
fix(server): clear Trivy npm dependency vulnerabilities

GitHub issue · Closed

Metadata
Source: tuist/tuist #11303
Updated: Jun 24, 2026

What changed

Bumped the pinned pnpm.overrides in server/package.json (and added overrides for the transitive form-data and @opentelemetry/core) to the fixed versions, regenerating server/pnpm-lock.yaml:

Package | From | To | Advisories cleared
dompurify | 3.4.0 | 3.4.10 | CVE-2026-49458, CVE-2026-49459, CVE-2026-49978, GHSA-76mc-f452-cxcm, GHSA-gvmj-g25r-r7wr, GHSA-vxr8-fq34-vvx9, GHSA-x4vx-rjvf-j5p4
protobufjs | 7.5.8 | 7.6.4 | CVE-2026-48712, CVE-2026-54269
form-data (transitive) | 4.0.5 | 4.0.6 | CVE-2026-12143 (HIGH)
@opentelemetry/core (transitive) | 2.2.0 | 2.8.0 | CVE-2026-54285

Why

The trivy fs scan in server/mise/tasks/security.sh runs with no severity filter and no --ignore-unfixed:

trivy fs --exit-code 1 --skip-files "mix.exs,mix.lock" --skip-dirs "priv/static,node_modules,deps,_build" ./

so it fails on every known CVE in server/pnpm-lock.yaml, regardless of severity or whether the project actually exercises the vulnerable path. Trivy refreshes its vulnerability DB on each CI run, so a batch of recently disclosed npm advisories started failing the Security job on main (12 findings) without any related code change. This is independent of the PR that surfaced it (#11298); the failure reproduces on main.

Why these versions / this approach

The repo already pins security-sensitive transitive packages through pnpm.overrides (axios, ajv, dompurify, protobufjs, etc.), so the established fix is to advance the override to the patched version rather than ignore the finding. form-data and @opentelemetry/core were not previously overridden, so new override entries were added.

  • All bumps stay within the same major version, so the bundled consumers (@scalar/api-reference, typesense, the OTLP transformer) are unaffected.
  • dompurify’s worst advisory (GHSA-x4vx-rjvf-j5p4) has vulnerable range <= 3.4.6; 3.4.10 is outside it.
  • @opentelemetry/core 2.8.0 is required because the current Trivy DB lists CVE-2026-54285 as fixed only in 2.8.0 (the earlier 2.6.1 patch claim was revised). The bump also dedupes the two @opentelemetry/core copies in the lockfile to a single tree entry.

Why not .trivyignore

The root .trivyignore is only wired into the Docker image scan (trivy image --ignorefile "$GITHUB_WORKSPACE/.trivyignore"); the trivy fs scan in security.sh reads .trivyignore from its cwd (server/), where none exists. These are all fixed upstream, so patching is preferable to suppressing.

Validation

  • trivy fs --exit-code 1 --skip-files mix.exs,mix.lock --skip-dirs priv/static,node_modules,deps,_build ./ now exits 0 (was exit 1 with 12 findings; verified locally against a freshly downloaded Trivy DB).
  • aube install resolves cleanly with all peer dependencies satisfied; lockfile shows single resolved versions: dompurify@3.4.10, protobufjs@7.6.4, form-data@4.0.6, @opentelemetry/core@2.8.0.

🤖 Generated with Claude Code

Comments
tuist-atlas[bot] Jun 17, 2026

The changes addressing the Trivy npm dependency vulnerabilities are now available in version server@1.212.2. Update to this version to apply the fixes for dompurify, protobufjs, form-data, and @opentelemetry/core.