Skip to content

Fix ch3 dependency vulnerabilities with npm overrides#37

Open
ldthorson90 wants to merge 7 commits into
webofthings:masterfrom
ldthorson90:security-fix-ch3-overrides
Open

Fix ch3 dependency vulnerabilities with npm overrides#37
ldthorson90 wants to merge 7 commits into
webofthings:masterfrom
ldthorson90:security-fix-ch3-overrides

Conversation

@ldthorson90

Copy link
Copy Markdown

Summary

  • Adds npm overrides for form-data, qs, and tough-cookie to resolve 3 of 4 remaining vulnerabilities in chapter3-node-js
  • Updates request package to latest v2 release (2.88.2)
  • Reduces vulnerability count from 4 (2 critical, 2 moderate) to 1 (moderate)

Remaining

  • 1 moderate SSRF vulnerability in the deprecated request package (no fix available without replacing the library entirely)

Test plan

  • Verify npm audit in chapter3-node-js shows only 1 remaining vulnerability
  • Verify chapter3 examples still run correctly

🤖 Generated with Claude Code

ldthorson90 and others added 7 commits October 25, 2016 17:23
npm audit fix --force on all chapter directories. Resolves
critical RCE in ejs/handlebars/morgan and high-severity DoS
in body-parser/ws/method-override. chapter3 has 4 remaining
vulns that require manual dep replacement (ejs/handlebars
are direct dependencies with no safe upgrade path).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Fix critical dependency vulnerabilities
Adds overrides for form-data, qs, and tough-cookie to resolve
3 of 4 remaining vulnerabilities. The last one (request SSRF)
requires replacing the deprecated request library entirely.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant