APPSEC-449: bump basic-ftp / fast-uri / tmp to fixed versions (3 CVEs)#17
Merged
Merged
Conversation
…npm overrides) Security dependency-CVE bumps (APPSEC-449) via package.json `overrides` (all three are transitive/package-lock deps): - basic-ftp ^5.2.0 -> ^5.3.1 : resolves 5.3.1. Clears GHSA-rpmf-866q-6p89 / GHSA-rp42-5vxx-qpwr / GHSA-chqc-8p9q-pq6q / GHSA-6v7q-wjvx-w8wg (CRLF/FTP cmd injection + DoS, <=5.3.0). LTS-2751 - fast-uri +^3.1.3 : resolves 3.1.3. Clears GHSA-q3j6-qgpj-74h6 / GHSA-v39h-62p7-jpjc (path traversal + host confusion, <=3.1.1). LTS-3157 - tmp +0.2.7 : resolves 0.2.7. Clears GHSA-7c78-jf6q-g5cm (path traversal via non-string template, 0.2.6). Avoids the semver-major browserstack-node-sdk downgrade npm audit fix would otherwise force. LTS-3397 Verified: npm audit no longer flags basic-ftp/fast-uri/tmp. lodash (LTS-2752) is already at a safe 4.18.1 in the resolved tree (not flagged) - no change needed. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The committed lockfile was out of sync with package.json (missing bare-events transitive) so npm ci failed while npm install silently reconciled. Regenerate it so a clean npm ci install is reproducible in CI and the runner. Override versions unchanged (basic-ftp 5.3.1 / fast-uri 3.1.3 / tmp 0.2.7).
MohitSinghBS
approved these changes
Jul 13, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
APPSEC-449 — Playwright sample dependency-CVE bumps
Three transitive (
package-lock.json) deps bumped to fixed versions via the existingoverridesblock inpackage.json. All verified withnpm audit.^5.2.0→^5.3.1(→ 5.3.1)^3.1.3(→ 3.1.3)0.2.7tmp note:
npm audit fixwould only "fix" tmp by a semver-major downgrade ofbrowserstack-node-sdk→ 1.56.3 (tmp comes through the SDK). The override pins tmp0.2.7directly, keeping the SDK at 1.60.1.Verification
npm audit(advisory DB) no longer flags basic-ftp / fast-uri / tmp after regeneratingpackage-lock.jsonwith the overrides.✅ LTS-2752 (lodash) — ALREADY SOLVED, no change in this PR
Reviewer note: lodash does not need a fix here — it was already remediated by an earlier PR. lodash resolves to
4.18.1(≥ the fixed4.18.0) andnpm auditdoes not flag it.481a640, merged 2026-07-07 — the SDK pin in that PR regeneratedpackage-lock.jsonand floated lodash4.17.21 → 4.18.1(side effect).