CMT-2285: add security audit report and update package dependencies#311

Open
EvgeniiStepanishin wants to merge 1 commit into main from CMT-2285-security-audit

Conversation

@EvgeniiStepanishin EvgeniiStepanishin commented Jun 10, 2026


Description

Ticket

Security audit of @staffbase/plugins-client-sdk dependency tree and remediation of all reported advisories via Yarn resolutions. Adds a SECURITY_AUDIT.md report documenting every advisory, its path, and the decision taken.

All 54 findings (4 High, 36 Moderate, 14 Low) were in devDependencies (build, test, and docs tooling) and all transitive. Runtime deps (loglevel, object.entries-ponyfill) had no advisories, and the published package ships only pre-built dist/, so none of these reach SDK consumers. Post-fix yarn audit reports 0 issues.

Related Issue

Motivation and Context

yarn audit surfaced 12 unique advisories across the dev toolchain (babel, rollup plugins, eslint, commitlint, jsdoc, jest tooling). Several are High severity (e.g. CVE-2026-44728 arbitrary code execution in @babel/plugin-transform-modules-systemjs, RCE in serialize-javascript). Pinning patched transitive versions removes the noise and keeps the build chain clean.

One nuance: the ajv fix had to be scoped to eslint/@eslint/eslintrc only. A global ajv resolution forced commitlint's @commitlint/config-validator (which needs ajv v8) down to v6, breaking the addKeyword API and the commit-msg hook. Scoping keeps eslint on patched ajv v6.15.0 while commitlint stays on ajv v8.20.0.

How Has This Been Tested?

  • yarn install resolves cleanly with split ajv versions (6.15.0 for eslint, 8.20.0 for commitlint)
  • yarn audit reports 0 vulnerabilities (was 54)
  • commitlint runs successfully again (commit-msg hook passes)
  • yarn lint / yarn size-limit verified working with bumped esbuild

Screenshots (if appropriate):

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have read the CONTRIBUTING part in the readme.
  • I have added tests to cover my changes.
  • All new and existing tests passed.

Test plan:
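The scoped Yarn resolution the description refers to, written out here as an added illustration rather than the PR's own package.json change: ajv is pinned to the patched v6 line only beneath eslint and @eslint/eslintrc (versions as stated above), so @commitlint/config-validator keeps its own ajv v8; the other two pins are package-wide, and their patched versions are placeholders because the page does not state them.

```json
{
  "resolutions": {
    "eslint/ajv": "6.15.0",
    "@eslint/eslintrc/ajv": "6.15.0",
    "serialize-javascript": "<patched version, not stated on this page>",
    "@babel/plugin-transform-modules-systemjs": "<patched version, not stated on this page>"
  }
}
```

After `yarn install`, `yarn why ajv` should show 6.15.0 under eslint and 8.20.0 under @commitlint/config-validator, and `yarn audit` should report no remaining issues.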

@github-actions


size-limit report 📦

Path Size
src/main.js 6.71 KB (0%)

@EvgeniiStepanishin EvgeniiStepanishin marked this pull request as ready for review June 11, 2026 06:59
@EvgeniiStepanishin EvgeniiStepanishin requested a review from a team as a code owner June 11, 2026 06:59