From ed29779b20cccb896bd36b91b081fe64dba55f29 Mon Sep 17 00:00:00 2001 From: Robert DeLanghe <1240090+bdelanghe@users.noreply.github.com> Date: Sun, 28 Jun 2026 20:56:21 -0400 Subject: [PATCH] =?UTF-8?q?fix(deps):=20bump=20jsonld=208=E2=86=929=20to?= =?UTF-8?q?=20clear=20the=20undici=20high=20advisory=20(dogfood=20the=20vu?= =?UTF-8?q?ln=20gate)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The kit's own vuln gate (#7) flagged 1 high advisory in production deps: undici's unbounded-decompression-chain (pulled transitively via jsonld@8). The fix is jsonld@9 (semver-major). Verified the SHACL gate — the kit's only jsonld consumer — still conforms (test/run.mjs: 14 passed, 0 failed), and the vuln gate over the kit now reports 0 known critical/high in production deps. Co-Authored-By: Claude Opus 4.8 (1M context) --- package-lock.json | 174 ++++++++++++---------------------------------- package.json | 2 +- 2 files changed, 45 insertions(+), 131 deletions(-) diff --git a/package-lock.json b/package-lock.json index bc6a367..bac76af 100644 --- a/package-lock.json +++ b/package-lock.json @@ -12,7 +12,7 @@ "@mozilla/readability": "^0.5.0", "@zazuko/env-node": "^2.1.5", "axe-core": "^4.10.0", - "jsonld": "^8.3.2", + "jsonld": "^9.0.0", "linkedom": "^0.18.0", "n3": "^1.17.3", "rdf-validate-shacl": "^0.5.10", @@ -32,7 +32,8 @@ "ck-seo-gate": "gates/seo-gate.mjs", "ck-shacl-runner": "gates/shacl-runner.mjs", "ck-structure-audit": "integrity/structure-audit/audit.mjs", - "ck-verify-site": "integrity/verify-site.mjs" + "ck-verify-site": "integrity/verify-site.mjs", + "ck-vuln-gate": "gates/vuln-gate.mjs" } }, "node_modules/@bergos/jsonparse": { 
@@ -48,26 +49,16 @@ } }, "node_modules/@digitalbazaar/http-client": { - "version": "3.4.1", - "resolved": "https://registry.npmjs.org/@digitalbazaar/http-client/-/http-client-3.4.1.tgz", - "integrity": "sha512-Ahk1N+s7urkgj7WvvUND5f8GiWEPfUw0D41hdElaqLgu8wZScI8gdI0q+qWw5N1d35x7GCRH2uk9mi+Uzo9M3g==", + "version": "4.3.0", + "resolved": "https://registry.npmjs.org/@digitalbazaar/http-client/-/http-client-4.3.0.tgz", + "integrity": "sha512-6lMpxpt9BOmqHKGs9Xm6DP4LlZTBFer/ZjHvP3FcW3IaUWYIWC7dw5RFZnvw4fP57kAVcm1dp3IF+Y50qhBvAw==", "license": "BSD-3-Clause", "dependencies": { - "ky": "^0.33.3", - "ky-universal": "^0.11.0", - "undici": "^5.21.2" + "ky": "^1.14.2", + "undici": "^6.23.0" }, "engines": { - "node": ">=14.0" - } - }, - "node_modules/@fastify/busboy": { - "version": "2.1.1", - "resolved": "https://registry.npmjs.org/@fastify/busboy/-/busboy-2.1.1.tgz", - "integrity": "sha512-vBZP4NlzfOlerQTnba4aqZoMhE/a9HY7HRqoOPaETQcSQuWEIyZMHGfVu6w9wGtGK5fED5qRs2DteVCjOH60sA==", - "license": "MIT", - "engines": { - "node": ">=14" + "node": ">=18.0" } }, "node_modules/@gar/promise-retry": { 
