Skip to content

fix(ci): patch ws advisory and scope security audit to production deps#215

Merged
VascoSch92 merged 1 commit into
mainfrom
vasco/fix-npm-audit-security
Jun 18, 2026
Merged

fix(ci): patch ws advisory and scope security audit to production deps#215
VascoSch92 merged 1 commit into
mainfrom
vasco/fix-npm-audit-security

Conversation

@VascoSch92

@VascoSch92 VascoSch92 commented Jun 18, 2026

Copy link
Copy Markdown
Member

Problem

The security CI job (.github/workflows/ci.yml) has been failing on every recent push to main (5/5 latest runs red) — independent of any code change. npm audit checks the dependency tree against npm's live advisory database, and newly-published advisories tripped both audit steps:

  • ws 8.0.0–8.20.1 — high severity, GHSA-96hv-2xvq-fx4p (memory-exhaustion DoS). This is a production dependency (runtime WebSocket).
  • js-yaml ≤4.1.1 — moderate, root of 18 dev-only advisories via jest → babel-plugin-istanbul → @istanbuljs/load-nyc-config → js-yaml@3.
  • @babel/core ≤7.29.0 — moderate, dev-only.

Fix

  1. npm audit fix (non-breaking, package-lock.json only): bumps ws 8.20.0 → 8.21.0, clearing the only production-dependency vulnerability, and realigns the jest 30.x lockfile entries with package.json (the lockfile had drifted to jest@30.3.0 vs. the declared ^30.4.2).
  2. Scope the moderate audit to production deps (npm audit --audit-level=moderate --omit=dev). The 18 remaining moderate advisories are entirely dev-only test tooling. The blocker, js-yaml@3, is pinned by @istanbuljs/load-nyc-config@1.1.0 — long unmaintained, no version uses js-yaml 4.x — so no dependency bump (including npm audit fix --force) can resolve it, and it never ships to consumers. The second step (--audit-level=high --production) is unchanged, so production deps remain gated at both moderate and high.

Verification

  • npm audit --omit=dev0 vulnerabilities
  • Both CI audit gates pass locally (exit 0)
  • npm run build ✅ · npm run lint ✅ (0 errors) · npm test254/254

Scope note

This is a standalone CI-health fix, independent of #214 (the agent-server 1.24.0 → 1.29.0 pin bump). It's branched off main so it can merge on its own.

@VascoSch92
fix(ci): patch ws advisory and scope security audit to production deps
a9c060a 
The `security` CI job was failing repo-wide (every recent push to main) on
newly-published npm advisories, not on any code change.

- `npm audit fix` bumps `ws` 8.20.0 -> 8.21.0, clearing the high-severity
  GHSA-96hv-2xvq-fx4p (the only production-dependency vulnerability) and
  realigns the jest 30.x lockfile entries with package.json.
- Scope the moderate audit to production deps (`--omit=dev`). The remaining
  18 moderate advisories are all dev-only test tooling
  (jest -> babel-plugin-istanbul -> @istanbuljs/load-nyc-config -> js-yaml@3),
  which is unmaintained upstream and has no fix; it never ships to consumers.

After this change `npm audit --omit=dev` reports 0 vulnerabilities and both
audit gates pass. Build, lint, and the 254 unit tests are green.
@VascoSch92 VascoSch92 merged commit 2987065 into main Jun 18, 2026
7 checks passed
@openhands-release-bot openhands-release-bot Bot mentioned this pull request Jun 24, 2026
Merged
@VascoSch92 VascoSch92 added the type: fix A bug fix label Jun 24, 2026
@openhands-release-bot openhands-release-bot Bot added the released: v1.27.0 Shipped in v1.27.0 label Jun 25, 2026
@openhands-release-bot

openhands-release-bot Bot commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

🚀 Released in v1.27.0.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aivong-openhands aivong-openhands aivong-openhands approved these changes

Assignees

No one assigned

Labels

released: v1.27.0 Shipped in v1.27.0 type: fix A bug fix

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@VascoSch92 @aivong-openhands