Summary
npm install during the Electron desktop shell work reported npm audit findings that should be tracked separately from issue #44.
Current audit summary from npm audit --json:
- 10 total vulnerabilities
- 9 moderate
- 1 high
- 0 critical
Direct dependencies affected
uuid — moderate — uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided (affected range <11.1.1)
ws — moderate — ws: Uninitialized memory disclosure (affected range >=8.0.0 <8.20.1)
Transitive dependencies affected
fast-uri — high — path traversal / host confusion advisories
@hono/node-server — moderate — serveStatic repeated-slash middleware bypass
hono — moderate — multiple advisories affecting cookie handling, static serving, JSX SSR, cache middleware, body limit, and JWT validation
brace-expansion — moderate — numeric range DoS
express-rate-limit via ip-address — moderate
ip-address — moderate — XSS in HTML-emitting methods
postcss — moderate — CSS stringify XSS
qs — moderate — remotely triggerable DoS in qs.stringify
Suggested next steps
- Run `npm audit` on the current branch/main to confirm the active set.
- Prefer targeted dependency upgrades for direct dependencies first: `uuid` and `ws`.
- Investigate whether transitive findings are introduced by Electron packaging dependencies, existing app dependencies, or both.
- Avoid a blind `npm audit fix` unless the resulting lockfile diff is reviewed, because it may upgrade unrelated packages.
- Re-run `npm run build` and the Electron package path after any dependency updates.
Acceptance criteria
- `npm audit` shows no high vulnerabilities.
- Direct dependency advisories for `uuid` and `ws` are resolved.
- Any remaining moderate transitive advisories are either resolved or explicitly documented with the dependency path and risk rationale.
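To make the acceptance criteria above checkable rather than eyeballed, here is an added Node script (not part of this issue or the project) that evaluates an `npm audit --json` report: it flags high/critical findings, checks whether the named direct dependencies still appear, and lists each remaining transitive finding with the dependency path needed for the documentation requirement. It assumes the `auditReportVersion: 2` report shape (a `vulnerabilities` map whose `via` entries are either advisory objects or strings naming the vulnerable dependency); the embedded report is a constructed sample modelled on the findings listed above, not captured output.

```javascript
// Constructed sample shaped like `npm audit --json` (auditReportVersion 2)
// output for the findings in this issue; ranges for transitive packages are
// omitted because the issue does not record them.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    uuid: { name: 'uuid', severity: 'moderate', isDirect: true, range: '<11.1.1',
      via: [{ name: 'uuid', severity: 'moderate', title: 'Missing buffer bounds check in v3/v5/v6' }] },
    ws: { name: 'ws', severity: 'moderate', isDirect: true, range: '>=8.0.0 <8.20.1',
      via: [{ name: 'ws', severity: 'moderate', title: 'Uninitialized memory disclosure' }] },
    'fast-uri': { name: 'fast-uri', severity: 'high', isDirect: false,
      via: [{ name: 'fast-uri', severity: 'high', title: 'path traversal / host confusion' }] },
    'ip-address': { name: 'ip-address', severity: 'moderate', isDirect: false,
      via: [{ name: 'ip-address', severity: 'moderate', title: 'XSS in HTML-emitting methods' }] },
    'express-rate-limit': { name: 'express-rate-limit', severity: 'moderate', isDirect: false,
      via: ['ip-address'] },  // vulnerable only through ip-address
  },
};

// Follow string `via` entries down to the package that carries the actual
// advisory and return the path, e.g. "express-rate-limit > ip-address".
function advisoryPath(report, name, seen = new Set()) {
  const v = report.vulnerabilities[name];
  if (!v || seen.has(name)) return name;  // unknown node or cycle: stop here
  seen.add(name);
  const next = v.via.find((x) => typeof x === 'string');
  return next ? `${name} > ${advisoryPath(report, next, seen)}` : name;
}

// Apply the issue's acceptance criteria: no high (or critical) findings, the
// named direct dependencies no longer reported, and every remaining transitive
// finding returned with its path so it can be documented with a risk rationale.
function checkAcceptance(report, directNames = ['uuid', 'ws']) {
  const vulns = report.vulnerabilities;
  const highOrWorse = Object.values(vulns)
    .filter((v) => v.severity === 'high' || v.severity === 'critical')
    .map((v) => v.name);
  const unresolvedDirect = directNames.filter((n) => vulns[n] && vulns[n].isDirect);
  const transitiveToDocument = Object.values(vulns)
    .filter((v) => !v.isDirect)
    .map((v) => ({ name: v.name, severity: v.severity, path: advisoryPath(report, v.name) }));
  return {
    passed: highOrWorse.length === 0 && unresolvedDirect.length === 0,
    highOrWorse, unresolvedDirect, transitiveToDocument,
  };
}

console.log(JSON.stringify(checkAcceptance(sampleReport), null, 2));
```

Against a real run, save `npm audit --json > audit.json` and pass `JSON.parse(fs.readFileSync('audit.json', 'utf8'))` to `checkAcceptance` instead of the sample.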