@@ -251,76 +242,6 @@ "stream-chunks": "^1.0.0" } }, - "node_modules/@rdfjs/serializer-jsonld-ext/node_modules/@digitalbazaar/http-client": { - "version": "4.3.0", - "resolved": "https://registry.npmjs.org/@digitalbazaar/http-client/-/http-client-4.3.0.tgz", - "integrity": "sha512-6lMpxpt9BOmqHKGs9Xm6DP4LlZTBFer/ZjHvP3FcW3IaUWYIWC7dw5RFZnvw4fP57kAVcm1dp3IF+Y50qhBvAw==", - "license": "BSD-3-Clause", - "dependencies": { - "ky": "^1.14.2", - "undici": "^6.23.0" - }, - "engines": { - "node": ">=18.0" - } - }, - "node_modules/@rdfjs/serializer-jsonld-ext/node_modules/canonicalize": { - "version": "2.1.0", - "resolved": "https://registry.npmjs.org/canonicalize/-/canonicalize-2.1.0.tgz", - "integrity": "sha512-F705O3xrsUtgt98j7leetNhTWPe+5S72rlL5O4jA1pKqBVQ/dT1O1D6PFxmSXvc0SUOinWS57DKx0I3CHrXJHQ==", - "license": "Apache-2.0", - "bin": { - "canonicalize": "bin/canonicalize.js" - } - }, - "node_modules/@rdfjs/serializer-jsonld-ext/node_modules/jsonld": { - "version": "9.0.0", - "resolved": "https://registry.npmjs.org/jsonld/-/jsonld-9.0.0.tgz", - "integrity": "sha512-pjMIdkXfC1T2wrX9B9i2uXhGdyCmgec3qgMht+TDj+S0qX3bjWMQUfL7NeqEhuRTi8G5ESzmL9uGlST7nzSEWg==", - "license": "BSD-3-Clause", - "dependencies": { - "@digitalbazaar/http-client": "^4.2.0", - "canonicalize": "^2.1.0", - "lru-cache": "^6.0.0", - "rdf-canonize": "^5.0.0" - }, - "engines": { - "node": ">=18" - } - }, - "node_modules/@rdfjs/serializer-jsonld-ext/node_modules/ky": { - "version": "1.14.3", - "resolved": "https://registry.npmjs.org/ky/-/ky-1.14.3.tgz", - "integrity": "sha512-9zy9lkjac+TR1c2tG+mkNSVlyOpInnWdSMiue4F+kq8TwJSgv6o8jhLRg8Ho6SnZ9wOYUq/yozts9qQCfk7bIw==", - "license": "MIT", - "engines": { - "node": ">=18" - }, - "funding": { - "url": "https://github.com/sindresorhus/ky?sponsor=1" - } - }, - "node_modules/@rdfjs/serializer-jsonld-ext/node_modules/rdf-canonize": { - "version": "5.0.0", - "resolved": "https://registry.npmjs.org/rdf-canonize/-/rdf-canonize-5.0.0.tgz", - "integrity": 
"sha512-g8OUrgMXAR9ys/ZuJVfBr05sPPoMA7nHIVs8VEvg9QwM5W4GR2qSFEEHjsyHF1eWlBaf8Ev40WNjQFQ+nJTO3w==", - "license": "BSD-3-Clause", - "dependencies": { - "setimmediate": "^1.0.5" - }, - "engines": { - "node": ">=18" - } - }, - "node_modules/@rdfjs/serializer-jsonld-ext/node_modules/undici": { - "version": "6.27.0", - "resolved": "https://registry.npmjs.org/undici/-/undici-6.27.0.tgz", - "integrity": "sha512-YmfV3YnEDzXRC5lZ2jWtWWHKGUm1zIt8AhesR1tens+HTNv+YZlN/dp6G727LOvMJ8xjP9Be7Y2Sdr96LDm+pg==", - "license": "MIT", - "engines": { - "node": ">=18.17" - } - }, "node_modules/@rdfjs/serializer-ntriples": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/@rdfjs/serializer-ntriples/-/serializer-ntriples-2.0.1.tgz", @@ -1392,18 +1313,18 @@ } }, "node_modules/jsonld": { - "version": "8.3.3", - "resolved": "https://registry.npmjs.org/jsonld/-/jsonld-8.3.3.tgz", - "integrity": "sha512-9YcilrF+dLfg9NTEof/mJLMtbdX1RJ8dbWtJgE00cMOIohb1lIyJl710vFiTaiHTl6ZYODJuBd32xFvUhmv3kg==", + "version": "9.0.0", + "resolved": "https://registry.npmjs.org/jsonld/-/jsonld-9.0.0.tgz", + "integrity": "sha512-pjMIdkXfC1T2wrX9B9i2uXhGdyCmgec3qgMht+TDj+S0qX3bjWMQUfL7NeqEhuRTi8G5ESzmL9uGlST7nzSEWg==", "license": "BSD-3-Clause", "dependencies": { - "@digitalbazaar/http-client": "^3.4.1", - "canonicalize": "^1.0.1", + "@digitalbazaar/http-client": "^4.2.0", + "canonicalize": "^2.1.0", "lru-cache": "^6.0.0", - "rdf-canonize": "^3.4.0" + "rdf-canonize": "^5.0.0" }, "engines": { - "node": ">=14" + "node": ">=18" } }, "node_modules/jsonld-context-parser": { 
@@ -1461,41 +1382,37 @@ "url": "https://github.com/sponsors/rubensworks/" } }, - "node_modules/ky": { - "version": "0.33.3", - "resolved": "https://registry.npmjs.org/ky/-/ky-0.33.3.tgz", - "integrity": "sha512-CasD9OCEQSFIam2U8efFK81Yeg8vNMTBUqtMOHlrcWQHqUX3HeCl9Dr31u4toV7emlH8Mymk5+9p0lL6mKb/Xw==", - "license": "MIT", - "engines": { - "node": ">=14.16" - }, - "funding": { - "url": "https://github.com/sindresorhus/ky?sponsor=1" + "node_modules/jsonld/node_modules/canonicalize": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/canonicalize/-/canonicalize-2.1.0.tgz", + "integrity": "sha512-F705O3xrsUtgt98j7leetNhTWPe+5S72rlL5O4jA1pKqBVQ/dT1O1D6PFxmSXvc0SUOinWS57DKx0I3CHrXJHQ==", + "license": "Apache-2.0", + "bin": { + "canonicalize": "bin/canonicalize.js" } }, - "node_modules/ky-universal": { - "version": "0.11.0", - "resolved": "https://registry.npmjs.org/ky-universal/-/ky-universal-0.11.0.tgz", - "integrity": "sha512-65KyweaWvk+uKKkCrfAf+xqN2/epw1IJDtlyCPxYffFCMR8u1sp2U65NtWpnozYfZxQ6IUzIlvUcw+hQ82U2Xw==", - "license": "MIT", + "node_modules/jsonld/node_modules/rdf-canonize": { + "version": "5.0.0", + "resolved": "https://registry.npmjs.org/rdf-canonize/-/rdf-canonize-5.0.0.tgz", + "integrity": "sha512-g8OUrgMXAR9ys/ZuJVfBr05sPPoMA7nHIVs8VEvg9QwM5W4GR2qSFEEHjsyHF1eWlBaf8Ev40WNjQFQ+nJTO3w==", + "license": "BSD-3-Clause", "dependencies": { - "abort-controller": "^3.0.0", - "node-fetch": "^3.2.10" + "setimmediate": "^1.0.5" }, "engines": { - "node": ">=14.16" + "node": ">=18" + } + }, + "node_modules/ky": { + "version": "1.14.3", + "resolved": "https://registry.npmjs.org/ky/-/ky-1.14.3.tgz", + "integrity": "sha512-9zy9lkjac+TR1c2tG+mkNSVlyOpInnWdSMiue4F+kq8TwJSgv6o8jhLRg8Ho6SnZ9wOYUq/yozts9qQCfk7bIw==", + "license": "MIT", + "engines": { + "node": ">=18" }, "funding": { - "url": "https://github.com/sindresorhus/ky-universal?sponsor=1" - }, - "peerDependencies": { - "ky": ">=0.31.4", - "web-streams-polyfill": ">=3.2.1" - }, - "peerDependenciesMeta": { 
- "web-streams-polyfill": { - "optional": true - } + "url": "https://github.com/sindresorhus/ky?sponsor=1" } }, "node_modules/linkedom": { @@ -2149,15 +2066,12 @@ "license": "ISC" }, "node_modules/undici": { - "version": "5.29.0", - "resolved": "https://registry.npmjs.org/undici/-/undici-5.29.0.tgz", - "integrity": "sha512-raqeBD6NQK4SkWhQzeYKd1KmIG6dllBOTt55Rmkt4HtI9mwdWtJljnrXjAFUBLTSN67HWrOIZ3EPF4kjUw80Bg==", + "version": "6.27.0", + "resolved": "https://registry.npmjs.org/undici/-/undici-6.27.0.tgz", + "integrity": "sha512-YmfV3YnEDzXRC5lZ2jWtWWHKGUm1zIt8AhesR1tens+HTNv+YZlN/dp6G727LOvMJ8xjP9Be7Y2Sdr96LDm+pg==", "license": "MIT", - "dependencies": { - "@fastify/busboy": "^2.0.0" - }, "engines": { - "node": ">=14.0" + "node": ">=18.17" } }, "node_modules/undici-types": {
diff --git a/package.json b/package.json
index ce1900f..4e2a374 100644
--- a/package.json
+++ b/package.json
@@ -32,7 +32,7 @@
 "@mozilla/readability": "^0.5.0",
 "@zazuko/env-node": "^2.1.5",
 "axe-core": "^4.10.0",
- "jsonld": "^8.3.2",
+ "jsonld": "^9.0.0",
 "linkedom": "^0.18.0",
 "n3": "^1.17.3",
 "rdf-validate-shacl": "^0.5.10",