Skip to content

fix(security): fix 3 npm vulnerabilities in NuMarquez frontend#71

Merged
Kess220 merged 7 commits into
mainfrom
fix/VM-1568205-VM-1515224-VM-1568559-npm-vulnerabilities
May 12, 2026
Merged

fix(security): fix 3 npm vulnerabilities in NuMarquez frontend#71
Kess220 merged 7 commits into
mainfrom
fix/VM-1568205-VM-1515224-VM-1568559-npm-vulnerabilities

Conversation

@Kess220

@Kess220 Kess220 commented May 11, 2026

Copy link
Copy Markdown
Contributor

Summary

Fixes 3 High-severity npm vulnerabilities in the NuMarquez frontend by adding npm overrides (in web/) and yarn resolutions (in docs/) to pin vulnerable transitive dependencies to safe versions.

Vulnerabilities fixed

Ticket CVE Package Severity Source Fix location
VM-1568205 CVE-2026-6322 fast-uri High (7.5) react-scripts@5.0.1 (web) web/package.json overrides
VM-1515224 CVE-2026-42033 axios High (7.4) @docusaurus/preset-classic@2.2.0 (docs) docs/package.json resolutions
VM-1568559 CVE-2026-44728 @babel/plugin-transform-modules-systemjs High (8.2) both workspaces both web/package.json overrides and docs/package.json resolutions

Approach

All three are transitive dependencies. Rather than upgrading parent packages (react-scripts, @docusaurus/preset-classic), which could introduce unrelated breaking changes, we pin each vulnerable package via overrides (npm, in web/) and resolutions (yarn, in docs/). This is the minimal, surgical fix.

Note that axios is not present in web/'s dependency tree — web/ (npm, React app) and docs/ (yarn, Docusaurus) are separate workspaces. The axios and @babel/plugin-transform-modules-systemjs CVEs originate from @docusaurus/preset-classic, which lives in docs/. The babel plugin is also pulled into web/ via @babel/preset-env, so it is pinned in both places.

Forcing axios >= 1.0.0 (a major bump from 0.25.0) required also pinning wait-on ^7.0.0 in docs/. Two reasons:

  • wait-on < 7.x imports axios/lib/adapters/http, an internal path removed in axios 1.x — this caused ERR_PACKAGE_PATH_NOT_EXPORTED in CI.
  • wait-on >= 9.x requires Node >=20, but the docs CI runs Node 18 — this caused an incompatible module engine error. ^7.0.0 stays within Node 18 compat while still using axios 1.x natively.

Validation

  • npm install ran successfully in web/; web/package-lock.json was regenerated.
  • npm list fast-uri in web/ resolves fast-uri@3.1.2 overridden.
  • npm list @babel/plugin-transform-modules-systemjs in web/ resolves 7.29.4 overridden.
  • npm audit in web/ reports 0 vulnerabilities.
  • yarn install in docs/ ran successfully. docs/yarn.lock regenerated with axios@1.16.0, wait-on@7.2.0, and @babel/plugin-transform-modules-systemjs@7.29.4.
  • All CI checks passing: Test deployment, Check for Headers, Analyze (actions), CodeQL
  • npm run build in web/ fails with 5 pre-existing TypeScript errors in ColumnLineage*.tsx (commit e93f9512, unrelated to this PR, reproducible on main).
  • npm test in web/ fails with 11 pre-existing ESLint/prettier errors, also unrelated and reproducible on main.

Commits

  1. e164df59fix(security): force fast-uri >=3.1.2 to fix CVE-2026-6322
  2. b6bcc7eefix(security): force axios >=1.0.0 to fix CVE-2026-42033
  3. 3cbfe0e0fix(security): force @babel/plugin-transform-modules-systemjs >=7.29.4 to fix CVE-2026-44728
  4. 1767f71ffix(security): regenerate docs/yarn.lock with axios and babel resolutions applied
  5. 132f99c6fix(security): remove axios resolution from docs to fix CI build
  6. 857c013bfix(security): add wait-on >=7.0.0 resolution to fix axios 1.x compatibility
  7. b507e0f2fix(security): pin wait-on to ^7.0.0 for Node 18 compatibility

Kess220 added 3 commits May 11, 2026 12:28
Resolves VM-1568205. fast-uri <=3.1.1 decodes percent-encoded authority
delimiters inside the host component, enabling host confusion attacks.
Fixed by adding an npm override in web/package.json.

