Skip to content

fix(deps): clear open Dependabot alerts (Go binary + docs); migrate docs to Yarn 4#518

Merged
oten91 merged 5 commits into
mainfrom
security/audit-critical-fixes
Jul 7, 2026
Merged

fix(deps): clear open Dependabot alerts (Go binary + docs); migrate docs to Yarn 4#518
oten91 merged 5 commits into
mainfrom
security/audit-critical-fixes

Conversation

@oten91

@oten91 oten91 commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Summary

Clears the open Dependabot alerts across the two affected manifests and migrates the docs workspace to Yarn 4 so its lockfile can carry pinned transitive versions deterministically. Rebased on main (picks up #517's ring-go hash-cache signing path).

Three commits:

  1. fix(deps) — Go modules (compiled gateway binary)

  2. fix(docs) — GitHub Pages url/baseUrl so assets load.

  3. fix(deps) — docusaurus npm alerts + Yarn 4 migration
    Clears 1 critical + 3 high + mediums/lows on docusaurus/yarn.lock (transitive docs-build tooling only — not in the production binary):

    • shell-quote 1.8.3 → 1.9.0 (CRITICAL)
    • ws <8.21 → 8.21.0 (HIGH)
    • undici 6.19.5 → 6.27.0 (HIGH)
    • qs, joi, launch-editor, serialize-javascript, http-proxy-middleware, dompurify, webpack-dev-server, uuid, js-yaml (4.1.0 → 4.3.0; the js-yaml 3.x consumer gray-matter lands on patched 3.15.0)

Yarn 4 migration (docs only)

The docs lockfile was Yarn Classic v1, which could not deterministically pin the transitive versions above. Migrated to Yarn 4 (Berry):

  • package.json: packageManager: yarn@4.13.0 + resolutions
  • .yarnrc.yml: nodeLinker: node-modules (Yarn 4 defaults to PnP, which Docusaurus does not support)
  • yarn.lock converted to Berry format (__metadata v8) — this is the large diff
  • .gitignore: ignore .yarn/* and .pnp.*
  • CI (upload-pages-artifact.yml): corepack enable before setup-node in both jobs — the runner's bundled Yarn is Classic and cannot read a Berry lockfile. Required, or the docs deploy breaks.

js-yaml is intentionally NOT globally forced to 4.x: gray-matter (a Docusaurus core dep) calls the removed js-yaml.safeLoad and requires the 3.x line.

Verification

  • go build ./... passes
  • yarn install + yarn build succeed; static site generates ([SUCCESS] Generated static files)
  • Forced majors (dompurify 2→3, webpack-dev-server 4→5, uuid→11) compile clean

Residual

  • @ai-sdk/provider-utils (low) — no patched release published upstream.
  • Note: the in-code SECURITY_AUDIT.md findings (C1–C7 etc.) are not addressed here — this PR is dependency alerts only.

🤖 Generated with Claude Code

oten91 and others added 5 commits July 7, 2026 23:16
Address open Dependabot alerts affecting the compiled binary:

- golang.org/x/net 0.52.0 -> 0.56.0 (GHSA-5cv4-jp36-h3mw, HTML parser DoS)
- github.com/ethereum/go-ethereum 1.16.9 -> 1.17.4 (indirect)
- github.com/opencontainers/runc 1.2.3 -> 1.3.6 (indirect; not linked
  into the binary, transitive build/test dep)

Also refreshes co-resolved modules (grpc, gjson, aws-sdk, x/crypto/sys/
text/term) and pins shannon-sdk to 4b210e0d (adds SignerContext ring
caching; retains SignWithRing so signer.go compiles unchanged).

portal-db TypeScript SDK: lockfile-only bump of js-yaml + minimatch
clears all 3 npm alerts there (3 -> 0).

Docusaurus transitive alerts handled separately.

go build ./... and go test ./... -short both pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The site deploys to https://pokt-network.github.io/path/ (project
Pages, no custom domain / CNAME configured), but the config declared
url=https://grove.city and baseUrl="/". With baseUrl "/", every asset
was emitted as /assets/... which resolves to the domain root on
github.io and 404s -> the site rendered unstyled/broken. It has been
misconfigured since the initial docs setup.

Point the config at the actual deploy target:
- url:     https://pokt-network.github.io
- baseUrl: /path/

Verified with a full `yarn build`: emitted HTML now references
/path/assets/... which returns 200 at the live URL.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Resolve all outstanding Dependabot alerts on docusaurus/yarn.lock
(1 critical, 3 high, plus mediums/lows) via a resolutions block, and
migrate the docs workspace from Yarn Classic (v1) to Yarn 4 (Berry) so
the lockfile can carry the pinned transitive versions deterministically.

