# Dependabot Vulnerabilities Resolution Plan

## Current status (2026-04-09)

Remediation batch aligned with [DEPENDABOT\_ALERTS\_BASELINE\_2026-04-09.md](../archive/security/DEPENDABOT_ALERTS_BASELINE_2026-04-09.md) (archived snapshot):

* **Root:** `vite` bumped to **^8.0.5** (lockfile resolves e.g. 8.0.8); `defu` pinned via **`overrides.defu: ^6.1.5`**; `vite-plugin-pwa` override uses **`vite: ^8.0.5`**. `npm audit` → **0** vulnerabilities.
* **`packages/docs`:** `markdownlint-cli` bumped; **`overrides`** added/updated for lodash, lodash-es, node-forge, brace-expansion, serialize-javascript (≥7.0.5), smol-toml, express→path-to-regexp, picomatch (with `tinyglobby` nested for 4.x). `npm audit` in `packages/docs` → **0** vulnerabilities.
* **Verification:** `npm run typecheck` and `npm run build` succeed at repo root. Full `npm run validate` may still fail if Biome `format:check` has unrelated drift. Docusaurus `npm run build` may still fail on **pre-existing broken links** (see prior docs audit notes)—not introduced by dependency changes.
* **GitHub Dependabot alerts:** Re-check **after merge to default branch** with `gh api "/repos/OWNER/REPO/dependabot/alerts?state=open&per_page=100" --jq length` (expect **0** when GitHub rescans the default branch).
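The `overrides` entries above do the work `npm audit fix` cannot do on its own: when a parent package declares a range that excludes the patched line, only an override forces the resolution. The block below is an added example, not code from this plan or from the project, that writes those overrides as data (a nested entry applies only beneath the named parent) and walks a package-lock v3 `packages` map to confirm every installed copy of an overridden package actually satisfies its floor. Only `defu ^6.1.5` and `vite ^8.0.5` under `vite-plugin-pwa` come from the status above; the picomatch and tinyglobby floors, the `satisfiesCaret` helper and the lockfile contents are constructed assumptions for illustration.

```javascript
// Added example (not the project's code): model package.json `overrides`
// and verify a package-lock v3 `packages` map against them.
// Assumed values are marked; only defu and the nested vite floor come from
// the remediation status in this plan.
const OVERRIDES = {
  defu: "^6.1.5",                        // from the plan
  "vite-plugin-pwa": { vite: "^8.0.5" }, // from the plan; nested: only under vite-plugin-pwa
  picomatch: "^2.3.2",                   // ASSUMED floor for the 2.x line
  tinyglobby: { picomatch: "^4.0.3" },   // ASSUMED: tinyglobby needs the 4.x line
};

// Constructed lockfile excerpt (package-lock.json, lockfileVersion 3).
// The last entry is a deliberately stale nested copy the check should flag.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/defu": { version: "6.1.5" },
    "node_modules/vite": { version: "8.0.8" },
    "node_modules/vite-plugin-pwa": { version: "1.0.0" },
    "node_modules/picomatch": { version: "2.3.2" },
    "node_modules/tinyglobby": { version: "0.2.15" },
    "node_modules/tinyglobby/node_modules/picomatch": { version: "4.0.3" },
    "node_modules/some-tool/node_modules/picomatch": { version: "2.3.1" },
  },
};

function parseVersion(v) {
  // Drop a prerelease tag ("8.0.0-beta.1" -> 8.0.0) and split into numbers.
  return v.split("-")[0].split(".").map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Caret ranges only (the only form this plan uses): >= floor and same major,
// or same minor when the major is 0. Other range syntaxes are rejected.
function satisfiesCaret(version, range) {
  if (!range.startsWith("^")) throw new Error(`only caret ranges handled: ${range}`);
  const v = parseVersion(version);
  const f = parseVersion(range.slice(1));
  if (compareVersions(v, f) < 0) return false;
  return f[0] === 0 ? v[0] === 0 && v[1] === f[1] : v[0] === f[0];
}

// Pick the override that governs an installed path. Simplification: npm applies
// a nested override to the whole subtree beneath its key; here only the
// immediate parent directory is consulted, then the top-level override.
function applicableOverride(path, overrides) {
  const parts = path
    .split("node_modules/")
    .filter(Boolean)
    .map((s) => s.replace(/\/$/, ""));
  const name = parts[parts.length - 1];
  const parent = parts.length > 1 ? parts[parts.length - 2] : null;
  const nested = parent ? overrides[parent] : null;
  if (nested && typeof nested === "object" && nested[name]) return nested[name];
  const top = overrides[name];
  return typeof top === "string" ? top : null;
}

// Every installed path whose version does not satisfy its governing override.
// An empty result is the "lockfile resolves" check the status above relies on.
function lockfileViolations(lock, overrides) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (!path) continue; // "" is the root project entry
    const range = applicableOverride(path, overrides);
    if (range && !satisfiesCaret(entry.version, range)) {
      out.push(`${path}@${entry.version} !~ ${range}`);
    }
  }
  return out;
}

console.log(lockfileViolations(SAMPLE_LOCK, OVERRIDES));
```

Run it against the real file by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))` and `OVERRIDES` with the `overrides` object from `package.json`; a non-empty list means `npm install` did not honour an override and the lockfile should not be committed.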

***

**Historical snapshot — Date:** 2026-02-25\
**Status (historical):** In Progress\
**Total Vulnerabilities (historical):** 38 (Dependabot) / 4 (npm audit - unique vulnerabilities)

## Executive Summary

GitHub Dependabot has reported 38 vulnerabilities on the repository's default branch. The npm audit tool shows 4 unique vulnerabilities (2 high, 2 moderate) that need to be addressed. The discrepancy in numbers is because Dependabot counts each instance of a vulnerability across the dependency tree, while npm audit groups them by unique vulnerability.

## Vulnerabilities Identified

### High Severity (2 unique, multiple instances)

#### 1. jsPDF (Direct Dependency)

* **Current Version:** 4.1.0
* **Required Version:** ≥4.2.0
* **Vulnerabilities:**
  * GHSA-p5xg-68wr-hm3m: PDF Injection in AcroForm module allows Arbitrary JavaScript Execution
  * GHSA-9vjf-qc39-jprp: PDF Object Injection via Unsanitized Input in addJS Method
  * GHSA-67pg-wm7f-q7fj: Client-Side/Server-Side Denial of Service via Malicious GIF Dimensions
* **CVSS Score:** 8.1 (High)
* **Fix:** Update `jspdf` in `package.json` from `^4.0.0` to `^4.2.0`

#### 2. minimatch (Transitive Dependencies)

* **Affected Versions:** ≤3.1.2 || 5.0.0-5.1.6 || 9.0.0-9.0.5 || 10.0.0-10.2.0
* **Required Versions:** ≥3.1.3 || ≥5.1.7 || ≥9.0.6 || ≥10.2.1
* **Vulnerability:** GHSA-3ppc-4f35-3m26: ReDoS via repeated wildcards with non-matching literal in pattern
* **Instances Found:**
  * minimatch\@3.1.2 (multiple instances via eslint, glob, @eslint/eslintrc, etc.)
  * minimatch\@5.1.6 (via filelist, readdir-glob)
  * minimatch\@9.0.5 (via @typescript-eslint/typescript-estree, @sentry/bundler-plugin-core)
  * minimatch\@10.1.1 (via glob)
* **Fix:** Run `npm audit fix` to update transitive dependencies

### Moderate Severity (2 unique, multiple instances)

#### 3. ajv (Transitive Dependencies)

* **Affected Versions:** \<6.14.0 || ≥7.0.0-alpha.0 \<8.18.0
* **Required Versions:** ≥6.14.0 || ≥8.18.0
* **Vulnerability:** GHSA-2g4f-4pwh-qvx6: ReDoS when using `$data` option
* **Instances Found:**
  * ajv\@6.12.6 (via @eslint/eslintrc, eslint)
  * ajv\@8.17.1 (via workbox-build)
* **Fix:** Run `npm audit fix` to update transitive dependencies

#### 4. markdown-it (Transitive Dependency)

* **Current Version:** 14.1.0
* **Required Version:** ≥14.1.1
* **Vulnerability:** GHSA-38c4-r59v-3vqw: Regular Expression Denial of Service (ReDoS)
* **CVSS Score:** 5.3 (Moderate)
* **Dependency Path:** prosemirror-markdown → markdown-it
* **Fix:** Run `npm audit fix` to update transitive dependency

## Resolution Plan

### Phase 1: Direct Dependency Updates (Manual)

1. **Update jsPDF**
   ```bash
   npm install jspdf@^4.2.0
   ```
   * This is a direct dependency, so manual update is required
   * Verify no breaking changes in jsPDF 4.2.0 release notes
   * Test PDF generation functionality after update

### Phase 2: Transitive Dependency Updates (Automated)

2. **Run npm audit fix**
   ```bash
   npm audit fix
   ```
   * This updates vulnerable transitive dependencies, but only to versions that still satisfy the ranges their parent packages declare; it will not cross a major version without `--force`, which can introduce breaking changes
   * Expected to move minimatch, ajv, and markdown-it to the patched versions listed above
   * Where a parent still pins an unpatched line, add an `overrides` entry in `package.json` (the approach used in the 2026-04-09 batch) rather than forcing
   * May add new packages (balanced-match, brace-expansion) as dependencies

3. **Verify fixes applied**
   ```bash
   npm audit
   ```
   * Should show 0 vulnerabilities after fixes
   * If vulnerabilities remain, document which ones and why

### Phase 3: Testing & Validation

4. **Run full test suite**
   ```bash
   npm run validate
   ```
   * Ensures no breaking changes from dependency updates
   * Includes format check, typecheck, lint, and build

5. **Run unit and integration tests**
   ```bash
   npm run test
   npm run test:integration
   ```

6. **Test PDF generation functionality**
   * Verify jsPDF 4.2.0 works correctly with existing code
   * Test form-to-PDF features (if applicable)
   * Check for any API changes in jsPDF

7. **Run E2E smoke tests**
   ```bash
   npm run test:e2e:smoke
   ```

### Phase 4: Documentation & Monitoring

8. **Update package-lock.json**
   * Ensure `package-lock.json` is committed with updates
   * Verify all changes are tracked in git

9. **Monitor for new vulnerabilities**
   * Ensure Dependabot alerts are enabled: see [DEPENDABOT\_SETUP.md](DEPENDABOT_SETUP.md).
   * This repo uses [.github/dependabot.yml](../../.github/dependabot.yml) for version and security update PRs.
   * Consider adding `npm audit` to CI pipeline as a check.

## Implementation Steps

### Step 1: Create feature branch

```bash
git checkout -b cursor/dependabot-vulnerabilities-review-ad2a
```

### Step 2: Update jsPDF (Direct dependency)

```bash
npm install jspdf@^4.2.0
```

### Step 3: Run automated fixes

```bash
npm audit fix
```

### Step 4: Verify no remaining vulnerabilities

```bash
npm audit
```

### Step 5: Test the application

```bash
npm run validate
npm run test
npm run test:integration
```

### Step 6: Commit changes

```bash
git add package.json package-lock.json
git commit -m "security: fix Dependabot vulnerabilities

- Update jspdf 4.1.0 → 4.2.0 (fixes 3 high severity PDF injection vulnerabilities)
- Update minimatch to secure versions (fixes ReDoS vulnerabilities)
- Update ajv to secure versions (fixes ReDoS vulnerability)
- Update markdown-it 14.1.0 → 14.1.1 (fixes ReDoS vulnerability)

Resolves 38 Dependabot alerts (4 unique vulnerabilities)"
```

### Step 7: Push and create PR

```bash
git push -u origin cursor/dependabot-vulnerabilities-review-ad2a
```

## Risk Assessment

### Low Risk

* **ajv, markdown-it, minimatch updates:** These are transitive dependencies with patch/minor version updates. Low risk of breaking changes.

### Medium Risk

* **jsPDF 4.1.0 → 4.2.0:** Minor version update (semver-compatible, not a patch), but PDF generation is critical functionality. Requires thorough testing, including the AcroForm and `addJS` paths named in the advisories.

### Mitigation

* All updates are patch/minor versions (semver compatible)
* Run full test suite before merging
* Test PDF generation functionality specifically
* Monitor for any runtime issues after deployment

## Verification Checklist

* [ ] jsPDF updated to ≥4.2.0
* [ ] `npm audit` shows 0 vulnerabilities
* [ ] All tests pass (`npm run validate`)
* [ ] Unit tests pass
* [ ] Integration tests pass
* [ ] E2E smoke tests pass
* [ ] PDF generation tested and working
* [ ] No breaking changes identified
* [ ] package-lock.json committed
* [ ] Changes reviewed and approved

## Long-term Recommendations

1. **Add npm audit to CI pipeline**
   * Add `npm audit --audit-level=high` as a CI check so the build fails on high/critical vulnerabilities (`--audit-level=moderate` also fails on moderate ones, matching the 0-vulnerability target above)
   * Run it in every workspace that has its own lockfile (root and `packages/docs`), since `npm audit` only inspects the tree it is run in

2. **Enable Dependabot version and security updates**
   * This repo uses [.github/dependabot.yml](../../.github/dependabot.yml) for weekly version updates and security update PRs.
   * Enable **Dependabot alerts** and **Dependabot security updates** in GitHub: Repo **Settings** → **Security** → **Code security and analysis**. See [DEPENDABOT\_SETUP.md](DEPENDABOT_SETUP.md).
   * Review and merge security updates promptly.

3. **Regular dependency audits**
   * Schedule monthly dependency reviews
   * Use `npm outdated` to identify stale dependencies

4. **Dependency pinning strategy**
   * Consider pinning critical dependencies to exact versions
   * Use `npm audit fix` regularly in development workflow
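The Executive Summary explains the 38-versus-4 gap as instances versus unique advisories, and recommendation 1 above asks for a severity gate in CI. The block below is an added example, not code from this plan or from the project, that does both over `npm audit --json` output: it deduplicates advisories by their GHSA URL, counts installed copies of the packages those advisories name, and returns the exit status a gate at a given `--audit-level` would produce. The report object is constructed by hand in the shape npm 10 emits (`vulnerabilities` keyed by package, each with a `via` list of advisory objects or package names and a `nodes` list of installed paths); the GHSA identifiers are the ones this plan lists, but the instance paths and counts are illustrative, not the real report.

```javascript
// Added example (not the project's code): triage `npm audit --json` output.
// SAMPLE_AUDIT is constructed; in practice read it with
//   JSON.parse(require("child_process").execSync("npm audit --json", { encoding: "utf8" }))
// (wrap in try/catch: npm audit exits non-zero when it finds anything).
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    jspdf: {
      name: "jspdf", severity: "high", isDirect: true,
      via: [
        { source: 1, name: "jspdf", title: "PDF Injection in AcroForm module", severity: "high",
          url: "https://github.com/advisories/GHSA-p5xg-68wr-hm3m", range: "<4.2.0" },
        { source: 2, name: "jspdf", title: "PDF Object Injection via addJS", severity: "high",
          url: "https://github.com/advisories/GHSA-9vjf-qc39-jprp", range: "<4.2.0" },
      ],
      effects: [], range: "<4.2.0", nodes: ["node_modules/jspdf"], fixAvailable: true,
    },
    minimatch: {
      name: "minimatch", severity: "high", isDirect: false,
      via: [
        { source: 3, name: "minimatch", title: "ReDoS via repeated wildcards", severity: "high",
          url: "https://github.com/advisories/GHSA-3ppc-4f35-3m26", range: "<=3.1.2 || 5.0.0 - 5.1.6" },
      ],
      effects: ["eslint", "glob"], range: "<=3.1.2 || 5.0.0 - 5.1.6",
      nodes: [ // three installed copies, one advisory: this is the instance/advisory gap
        "node_modules/minimatch",
        "node_modules/glob/node_modules/minimatch",
        "node_modules/eslint/node_modules/minimatch",
      ],
      fixAvailable: true,
    },
    eslint: {
      name: "eslint", severity: "high", isDirect: true,
      via: ["minimatch", "ajv"], // string entries: vulnerable only through a dependency
      effects: [], range: "*", nodes: ["node_modules/eslint"], fixAvailable: true,
    },
    ajv: {
      name: "ajv", severity: "moderate", isDirect: false,
      via: [
        { source: 4, name: "ajv", title: "ReDoS when using $data option", severity: "moderate",
          url: "https://github.com/advisories/GHSA-2g4f-4pwh-qvx6", range: "<6.14.0" },
      ],
      effects: ["eslint"], range: "<6.14.0", nodes: ["node_modules/ajv"], fixAvailable: true,
    },
  },
};

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Unique advisories, keyed by advisory URL. Only object entries in `via` are
// advisories; string entries merely point at another vulnerable package.
function uniqueAdvisories(report) {
  const byUrl = new Map();
  for (const vuln of Object.values(report.vulnerabilities)) {
    for (const via of vuln.via) {
      if (typeof via === "object" && via.url && !byUrl.has(via.url)) {
        byUrl.set(via.url, { url: via.url, severity: via.severity, package: via.name, title: via.title });
      }
    }
  }
  return [...byUrl.values()];
}

// Installed copies of packages that are themselves an advisory's subject.
// Packages vulnerable only via a dependency (all-string `via`) are not counted,
// so this is closer to the per-copy figure Dependabot reports than npm's count.
function vulnerableInstances(report) {
  let n = 0;
  for (const vuln of Object.values(report.vulnerabilities)) {
    if (vuln.via.some((v) => typeof v === "object")) n += vuln.nodes.length;
  }
  return n;
}

// Exit status of a gate at `--audit-level=<level>`: 1 if any advisory is at or
// above the threshold, else 0. Unknown levels are an error, not a silent pass.
function auditExitCode(report, level) {
  if (!(level in SEVERITY_RANK)) throw new Error(`unknown audit level: ${level}`);
  const worst = Math.max(-1, ...uniqueAdvisories(report).map((a) => SEVERITY_RANK[a.severity]));
  return worst >= SEVERITY_RANK[level] ? 1 : 0;
}

console.log(`unique advisories: ${uniqueAdvisories(SAMPLE_AUDIT).length}`);
console.log(`installed vulnerable copies: ${vulnerableInstances(SAMPLE_AUDIT)}`);
console.log(`gate at high: exit ${auditExitCode(SAMPLE_AUDIT, "high")}`);
```

On the constructed report the script finds 4 unique advisories but 5 installed copies, which is the same shape of discrepancy the summary describes for the real 38-versus-4 numbers; the `auditExitCode` result is what a CI step should use to pass or fail the build.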

## References

* [jsPDF Security Advisories](https://github.com/advisories?query=jsPDF)
* [npm audit documentation](https://docs.npmjs.com/cli/v10/commands/npm-audit)
* [Dependabot documentation](https://docs.github.com/en/code-security/dependabot)
* [GitHub Security Advisories](https://github.com/advisories)

## Notes

* The 38 vulnerabilities reported by Dependabot represent multiple instances of the same 4 unique vulnerabilities across the dependency tree
* All vulnerabilities have fixes available via `npm audit fix` or manual package updates
* No critical severity vulnerabilities were found
* All fixes are backward-compatible (patch/minor updates)