GHAS: https://github.com/nubank/NuMarquez/security/dependabot/269
Resolves VM-1515224. axios <=0.31.0 reads config keys from Object.prototype
without hasOwnProperty guards, enabling prototype pollution attacks that can
intercept/modify HTTP responses. Fixed via yarn resolution in
docs/package.json (axios is a transitive dependency of
@docusaurus/preset-classic@2.2.0 in the docs workspace; it is not present
in the web workspace).

Note: docs/yarn.lock was not regenerated in this commit due to local
auth limitations with the private CodeArtifact registry; it will be
regenerated on the next yarn install in docs/.

GHAS: https://github.com/nubank/NuMarquez/security/dependabot/263
…4 to fix CVE-2026-44728

Resolves VM-1568559. Versions >=7.12.0 <=7.29.3 can generate arbitrary code
execution output when compiling attacker-crafted input. The vulnerable package
is present transitively in both workspaces:
- web/ (via @babel/preset-env from react-scripts@5.0.1): pinned 7.22.5
- docs/ (via @docusaurus/preset-classic@2.2.0): pinned 7.22.11

Fixed via npm override in web/package.json and yarn resolution in
docs/package.json.

Note: docs/yarn.lock was not regenerated due to local auth limitations
with the private CodeArtifact registry; it will be regenerated on the
next yarn install in docs/. web/package-lock.json has been regenerated
and now resolves @babel/plugin-transform-modules-systemjs@7.29.4.

GHAS: https://github.com/nubank/NuMarquez/security/dependabot/270
@Kess220 Kess220 requested a review from a team as a code owner May 11, 2026 15:41
@Kess220 Kess220 requested a review from jrosend May 11, 2026 15:41
Kess220 added 4 commits May 11, 2026 12:55
…ions applied

Follow-up to PR #71. Regenerates docs/yarn.lock after adding resolutions
in docs/package.json for VM-1515224 (axios >=1.0.0) and VM-1568559
(@babel/plugin-transform-modules-systemjs >=7.29.4).

Resolved versions in docs/:
- axios: 1.16.0
- @babel/plugin-transform-modules-systemjs: 7.29.4
wait-on (used by Docusaurus) imports axios/lib/adapters/http internally,
which was removed in axios 1.x. Forcing axios >=1.0.0 in docs/ breaks the
build. Removing the resolution since the risk is low (build-time only, trusted
code). The axios fix in web/ via npm override remains intact and covers the
production surface. VM-1515224 partially mitigated in docs/.
…ibility

wait-on <7.x imports axios/lib/adapters/http internally, a path removed in
axios 1.x. Forcing wait-on >=7.0.0 (which already uses axios ^1.x natively)
alongside the existing axios >=1.0.0 resolution fixes the
ERR_PACKAGE_PATH_NOT_EXPORTED error in the docs CI build. Fully resolves
VM-1515224 in docs/.
wait-on 9.x requires Node >=20, but the docs CI (test-website.yml) runs on
Node 18, causing 'incompatible module' on yarn install. Narrowing the
resolution from >=7.0.0 to ^7.0.0 keeps the axios 1.x compatibility (wait-on
7.x was the first to drop the internal axios/lib/adapters/http import) while
staying within the engines range of the CI's Node version.
@Kess220 Kess220 merged commit 09c4c99 into main May 12, 2026
5 checks passed
@Kess220 Kess220 deleted the fix/VM-1568205-VM-1515224-VM-1568559-npm-vulnerabilities branch May 12, 2026 20:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants