79 changes: 79 additions & 0 deletions docs/adr/2026-02-17-fix-critical-vulnerabilities.md
@@ -0,0 +1,79 @@
# Critical Vulnerabilities Mitigation Log

This document lists all **critical severity vulnerabilities** in the project and the steps taken to mitigate them.

---

## 1. Remote Code Execution in `simple-git`

- **Package:** simple-git
- **Current Version:** <3.16.0
- **Patched Version:** >=3.16.0
- **Dependency Path:** react-floki > lint-staged > g-status > simple-git
- **CVE / Advisory:** [NPM Advisory 1103707](https://www.npmjs.com/advisories/1103707)
- **Description:** Remote Code Execution (RCE) vulnerability allowing malicious commands to execute if untrusted input reaches `simple-git`.
- **Mitigation:** Upgrade `simple-git` to version >=3.16.0 via Yarn resolutions or direct dependency update.

---

## 2. Prototype Pollution in `property-expr`

- **Package:** property-expr
- **Current Version:** <2.0.3
- **Patched Version:** >=2.0.3
- **Dependency Path:** react-floki > lint-staged > yup > property-expr
- **CVE / Advisory:** [NPM Advisory 1089042](https://www.npmjs.com/advisories/1089042)
- **Description:** Prototype pollution vulnerability allowing attackers to modify object prototypes, potentially leading to arbitrary code execution.
- **Mitigation:** Upgrade `property-expr` to version >=2.0.3 via Yarn resolutions.

---

## 3. Prototype Pollution in `minimist`

- **Package:** minimist
- **Current Version:** <1.2.6
- **Patched Version:** >=1.2.6
- **Dependency Path:** react-floki > minimist
- **CVE / Advisory:** [NPM Advisory 1097678](https://www.npmjs.com/advisories/1097678)
- **Description:** Prototype pollution vulnerability in argument parsing. May allow attackers to override object properties.
- **Mitigation:** Upgrade `minimist` to version >=1.2.6 via Yarn resolutions.

---

## 4. Unsafe Random Function in `form-data` (coveralls path)

- **Package:** form-data
- **Current Version:** <2.5.4
- **Patched Version:** >=2.5.4
- **Dependency Path:** coveralls > request > form-data
- **CVE / Advisory:** [NPM Advisory 1109540](https://www.npmjs.com/advisories/1109540)
- **Description:** `form-data` uses an unsafe random function for generating multipart boundaries, potentially allowing collisions or predictable boundaries.
- **Mitigation:** Upgrade `form-data` to version >=2.5.4 via Yarn resolutions.

---

## 5. Unsafe Random Function in `form-data` (react-floki path)

- **Package:** form-data
- **Current Version:** <2.5.4
- **Patched Version:** >=2.5.4
- **Dependency Path:** react-floki > coveralls > request > form-data
- **CVE / Advisory:** [NPM Advisory 1109540](https://www.npmjs.com/advisories/1109540)
- **Description:** Same as above; appears via a different dependency path.
- **Mitigation:** Upgrade `form-data` to version >=2.5.4 via Yarn resolutions.

---

## Summary of Actions

- Added **Yarn resolutions** for all critical packages:

```json
{
"resolutions": {
"simple-git": ">=3.16.0",
"property-expr": ">=2.0.3",
"minimist": ">=1.2.6",
"form-data": ">=2.5.4"
}
}
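Review bot: The ```json fence opened under "Summary of Actions" is never closed and the list stops after its first bullet, so the file ends mid-section; close the fence and finish the summary. The four resolutions shown here also do not match the resolutions block package.json gains in this PR, which additionally pins `next`, `json`, `braces`, `cross-spawn` and `qs`; either document those entries and their advisories in this log or drop them from package.json so the record stays accurate. Two smaller points: the "Current Version" field actually holds the vulnerable range (e.g. `<3.16.0`), so label it "Vulnerable range"; and entries 4 and 5 are the same advisory reached by two paths and could be one entry listing both paths. Finally, a Yarn resolution only takes effect once yarn.lock is regenerated, and this PR's file list shows no yarn.lock change, so the mitigation is not yet applied for anyone installing with a frozen lockfile.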
21 changes: 17 additions & 4 deletions package.json
@@ -47,13 +47,14 @@
"@formatjs/intl-utils": "^3.8.4",
"@webcomponents/shadydom": "^1.11.0",
"antd": "^5.20.5",
"apisauce": "^2.1.6",
"apisauce": "^3.2.2",
"axios": "^1.13.5",
"env-cmd": "^10.1.0",
"hoist-non-react-statics": "^3.3.2",
"immer": "^9.0.21",
"invariant": "^2.2.4",
"lodash": "^4.17.21",
"next": "14.2.8",
"next": "14.2.35",
"next-images": "^1.8.5",
"next-redux-wrapper": "^8.1.0",
"prop-types": "^15.8.1",
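Review bot: `apisauce` moves from ^2.1.6 to ^3.2.2, a major version bump that is neither one of the five critical advisories in the mitigation log nor explained anywhere in this PR; a major upgrade of the HTTP client wrapper can change runtime behaviour, so either justify it in the ADR or split it into its own PR. The `next` bump to 14.2.35 stays on the 14.2 line, which is the right call for a security-only change, but note that it is overridden by the `"next": ">=15.0.8"` resolution added further down in this file.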
@@ -68,6 +69,7 @@
"styled-components": "^6.1.13"
},
"devDependencies": {
"coveralls": "^3.1.1",
"@babel/core": "7.25.2",
"@babel/preset-env": "^7.25.4",
"@babel/preset-react": "^7.24.7",
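Review bot: `"coveralls": "^3.1.1"` is inserted ahead of `@babel/core`, breaking the alphabetical ordering the rest of devDependencies follows; move it to its sorted position. More importantly, the mitigation log names `coveralls > request > form-data` as the path that brings in the vulnerable `form-data`, so adding coveralls as a direct devDependency keeps that chain in the tree and relies on the resolution alone to neutralise it; state in the ADR why coveralls is being added here rather than removed.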
@@ -87,7 +89,7 @@
"babel-jest": "^29.7.0",
"babel-plugin-styled-components": "^2.1.4",
"eslint": "^9.9.1",
"eslint-config-next": "14.2.8",
"eslint-config-next": "^16.1.6",
"eslint-config-prettier": "^9.1.0",
"eslint-config-prettier-standard": "^4.0.1",
"eslint-config-standard": "^17.1.0",
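Review bot: `eslint-config-next` jumps from 14.2.8 to ^16.1.6 while `next` is pinned at 14.2.35 a few lines above; the config package is released in lockstep with Next.js and its rules and peer expectations are tied to the matching major, so keep it on the same version line as `next` (14.2.x here) or bump both together in a separate PR.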
@@ -103,7 +105,7 @@
"jest-cli": "29.7.0",
"jest-environment-jsdom": "^29.7.0",
"jest-styled-components": "^7.2.0",
"lint-staged": "^15.2.10",
"lint-staged": "^16.2.7",
"next-transpile-modules": "^10.0.1",
"postcss": "8.4.45",
"postcss-scss": "4.0.9",
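Review bot: `lint-staged` goes from ^15.2.10 to ^16.2.7, another undocumented major bump. The mitigation log attributes the `simple-git` advisory to the `react-floki > lint-staged > g-status > simple-git` path, i.e. the copy of lint-staged pulled in by react-floki, not this direct devDependency, so this bump does not address that finding on its own; state the reason for the bump in the ADR and check the lint-staged 16 changelog for Node engine and configuration changes before merging.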
@@ -118,5 +120,16 @@
"stylelint-config-recommended": "^14.0.1",
"stylelint-config-standard-scss": "^13.1.0",
"stylelint-config-styled-components": "^0.1.1"
},
"resolutions": {
"simple-git": ">=3.16.0",
"property-expr": ">=2.0.3",
"minimist": ">=1.2.6",
"form-data": ">=2.5.4",
"next": ">=15.0.8",

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

```shell
cat -n package.json | sed -n '50,60p; 120,135p'
```

Repository: wednesday-solutions/nextjs-template

Length of output: 986


🌐 Web query:

Next.js 15 breaking changes from Next.js 14

💡 Result:

Key breaking changes in Next.js 15 vs 14 (per the official upgrade guide / release notes):

  • React 19 is now required (minimum react + react-dom is 19). Also note React 19 form-hook API shifts (e.g., useFormState → useActionState). [1]
  • Async Request APIs (Dynamic APIs) are now async: you must await cookies(), headers(), draftMode(), and also params / searchParams in the listed App Router entry points (e.g., page.js, layout.js, route handlers, metadata image routes). [1][2]
  • runtime: 'experimental-edge' now errors; use runtime: 'edge' instead. [1]
  • Caching behavior changed (opt-in caching):
    • fetch() is no longer cached by default (explicitly set cache: 'force-cache' or export const fetchCache = 'default-cache'). [1]
    • GET Route Handlers are no longer cached by default (opt into caching via route config like export const dynamic = 'force-static'). [1]
    • Client-side navigation: page segments are no longer reused from the client-side router cache by default (opt in via staleTimes). [1]
  • @next/font package removed; migrate imports to built-in next/font. [1]
  • Config renames (experimental → stable):
    • experimental.bundlePagesExternals → bundlePagesRouterDependencies. [1]
    • experimental.serverComponentsExternalPackages → serverExternalPackages. [1]
  • Vercel Speed Insights auto-instrumentation removed (you must integrate separately if you use it). [1]
  • NextRequest.geo and NextRequest.ip removed (use hosting-provider equivalents; Vercel suggests @vercel/functions). [1]

Sources:
[1] Next.js “Upgrading: Version 15” guide (last updated Feb 11, 2026)
[2] Next.js “Next.js 15” release post (Async Request APIs breaking change)


🏁 Script executed:

```shell
#!/bin/bash
# Check if these specific versions exist in npm registry
# Query npm for next.js 14.2.35 and other versions
npm view next@14.2.35 version 2>/dev/null || echo "next@14.2.35 NOT FOUND"
npm view next@15.0.8 version 2>/dev/null || echo "next@15.0.8 NOT FOUND"
npm view json@10.0.0 version 2>/dev/null || echo "json@10.0.0 NOT FOUND"
npm view lint-staged@16.2.7 version 2>/dev/null || echo "lint-staged@16.2.7 NOT FOUND"
npm view eslint-config-next@16.1.6 version 2>/dev/null || echo "eslint-config-next@16.1.6 NOT FOUND"
```

Repository: wednesday-solutions/nextjs-template

Length of output: 114


🌐 Web query:

npm package "json" 10.0.0 what is this package

💡 Result:

json@10.0.0 is a command-line tool (and optional Node module) for working with JSON—pretty-printing, extracting values (e.g. json foo.bar), filtering/editing JSON via expressions (-e, -c), streaming mode, validation, and in-place file editing. It’s implemented as a single-file Node.js script with no external dependencies (beyond Node itself). [1]

Security note: versions < 11.0.0 are reported vulnerable to arbitrary code injection via the -d argument; upgrading to 11.0.0+ is recommended. [2]

Sources: [1] npm package page for json@10.0.0 https://www.npmjs.com/package/json/v/10.0.0, [2] Snyk advisory page for json@10.0.0 https://security.snyk.io/package/npm/json/10.0.0


next resolution >=15.0.8 conflicts with the next dependency pinned at 14.2.35 (line 57).

Yarn resolutions override all dependency versions globally. This forces a major version upgrade to Next.js 15, which introduces significant breaking changes: React 19 becomes required, async Request APIs (cookies(), headers(), params, searchParams) must now be awaited throughout the codebase, fetch() and GET Route Handlers are no longer cached by default, and several APIs (@next/font, NextRequest.geo, NextRequest.ip) are removed. This contradicts the PR's goal of patching critical vulnerabilities without breaking changes.

Additionally, the json resolution at line 130 pins to >=10.0.0, but versions below 11.0.0 are vulnerable to arbitrary code injection. Update to ">=11.0.0" to actually fix the vulnerability.

Finally, lines 129–133 use 2-space indentation while lines 125–128 use 4-space indentation. Standardize to 4 spaces for consistency.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package.json` at line 129, The resolutions block is forcing Next.js >=15.0.8
which conflicts with the pinned dependency next: "14.2.35" and would cause a
breaking major upgrade; change the resolutions entry for "next" to match the
pinned version (or remove the resolution so the declared dependency "next" at
14.2.35 is used) and ensure you reference the resolutions key for "next"
(resolutions.next); also update the "json" resolution from ">=10.0.0" to
">=11.0.0" (resolutions.json) to actually mitigate the vulnerability; finally
normalize indentation in the resolutions block to 4 spaces for lines currently
using 2-space indentation so the file style is consistent.

"json": ">=10.0.0",

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

```shell
cd . && find . -name 'yarn.lock' -o -name 'package.json' | head -20
```

Repository: wednesday-solutions/nextjs-template

Length of output: 105


🏁 Script executed:

```shell
cat -n package.json | sed -n '120,140p'
```

Repository: wednesday-solutions/nextjs-template

Length of output: 598


🏁 Script executed:

```shell
if [ -f yarn.lock ]; then grep -A 2 -B 2 '"json@' yarn.lock | head -30; fi
```

Repository: wednesday-solutions/nextjs-template

Length of output: 61


🏁 Script executed:

```shell
grep -i '"json' yarn.lock | head -20
```

Repository: wednesday-solutions/nextjs-template

Length of output: 61


🏁 Script executed:

```shell
cat -n package.json | sed -n '1,123p' | grep -i json
```

Repository: wednesday-solutions/nextjs-template

Length of output: 101


🏁 Script executed:

```shell
# Check package.json for direct "json" dependency
cat package.json | jq '.dependencies.json, .devDependencies.json, .peerDependencies.json' 2>/dev/null || echo "Check manually"
```

Repository: wednesday-solutions/nextjs-template

Length of output: 93


🏁 Script executed:

```shell
# Check if there are any other json-like packages in yarn.lock
grep -o '"[^"]*json[^"]*@' yarn.lock | sort -u | head -20
```

Repository: wednesday-solutions/nextjs-template

Length of output: 209


🏁 Script executed:

```shell
# Check the complete resolutions section and look for context
cat -n package.json | sed -n '124,135p'
```

Repository: wednesday-solutions/nextjs-template

Length of output: 418


Remove the orphaned "json": ">=10.0.0" resolution — it has no effect.

No dependency in yarn.lock actually pulls in a package named json, and no direct dependency on json exists in package.json. This resolution is unused and won't affect the lock file. If this was meant to address a vulnerability in a transitive dependency, that dependency may no longer exist. If it was intended for a different package (e.g., json5), the name is incorrect. Either remove it or clarify its purpose.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package.json` at line 130, Remove the orphaned resolution entry "json":
">=10.0.0" from the package.json resolutions block (or replace it with the
correct package name if you intended to target a different package such as
"json5"); specifically delete the line containing "json": ">=10.0.0" (or update
the key to the intended package) so the resolutions object no longer contains an
unused/incorrect entry.

"braces": ">=3.0.3",
"cross-spawn": ">=6.0.6",
"qs": ">=6.14.1"
}
Comment on lines +124 to 134

⚠️ Potential issue | 🟡 Minor

Inconsistent indentation in the resolutions block.

Lines 125–128 use 4-space indentation, while lines 129–133 drop to 2-space indentation. This is cosmetically inconsistent and suggests a merge or copy-paste error. It also correlates with the entries that look like scope creep (the non-critical-vuln resolutions).

Proposed fix
```diff
   "resolutions": {
     "simple-git": ">=3.16.0",
     "property-expr": ">=2.0.3",
     "minimist": ">=1.2.6",
     "form-data": ">=2.5.4",
-  "next": ">=15.0.8",
-  "json": ">=10.0.0",
-  "braces": ">=3.0.3",
-  "cross-spawn": ">=6.0.6",
-  "qs": ">=6.14.1"
+    "next": ">=15.0.8",
+    "json": ">=10.0.0",
+    "braces": ">=3.0.3",
+    "cross-spawn": ">=6.0.6",
+    "qs": ">=6.14.1"
   }
```
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 124 - 134, In the package.json "resolutions" block
there is inconsistent indentation and a stray trailing comma after the
"form-data" entry; normalize the block to use consistent 2-space indentation for
all keys (e.g., "simple-git", "property-expr", "minimist", "form-data", "next",
"json", "braces", "cross-spawn", "qs") and remove the trailing comma after the
"form-data" value so the JSON is valid and styling is consistent.

}
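Review bot: Beyond the `next` conflict, orphaned `json` entry and indentation already raised above, every resolution in this block is an open-ended `>=` range, which lets Yarn pick the newest published version, including future majors, whenever the lockfile is regenerated. `"form-data": ">=2.5.4"` can resolve to the 4.x line even though it is being injected under `request`, which was written against form-data 2.x, and `"minimist": ">=1.2.6"`, `"braces": ">=3.0.3"`, `"cross-spawn": ">=6.0.6"` and `"qs": ">=6.14.1"` behave the same way. Prefer caret ranges that stay on the patched major (`"form-data": "^2.5.4"`, `"cross-spawn": "^6.0.6"`, and so on) so the fix is reproducible, and add the `braces`, `cross-spawn` and `qs` advisories to the mitigation log, since they are not among the five it lists. (The earlier agent prompt's mention of a stray trailing comma after `form-data` does not match the diff: that entry is correctly followed by the `next` key.)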