chore: #3591688 Update JS packages to address npm audit findings
Closes #3591688 (closed).
npm dependency security update — ui workspace
Updates JavaScript dependencies to address npm audit findings within existing semver ranges — no `npm audit fix --force`, no major upgrades. React stays at 18.3.1; cypress, astro, and vite-major are untouched.
Audit: before → after
| Severity | Before (HEAD) | After |
|---|---|---|
| Critical | 2 | 0 |
| High | 35 | 36* |
| Moderate | 14 | 10 |
| Low | 3 | 2 |
| Total | 54 | 48 |
| Root advisories | 13 | 4 |
* The high count nudged up because more transitive packages now fall under the still-deferred astro/esbuild chains (chain-counting), but 9 of 13 root advisories were eliminated — including both criticals — and zero new root advisories were introduced.
Updated (from → to)
| Package | From | To | How | Severity fixed |
|---|---|---|---|---|
| react-router / react-router-dom (ui) | 6.30.3 | 6.30.4 | ui/package.json caret bump | high + moderate (open redirect) |
| shell-quote | 1.8.3 | 1.8.4 | root overrides | critical (newline escaping) |
| js-yaml | 4.1.1 | 4.2.0 | root overrides | moderate (DoS) |
| dompurify | 3.2.x | 3.4.10 | in-range npm update | moderate (XSS) |
| form-data | 4.0.x | 4.0.6 | in-range npm update | high |
| hono | — | latest in-range | in-range npm update | high |
| ws | — | latest in-range | in-range npm update | high |
| protobufjs | — | latest in-range | in-range npm update | moderate |
| @babel/core | — | latest in-range | in-range npm update | low |
| vite | 6.4.2 | 6.4.3 | in-range patch | high |
All within existing semver carets — no `--force`, no major bumps.
Skipped (and why)
| Package | Severity | Why skipped |
|---|---|---|
| esbuild | high | Only fix is vite@8 (major). Forcing esbuild 0.28.1 under vite@6 breaks the production build (3270 errors; 0.28 dropped destructuring-lowering for the legacy target). |
| astro | high | Fix needs astro@6 (major). |
| react-router 7.x | high | Workbench-only copy — out of scope for the UI. |
| @opentelemetry/core | moderate | @redocly/cli dev-tool transitive; OpenTelemetry suite is version-locked, no in-range fix. |
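The before/after table above counts chain-entries as well as root advisories, and the Skipped table separates packages whose only fix is a semver-major upgrade. The following script is an added example (not part of this merge request) showing how both views can be derived from `npm audit --json` output. It assumes the npm v7+ report layout (`auditReportVersion` 2): each entry under `vulnerabilities` has a `severity`, a `via` list in which objects are advisories applying directly to that package and strings name another vulnerable package the finding is inherited from, and a `fixAvailable` that is either a boolean or an object with `isSemVerMajor`. Both sample reports, the advisory ids and the `8.0.0`/`6.0.0` versions are constructed.

```python
"""Summarise `npm audit --json` reports: severity counts, root advisories
versus chain-counted entries, and fixes that would need a major bump.

Added example, not part of the merge request. Assumes the npm v7+ report
layout (auditReportVersion 2); all sample data below is constructed.
"""
import json
from collections import Counter

SEVERITIES = ("critical", "high", "moderate", "low", "info")


def _entry(name, severity, via, fix):
    """Build one constructed `vulnerabilities` entry in npm's layout."""
    return {"name": name, "severity": severity, "via": via, "fixAvailable": fix}


def _advisory(source, name, severity):
    """A direct advisory object as npm places it in `via` (constructed ids)."""
    return {"source": source, "name": name, "severity": severity,
            "title": "constructed advisory"}


MAJOR_VITE = {"name": "vite", "version": "8.0.0", "isSemVerMajor": True}
MAJOR_ASTRO = {"name": "astro", "version": "6.0.0", "isSemVerMajor": True}

# Constructed "before" report: two root findings fixable in range
# (shell-quote, js-yaml) and an esbuild root advisory that vite and astro
# only inherit (chain-counted).
BEFORE = json.dumps({"auditReportVersion": 2, "vulnerabilities": {
    "shell-quote": _entry("shell-quote", "critical", [_advisory(1001, "shell-quote", "critical")], True),
    "js-yaml": _entry("js-yaml", "moderate", [_advisory(1002, "js-yaml", "moderate")], True),
    "esbuild": _entry("esbuild", "high", [_advisory(1003, "esbuild", "high")], MAJOR_VITE),
    "vite": _entry("vite", "high", ["esbuild"], MAJOR_VITE),
    "astro": _entry("astro", "high", ["vite"], MAJOR_ASTRO),
}})

# Constructed "after" report: the in-range fixes are gone, the deferred
# esbuild chain remains, and one more transitive package now hangs off astro,
# so the high count rises although no new root advisory appeared.
AFTER = json.dumps({"auditReportVersion": 2, "vulnerabilities": {
    "esbuild": _entry("esbuild", "high", [_advisory(1003, "esbuild", "high")], MAJOR_VITE),
    "vite": _entry("vite", "high", ["esbuild"], MAJOR_VITE),
    "astro": _entry("astro", "high", ["vite"], MAJOR_ASTRO),
    "example-plugin": _entry("example-plugin", "high", ["astro"], MAJOR_ASTRO),
}})


def summarise(report_json: str) -> dict:
    """Severity counts plus the root-advisory / chain-counted split."""
    vulns = json.loads(report_json).get("vulnerabilities", {})
    by_severity = Counter({s: 0 for s in SEVERITIES})
    root_sources = set()   # distinct advisory ids applying directly to a package
    root_packages = []     # packages carrying at least one direct advisory
    chained = {}           # package -> vulnerable packages it inherits from
    for name, entry in vulns.items():
        by_severity[entry["severity"]] += 1
        direct = [v for v in entry.get("via", []) if isinstance(v, dict)]
        if direct:
            root_packages.append(name)
            root_sources.update(a["source"] for a in direct)
        else:
            chained[name] = [v for v in entry.get("via", []) if isinstance(v, str)]
    return {"by_severity": dict(by_severity), "total": sum(by_severity.values()),
            "root_advisories": len(root_sources),
            "root_packages": sorted(root_packages), "chained": chained}


def major_only_fixes(report_json: str) -> dict:
    """Packages whose only available fix is a semver-major upgrade: the
    candidates for a 'skipped' list rather than an in-range bump."""
    vulns = json.loads(report_json).get("vulnerabilities", {})
    out = {}
    for name, entry in vulns.items():
        fix = entry.get("fixAvailable")
        if isinstance(fix, dict) and fix.get("isSemVerMajor"):
            out[name] = f'{fix["name"]}@{fix["version"]}'
    return out


def delta(before_json: str, after_json: str) -> dict:
    """(before, after) pairs per severity, for totals and for root advisories."""
    b, a = summarise(before_json), summarise(after_json)
    rows = {s: (b["by_severity"][s], a["by_severity"][s]) for s in SEVERITIES}
    rows["total"] = (b["total"], a["total"])
    rows["root_advisories"] = (b["root_advisories"], a["root_advisories"])
    return rows


if __name__ == "__main__":
    for key, pair in delta(BEFORE, AFTER).items():
        print(f"{key:16} {pair[0]:>3} -> {pair[1]:>3}")
    print("major-only fixes:", major_only_fixes(AFTER))
```

On a real tree, replace the constructed strings with the output of `npm audit --json` captured before and after the update; the `delta` rows are the before/after table, and `major_only_fixes` lists what has to be deferred until the next major-version window.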
Verification
✅ 626/626 ui unit tests pass
✅ production `vite:build` passes (~6s)
✅ no change to cypress (13.17.0), astro (5.18.2), or React (18.3.1)
AI usage
An AI coding agent assisted with the audit triage and drafting, per Drupal.org's policy on the use of AI when contributing. All changes were reviewed by a human.
Edited by Christian López Espínola