fix(security): fix 3 npm vulnerabilities in NuMarquez frontend#71
Merged
Kess220 merged 7 commits intoMay 12, 2026
Merged
Conversation
Resolves VM-1568205. fast-uri <=3.1.1 decodes percent-encoded authority delimiters inside the host component, enabling host confusion attacks. Fixed by adding an npm override in web/package.json. GHAS: https://github.com/nubank/NuMarquez/security/dependabot/269
Resolves VM-1515224. axios <=0.31.0 reads config keys from Object.prototype without hasOwnProperty guards, enabling prototype pollution attacks that can intercept/modify HTTP responses. Fixed via yarn resolution in docs/package.json (axios is a transitive dependency of @docusaurus/preset-classic@2.2.0 in the docs workspace; it is not present in the web workspace). Note: docs/yarn.lock was not regenerated in this commit due to local auth limitations with the private CodeArtifact registry; it will be regenerated on the next yarn install in docs/. GHAS: https://github.com/nubank/NuMarquez/security/dependabot/263
…4 to fix CVE-2026-44728 Resolves VM-1568559. Versions >=7.12.0 <=7.29.3 can generate arbitrary code execution output when compiling attacker-crafted input. The vulnerable package is present transitively in both workspaces: - web/ (via @babel/preset-env from react-scripts@5.0.1): pinned 7.22.5 - docs/ (via @docusaurus/preset-classic@2.2.0): pinned 7.22.11 Fixed via npm override in web/package.json and yarn resolution in docs/package.json. Note: docs/yarn.lock was not regenerated due to local auth limitations with the private CodeArtifact registry; it will be regenerated on the next yarn install in docs/. web/package-lock.json has been regenerated and now resolves @babel/plugin-transform-modules-systemjs@7.29.4. GHAS: https://github.com/nubank/NuMarquez/security/dependabot/270
…ions applied Follow-up to PR #71. Regenerates docs/yarn.lock after adding resolutions in docs/package.json for VM-1515224 (axios >=1.0.0) and VM-1568559 (@babel/plugin-transform-modules-systemjs >=7.29.4). Resolved versions in docs/: - axios: 1.16.0 - @babel/plugin-transform-modules-systemjs: 7.29.4
wait-on (used by Docusaurus) imports axios/lib/adapters/http internally, which was removed in axios 1.x. Forcing axios >=1.0.0 in docs/ breaks the build. Removing the resolution since the risk is low (build-time only, trusted code). The axios fix in web/ via npm override remains intact and covers the production surface. VM-1515224 partially mitigated in docs/.
…ibility wait-on <7.x imports axios/lib/adapters/http internally, a path removed in axios 1.x. Forcing wait-on >=7.0.0 (which already uses axios ^1.x natively) alongside the existing axios >=1.0.0 resolution fixes the ERR_PACKAGE_PATH_NOT_EXPORTED error in the docs CI build. Fully resolves VM-1515224 in docs/.
wait-on 9.x requires Node >=20, but the docs CI (test-website.yml) runs on Node 18, causing 'incompatible module' on yarn install. Narrowing the resolution from >=7.0.0 to ^7.0.0 keeps the axios 1.x compatibility (wait-on 7.x was the first to drop the internal axios/lib/adapters/http import) while staying within the engines range of the CI's Node version.
lmassaoy
approved these changes
May 12, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes 3 High-severity npm vulnerabilities in the NuMarquez frontend by adding npm
overrides(inweb/) and yarnresolutions(indocs/) to pin vulnerable transitive dependencies to safe versions.Vulnerabilities fixed
fast-urireact-scripts@5.0.1(web)web/package.jsonoverridesaxios@docusaurus/preset-classic@2.2.0(docs)docs/package.jsonresolutions@babel/plugin-transform-modules-systemjsweb/package.jsonoverrides anddocs/package.jsonresolutionsApproach
All three are transitive dependencies. Rather than upgrading parent packages (
react-scripts,@docusaurus/preset-classic), which could introduce unrelated breaking changes, we pin each vulnerable package viaoverrides(npm, inweb/) andresolutions(yarn, indocs/). This is the minimal, surgical fix.Note that
axiosis not present inweb/'s dependency tree —web/(npm, React app) anddocs/(yarn, Docusaurus) are separate workspaces. Theaxiosand@babel/plugin-transform-modules-systemjsCVEs originate from@docusaurus/preset-classic, which lives indocs/. The babel plugin is also pulled intoweb/via@babel/preset-env, so it is pinned in both places.Forcing
axios >= 1.0.0(a major bump from0.25.0) required also pinningwait-on ^7.0.0indocs/. Two reasons:wait-on < 7.ximportsaxios/lib/adapters/http, an internal path removed in axios 1.x — this causedERR_PACKAGE_PATH_NOT_EXPORTEDin CI.wait-on >= 9.xrequires Node>=20, but the docs CI runs Node 18 — this caused anincompatible moduleengine error.^7.0.0stays within Node 18 compat while still using axios 1.x natively.Validation
npm installran successfully inweb/;web/package-lock.jsonwas regenerated.npm list fast-uriinweb/resolvesfast-uri@3.1.2 overridden.npm list @babel/plugin-transform-modules-systemjsinweb/resolves7.29.4 overridden.npm auditinweb/reports 0 vulnerabilities.yarn installindocs/ran successfully.docs/yarn.lockregenerated withaxios@1.16.0,wait-on@7.2.0, and@babel/plugin-transform-modules-systemjs@7.29.4.Test deployment,Check for Headers,Analyze (actions),CodeQL✓npm run buildinweb/fails with 5 pre-existing TypeScript errors inColumnLineage*.tsx(commite93f9512, unrelated to this PR, reproducible onmain).npm testinweb/fails with 11 pre-existing ESLint/prettier errors, also unrelated and reproducible onmain.Commits
e164df59—fix(security): force fast-uri >=3.1.2 to fix CVE-2026-6322b6bcc7ee—fix(security): force axios >=1.0.0 to fix CVE-2026-420333cbfe0e0—fix(security): force @babel/plugin-transform-modules-systemjs >=7.29.4 to fix CVE-2026-447281767f71f—fix(security): regenerate docs/yarn.lock with axios and babel resolutions applied132f99c6—fix(security): remove axios resolution from docs to fix CI build857c013b—fix(security): add wait-on >=7.0.0 resolution to fix axios 1.x compatibilityb507e0f2—fix(security): pin wait-on to ^7.0.0 for Node 18 compatibility