security: remediate npm CVE findings (re-scan of synced fork) #2
gabehamilton wants to merge 1 commit into
Conversation
Re-scan of difflabai/ironclaw@main (now synced to nearai/ironclaw) found 26 findings. This clears all 13 npm findings (7 of 11 highs):
- react-router 7.9.1 -> ^7.15.0 (resolves 7.18.0): exact pin bumped within the same major; clears 6 highs + mediums.
- ws -> ^8.21.0, postcss -> ^8.5.10: transitive, forced via same-major overrides.
Cargo findings (pyo3, rustls-webpki, jsonwebtoken, libyml, tokio-tar, ...) need breaking 0.x bumps or have no published fix and are left for follow-up.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Code Review
This pull request updates dependencies across multiple packages, including upgrading react-router in the frontend static assets and adding dependency overrides for ws and postcss in the architecture video documentation package. The reviewer suggests pinning react-router to an exact version (7.18.0) in package.json instead of using a caret range to maintain consistency with other pinned dependencies and ensure deterministic builds.
| "react-dom": "19.1.0", | ||
| "react-hook-form": "7.62.0", | ||
| "react-router": "7.9.1" | ||
| "react-router": "^7.15.0" |
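Review bot: this hunk swaps the exact pin for a caret range (`^7.15.0`) while the neighbouring `react-dom` and `react-hook-form` entries stay exactly pinned, so what actually clears the react-router findings is the 7.18.0 resolved in the regenerated lockfile, not this line. Make sure the regenerated package-lock.json lands in the same commit and that CI installs with `npm ci` (which fails on a package.json/lockfile mismatch) rather than `npm install`; otherwise a later install can resolve a different 7.x than the one the scanner saw.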
To maintain consistency with the rest of the dependencies in this package.json (which are all strictly pinned to exact versions), please pin react-router to the exact version resolved in the lockfile (7.18.0) instead of using a caret range (^7.15.0). This ensures deterministic builds and prevents unexpected updates.
| "react-router": "^7.15.0" | |
| "react-router": "7.18.0" |
Security: dependency remediation (Vuln Ops Grade F — re-scan of synced fork)

Follow-up to the upstream sync (difflabai/ironclaw was fast-forwarded to nearai/ironclaw@main, which cleared the previous wasmtime critical). A fresh Vuln Ops Trivy re-scan of the synced tree (run dd8ced1d) found 26 findings (0 critical, 11 high). This PR clears the npm side minimally and safely.

Remediated — all 13 npm findings (7 of 11 highs)

Per-finding table (only the package column survived extraction): react-router (10 findings), ws (2), postcss (1).

How:
- react-router was an exact pin (7.9.1); bumped to ^7.15.0 (resolves to 7.18.0, same major) — clears all 6 react-router highs + mediums.
- ws (→ 8.21.0) and postcss (→ 8.5.15) are transitive, forced via same-major overrides (minor/patch, non-breaking).
- Lockfiles regenerated with npm install --package-lock-only / npm audit fix; no source changed.

Not remediated — cargo findings needing deliberate, build-verified work
Left for follow-up because each is a breaking bump or has no published fix (no lockfile-only path):
- jsonwebtoken 9.3.1 (medium, CVE-2026-25537) — needs 10.3.0 (breaking)
- libsql-sqlite3-parser 0.13.0 (low, CVE-2025-47736) — no published fix
- libyml 0.0.5 (high, GHSA-gfxp-f68g-8x78) — no published fix
- lru 0.12.5 (low, GHSA-rhfx-m35p-ff5j) — needs 0.16.3 (breaking)
- pyo3 0.28.3 (high, GHSA-36hh-v3qg-5jq4) — needs 0.29.0 (breaking)
- pyo3 0.28.3 (medium, GHSA-chgr-c6px-7xpp) — needs 0.29.0 (breaking)
- rand 0.8.5 (low, GHSA-cq8v-f236-94qc) — needs 0.8.6 (breaking)
- rustls-webpki 0.102.8 (high, GHSA-82j2-j2ch-gfr8) — needs 0.104.0-alpha.7 (breaking)
- rustls-webpki 0.102.8 (medium, GHSA-pwjx-qhcg-rvj4) — needs 0.104.0-alpha.5 (breaking)
- rustls-webpki 0.102.8 (low, GHSA-965h-392x-2mh5) — needs 0.104.0-alpha.6 (breaking)
- rustls-webpki 0.102.8 (low, GHSA-xgp8-3hg3-c2mh) — needs 0.104.0-alpha.6 (breaking)
- serde_yml 0.0.12 (medium, GHSA-hhw4-xg65-fp2x) — no published fix
- tokio-tar 0.3.1 (high, CVE-2025-62518) — no published fix

Notably tokio-tar (CVE-2025-62518) and libyml/serde_yml are effectively unmaintained — the real fix is migrating to maintained replacements (e.g. astral-tokio-tar), which is a code change, not a version bump.

🤖 Generated with Claude Code
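The "How:" section above relies on two things that package.json alone does not prove: that the same-major `overrides` for ws and postcss really forced every installed copy (including nested duplicates under other packages) to a patched version, and that the caret range for react-router resolved to the 7.18.0 the scanner saw. The following check is an added example, not code from this PR or the ironclaw project; it walks a package-lock.json (lockfileVersion 3 layout) and reports any installed copy below the floor each finding needs. The package.json and lockfile fragments are constructed inline, with one stale `ws` and one nested stale `postcss` planted so the failure path is visible; the floors are the versions quoted in the PR description.

```javascript
// Added example (not part of the PR): confirm that a package-lock.json actually
// resolves the versions a same-major `overrides` block is meant to force, so a
// caret range in package.json cannot quietly satisfy the scanner with an older
// install. Everything below is constructed sample data, not the repository's.

// The overrides shape is npm's real `overrides` key; floors come from the PR text.
const packageJson = {
  name: "example-app", // constructed
  dependencies: { "react-router": "^7.15.0", postcss: "^8.5.10" },
  overrides: { ws: "^8.21.0", postcss: "^8.5.10" },
};

// Constructed lockfile fragment (lockfileVersion 3: "packages" keyed by install path).
const packageLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: packageJson.dependencies },
    "node_modules/react-router": { version: "7.18.0" },
    "node_modules/postcss": { version: "8.5.15" },
    "node_modules/ws": { version: "8.18.0" }, // planted: below the floor
    "node_modules/vite/node_modules/postcss": { version: "8.4.31" }, // planted nested copy
  },
};

// Minimum patched version per finding (react-router, ws, postcss floors from the PR).
const minimums = { "react-router": "7.15.0", ws: "8.21.0", postcss: "8.5.10" };

// Numeric major.minor.patch; a pre-release suffix such as "-alpha.7" is dropped.
function parseVersion(v) {
  const [core] = v.split("-");
  return core.split(".").map(Number);
}

// Negative if a < b, zero if equal, positive if a > b (semver core only).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Lockfile keys look like "node_modules/a/node_modules/b"; the package name is
// whatever follows the last "node_modules/" (scoped names keep "@scope/").
function packageNameFromPath(path) {
  const idx = path.lastIndexOf("node_modules/");
  return idx === -1 ? null : path.slice(idx + "node_modules/".length);
}

// Every installed copy, nested ones included, whose version is below its floor.
// An empty array means the lockfile matches the intended remediation.
function findStaleCopies(lock, floors) {
  const stale = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    const name = packageNameFromPath(path);
    if (!name || !(name in floors) || !entry.version) continue;
    if (compareVersions(entry.version, floors[name]) < 0) {
      stale.push({ path, name, version: entry.version, required: floors[name] });
    }
  }
  return stale;
}

// Guard against a typo in the overrides key leaving a finding open: every
// overridden package must have a floor we check against.
function overridesWithoutFloor(pkg, floors) {
  return Object.keys(pkg.overrides || {}).filter((n) => !(n in floors));
}

const stale = findStaleCopies(packageLock, minimums);
for (const s of stale) {
  console.log(`STALE ${s.path}: ${s.version} < ${s.required}`);
}
if (stale.length === 0) console.log("lockfile satisfies all floors");
```

Run it against the real files by replacing the two constructed objects with `JSON.parse(fs.readFileSync(...))`; a non-empty result is the signal that an override did not reach a nested copy, which is exactly the case a per-package Trivy finding would keep reporting after the top-level version looks fixed.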