Alerts cleared (transitive, docs build tooling only — not in the
production gateway binary):

- shell-quote 1.8.3 -> 1.9.0    (CRITICAL, GHSA-w7jw-789q-3m8p)
- ws          <8.21 -> 8.21.0   (HIGH, GHSA-96hv-2xvq-fx4p)
- undici    6.19.5 -> 6.27.0     (HIGH, GHSA-vxpw-j846-p89q)
- qs, joi, launch-editor, serialize-javascript, http-proxy-middleware,
  dompurify, webpack-dev-server, uuid, js-yaml (4.1.0 -> 4.3.0; 3.x
  consumer gray-matter lands on patched 3.15.0)

Yarn 4 migration:
- package.json: add packageManager + resolutions
- .yarnrc.yml: nodeLinker: node-modules (Yarn 4 defaults to PnP, which
  Docusaurus does not support)
- yarn.lock converted to Berry format (__metadata v8)
- .gitignore: ignore .yarn/* and .pnp.*
- CI (upload-pages-artifact.yml): `corepack enable` before setup-node in
  both jobs — the runner's bundled Yarn is Classic and cannot read a
  Berry lockfile.

js-yaml is intentionally NOT globally forced to 4.x: gray-matter (a
Docusaurus core dep) calls the removed js-yaml.safeLoad and requires the
3.x line, which resolves to the patched 3.15.0.

Verified: `yarn install` + `yarn build` succeed; static site generates.

Residual: @ai-sdk/provider-utils (low) has no patched release upstream.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The misspell check flagged 4 "optimise" (British spelling) hits inside
docusaurus/yarn.lock — third-party dependency metadata strings we don't
control and shouldn't spell-check. Exclude yarn.lock / package-lock.json.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@oten91 oten91 merged commit d90468a into main Jul 7, 2026
10 of 14 checks passed
@oten91 oten91 deleted the security/audit-critical-fixes branch July 7, 2026 21:53
oten91 added a commit that referenced this pull request Jul 7, 2026
## Summary

Follow-up to #518. That PR only pinned the ~13 packages visible on the
**first page** of the Dependabot API (the call was unpaginated,
30/page). A full paginated scan showed **48 open alerts**, all in
`docusaurus/yarn.lock` — 0 critical, docs build tooling only, **not in
the production gateway binary** (go.mod and portal-db are clean).

This clears the rest via `resolutions`.

## Approach

Multi-major packages (several majors coexist in the tree) use
**descriptor-scoped resolution keys** so each major is bumped to its own
patched line — a global override would force older-major consumers
across a major boundary and break them:

| package | fix |
|---------|-----|
| glob | 10.x → 10.5.0 (7.x untouched, not in vuln range) |
| minimatch | 3.x/5.x/9.x → 3.1.4 / 5.1.8 / 9.0.7 |
| ajv | 6.x/8.x → 6.14.0 / 8.18.0 |
| brace-expansion | 1.x/2.x → 1.1.13 / 2.0.3 |
| picomatch | 2.x → 2.3.2 (4.x safe) |
| mdast-util-to-hast | 13.x → 13.2.1 (12.x safe) |
| mermaid | 11.x → 11.15.0 |

Single-major globals: `lodash`, `lodash-es`, `immutable`, `svgo`,
`postcss`, `fast-uri`, `follow-redirects`, `diff`,
`@babel/plugin-transform-modules-systemjs`, `yaml`.

## Known residuals (all docs-only, documented in the commit)

- **mermaid 9.4.3 (HIGH)** — pulled by `remark-mermaid-plugin@1.0.2`,
imported in `src/components/RemoteMarkdown.jsx`. The plugin is abandoned
(last publish 2022, pinned to mermaid `^9.1.5`); forcing mermaid 10/11
under it risks breaking runtime diagram rendering (mermaid 10 = ESM +
API change). **Proper fix = rework `RemoteMarkdown` to drop the dead
plugin** — a separate, feature-level change. Low real exploitability:
client-side, author-controlled `src`.
- **webpack (LOW)** — the patched line (≥5.104) breaks docusaurus
3.9.1's ProgressPlugin schema. Pinned to the tested `5.99.9`. Clearing
it needs a docusaurus bump.
- **@ai-sdk/provider-utils (LOW)** — no upstream patch published.

## Verification

- `yarn install` + `yarn build` succeed; static site generates
- Every fixed package confirmed resolving to ≥ its patched version in
the lockfile

Net: 48 open → 3 residual (1 high needing a component rework, 2 low with
no clean fix).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant