Fix vulnerable transitive deps (rollup ^4.60.4 to avoid socket fix regression)#36
Merged
Address CVEs in 6 transitive deps without using `socket fix`:

- bn.js ^5.2.3 (GHSA-378v-28hj-76wf: infinite loop)
- fast-uri ^3.1.2 (high CVE via socket)
- lodash ^4.18.1 (high CVE via socket)
- picomatch ^4.0.4 (high CVE via socket)
- postcss ^8.5.10 (GHSA-qx2v-qp2m-jg93: XSS in stringify)
- rollup ^4.60.4 (high CVE via socket; resolves past 4.59.x chunk-assignment bugs that broke the prior `socket fix` deploy)

`socket fix` (PR #34) chose rollup 4.59.0 — the minimum CVE-safe version — but 4.59.x has chunk-assignment / chunk-hash-stability bugs that caused the staging-only continuous-reload regression. 4.60.4 fixes those (release notes: PRs #6362, #6350, etc.).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Deploying verify-sourcify-dev with

| Latest commit: | 4b646e6 |
| Status: | ✅ Deploy successful! |
| Preview URL: | https://ddef70e7.verify-sourcify-dev.pages.dev |
| Branch Preview URL: | https://fix-vulnerable-deps.verify-sourcify-dev.pages.dev |
kuzdogan
approved these changes
May 18, 2026
Summary

Re-applies the CVE fixes that PR #34 attempted via `socket fix`, but pins them through explicit `package.json` `overrides` and — crucially — bumps `rollup` past the `4.59.x` line that caused the continuous-reload regression on staging.

What changed in `package.json`

`npm audit` reports `found 0 vulnerabilities` after these overrides; Socket's `socket npm ci` runs clean too.

Why `socket fix` broke staging — root cause

`socket fix` bumps each flagged package to the minimum CVE-safe version. For `rollup`, that's `4.59.0` — and `4.59.0`/`4.59.1` have known bugs in chunk assignment and chunk-hash stability that were only fixed in the `4.60.x` line:

- `moduleSideEffects: false`

This explains "works locally, breaks on staging": Vite uses esbuild in dev mode (`npm run dev`) and only invokes rollup for the production build, so the buggy 4.59.0 output never ran locally.

Pinning `rollup ^4.60.4` clears the CVE and the regression in one move.

Why use `overrides` instead of `socket fix`

- `socket fix` leaves no record in `package.json` of why versions are pinned, so future renovate/lockfile-regenerations can silently undo the bump.
- `rollup@4.59.x`).
- `overrides` document intent and survive lockfile regenerations.

Test plan

- `npm audit` → 0 vulnerabilities
- `socket npm ci` succeeds (no risks flagged)
- `npm run build` succeeds against `.env.build.staging`

Pre-existing `tsc` error in `app/components/verification/ImportFromEtherscan.tsx:53` is present on `origin/staging` and unrelated to this PR (build pipeline doesn't run `tsc`, only `react-router build`).