvwfbhGKBhy1puASqXwFzmWZ7+K73vUPoR7SS2Qz2cI/g9MKw0A==", + "version": "1.11.0", + "resolved": "https://registry.npmjs.org/morgan/-/morgan-1.11.0.tgz", + "integrity": "sha512-zSkVu3t18r39pw4ixfBKvfZi3y2UOqr7d4WYwcj3m8nXpEQK4rPO6GLzs/CExoRgmX3y9EjmmcXqv6jq0SK46g==", "dev": true, "license": "MIT", "dependencies": { "basic-auth": "~2.0.1", "debug": "2.6.9", "depd": "~2.0.0", - "on-finished": "~2.3.0", + "on-finished": "~2.4.1", "on-headers": "~1.1.0" }, "engines": { "node": ">= 0.8.0" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/express" } }, "node_modules/morgan/node_modules/debug": { @@ -25212,19 +25216,6 @@ "dev": true, "license": "MIT" }, - "node_modules/morgan/node_modules/on-finished": { - "version": "2.3.0", - "resolved": "https://registry.npmjs.org/on-finished/-/on-finished-2.3.0.tgz", - "integrity": "sha512-ikqdkGAAyf/X/gPhXGvfgAytDZtDbr+bkNUJ0N9h5MI/dmdgCs3l6hoHrcUv41sRKew3jIwrp4qQDXiK99Utww==", - "dev": true, - "license": "MIT", - "dependencies": { - "ee-first": "1.1.1" - }, - "engines": { - "node": ">= 0.8" - } - }, "node_modules/ms": { "version": "2.1.2", "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz", @@ -51762,7 +51753,7 @@ "integrity": "sha512-JOUdCNlc21G50afBXfErUrr1RKymbgzlrO5KURY+wmDG1Uvd2jmxUJcHgylb/mYXy2SjiNZyYim/ptUBGsIi3A==", "dev": true, "requires": { - "morgan": "^1.6.1" + "morgan": "1.11.0" } }, "koa-mount": { @@ -53155,15 +53146,15 @@ } }, "morgan": { - "version": "1.10.1", - "resolved": "https://registry.npmjs.org/morgan/-/morgan-1.10.1.tgz", - "integrity": "sha512-223dMRJtI/l25dJKWpgij2cMtywuG/WiUKXdvwfbhGKBhy1puASqXwFzmWZ7+K73vUPoR7SS2Qz2cI/g9MKw0A==", + "version": "1.11.0", + "resolved": "https://registry.npmjs.org/morgan/-/morgan-1.11.0.tgz", + "integrity": "sha512-zSkVu3t18r39pw4ixfBKvfZi3y2UOqr7d4WYwcj3m8nXpEQK4rPO6GLzs/CExoRgmX3y9EjmmcXqv6jq0SK46g==", "dev": true, "requires": { "basic-auth": "~2.0.1", "debug": "2.6.9", "depd": "~2.0.0", - "on-finished": "~2.3.0", + "on-finished": "~2.4.1", "on-headers": "~1.1.0" }, "dependencies": { @@ -53181,15 +53172,6 @@ "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz", "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==", "dev": true - }, - "on-finished": { - "version": "2.3.0", - "resolved": "https://registry.npmjs.org/on-finished/-/on-finished-2.3.0.tgz", - "integrity": "sha512-ikqdkGAAyf/X/gPhXGvfgAytDZtDbr+bkNUJ0N9h5MI/dmdgCs3l6hoHrcUv41sRKew3jIwrp4qQDXiK99Utww==", - "dev": true, - "requires": { - "ee-first": "1.1.1" - } } } }, diff --git a/package.json b/package.json index 9ae5460e0..10916bb9e 100644 --- a/package.json +++ b/package.json @@ -3002,6 +3002,7 @@ "shell-quote@<1.8.4": "1.8.4", "@babel/core@<7.29.6": "7.29.6", "form-data@>=3.0.0 <3.0.5": "3.0.5", - "form-data@>=4.0.0 <4.0.6": "4.0.6" + "form-data@>=4.0.0 <4.0.6": "4.0.6", + "morgan@<1.11.0": "1.11.0" } }