Skip to content

chore: npm audit fixes, gitleaks hook, gitignore hardening, and script inventory update#1541

Open
aritro2002 wants to merge 6 commits into
mainfrom
chore/npm-audit-fixes-and-script-inventory-update
Open

chore: npm audit fixes, gitleaks hook, gitignore hardening, and script inventory update#1541
aritro2002 wants to merge 6 commits into
mainfrom
chore/npm-audit-fixes-and-script-inventory-update

Conversation

@aritro2002

Copy link
Copy Markdown
Contributor

Type of Change

  • Bugfix
  • New feature
  • Enhancement
  • Refactoring
  • Dependency updates
  • Documentation
  • CI/CD

Description

This PR addresses npm audit findings, hardens the repository's security posture via .gitignore and commit hook improvements, and brings the third-party script inventory in sync with the actual codebase.
Dependency Updates:

  • Bumped copy-webpack-plugin from ^11.0.0 to ^14.0.0 in Hyperswitch-React-Demo-App
  • Bumped webpack-dev-server from ^5.0.4 to ^5.2.3 in Hyperswitch-React-Demo-App
  • Updated package-lock.json for both root and demo app post-audit
    Note: The remaining 3 moderate vulnerabilities (uuid < 14.0.0 via sockjswebpack-dev-server) are an open upstream bug in sockjs. The suggested fix (npm audit fix --force) would downgrade webpack-dev-server to 1.16.5 — a breaking regression. These are devDependencies only and have zero impact on the production bundle.

Security — .gitignore Hardening:

  • Added sensitive credential file patterns: *.keystore, *.p12, *.pfx, *.jks, google-services.json, GoogleService-Info.plist, .env, .env.*
  • Added IDE-specific ignore entries: VSCode, JetBrains, Vim/Neovim, Emacs, Sublime Text
  • Added AI agent config ignore entries: Cursor, OpenCode, GitHub Copilot, Cline/Roo, Windsurf, Claude/Anthropic, Aider

Security — Commit Hook:

  • Added Gitleaks secret scanning to .githooks/commit-msg
  • Aborts commit if secrets are detected in staged changes
  • Auto-installs Gitleaks via Homebrew if not present; exits with a clear error if Homebrew is also unavailable
    Documentation:
  • Updated Braintree script version from 3.88.43.92.1 to match actual usage in Hyper.res and BraintreeHelpers.res
  • Added missing apple-pay.min.js Braintree script loaded by BraintreeHelpers.res
  • Added Klarna sandbox/testing URLs (js.playground.klarna.com, eu.playground.klarnaevt.com) present in the CSP allowlist

Changes Summary

Modified Files:

  • .gitignore — Added credential, IDE, and AI agent ignore patterns
  • .githooks/commit-msg — Added Gitleaks secret scanning step
  • package-lock.json — Updated dependency tree post npm audit
  • package.json — Dependency version updates
  • Hyperswitch-React-Demo-App/package.json — Bumped copy-webpack-plugin and webpack-dev-server
  • Hyperswitch-React-Demo-App/package-lock.json — Updated dependency tree
  • docs/SCRIPT_INVENTORY.md — Corrected Braintree version, added missing scripts, added Klarna playground URLs

How did you test it?

  • Ran npm audit to verify remaining vulnerabilities are upstream-blocked and not actionable
  • Verified webpack-dev-server@5.2.3 is the latest release and still depends on the unfixed sockjs
  • Manually triggered the commit hook to confirm Gitleaks scan runs and blocks commits containing secrets
  • Verified .gitignore patterns against common credential and IDE file naming conventions
  • Cross-referenced script URLs against source files: src/hyper-loader/Hyper.res, src/Utilities/BraintreeHelpers.res, public/build.html, webpack.common.js
image
Screen.Recording.2026-05-05.at.3.54.54.pm.mov

Checklist

  • I ran npm run re:build
  • I reviewed submitted code
  • I added unit tests for my changes where possible

@aritro2002 aritro2002 self-assigned this May 5, 2026
@aritro2002 aritro2002 added the Ready for Review PR with label Ready for Review should only be reviewed. label May 5, 2026
@semanticdiff-com

semanticdiff-com Bot commented May 5, 2026

Copy link
Copy Markdown

Review changes with  SemanticDiff

Changed Files
File Status
  Hyperswitch-React-Demo-App/package-lock.json  21% smaller
  .githooks/commit-msg Unsupported file format
  .gitignore Unsupported file format
  Hyperswitch-React-Demo-App/package.json  0% smaller
  docs/SCRIPT_INVENTORY.md Unsupported file format
  package-lock.json Unsupported file format
  package.json  0% smaller

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Ready for Review PR with label Ready for Review should only be reviewed.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

chore: npm audit fixes, gitleaks hook, gitignore hardening, and script inventory update

1 participant