Skip to content

Security: patch convict + @clerk/shared criticals#47

Merged
sbaker merged 2 commits into
mainfrom
security/critical-convict-clerk
Apr 23, 2026
Merged

Security: patch convict + @clerk/shared criticals#47
sbaker merged 2 commits into
mainfrom
security/critical-convict-clerk

Conversation

@sbaker
Copy link
Copy Markdown
Member

@sbaker sbaker commented Apr 21, 2026

Summary

Closes the two CRITICAL severity alerts surfaced by npm audit across the workspace via narrow overrides in backend/package.json and frontend/package.json.

Package Path From To Advisory
convict backend (transitive via cohere-ai) 6.2.4 ^6.2.5 GHSA — Convict has Prototype Pollution via startsWith()
@clerk/shared frontend (transitive via @clerk/clerk-react) 3.47.2 ^3.47.4 Clerk advisory — Middleware-based route protection bypass

Both are patch-level bumps within existing caretscohere-ai already declares convict: ^6.2.4 and @clerk/clerk-react declares @clerk/shared: ^3.47.2, so the override just floors the resolution to the patched version.

Why overrides instead of bumping the parent

  • Bumping cohere-ai 7 → 8 is a major (likely breaking SDK surface).
  • Bumping the Clerk parent SDKs would do nothing — they already accept the patched version; the lockfile was just stale.

Test plan

  • npm install succeeds in both packages
  • npm ls convictconvict@6.2.5
  • npm ls @clerk/shared@clerk/shared@3.47.4
  • backend npm audit: 19 → 18 alerts (critical convict closed)
  • frontend npm audit: 18 → 17 alerts (critical clerk closed)
  • Reviewer: full npm run build in CI (worktree had no node_modules pre-installed; both bumps are too narrow to plausibly break anything but worth a clean CI run)

Note on legacy-peer-deps

Frontend npm install requires --legacy-peer-deps due to a pre-existing peer conflict around tiptap-markdown@0.8.10 vs @tiptap/core@3.20.4. Unrelated to this PR; calling out so the next reviewer doesn't get spooked.

Coming next (separate PRs)

  • PR 2: universal bundled bumps + transitive overrides across all 6 packages (axios pin, yaml, lodash/picomatch/path-to-regexp etc.)
  • PR 3: backend direct-dep bumps (undici, socket.io-parser, tar, fast-xml-parser)
  • Deferred for your call: vite 6→8, vitest→4, typescript-eslint v6→v8, electron major, monaco-editor

🤖 Generated with Claude Code

@sbaker @claude
Security: patch convict (backend) and @clerk/shared (frontend) criticals
69cb3dd 
Closes 2 critical Dependabot/npm-audit alerts via npm overrides:

- backend: convict ^6.2.4 -> ^6.2.5 (transitive via cohere-ai)
  Closes prototype pollution via startsWith(). Patch-level bump
  satisfies cohere-ai's existing convict ^6.2.4 range.

- frontend: @clerk/shared ^3.47.2 -> ^3.47.4 (transitive via @clerk/clerk-react)
  Closes middleware-based route protection bypass in the Clerk
  JavaScript SDK. Patch-level bump satisfies clerk-react's
  existing @clerk/shared ^3.47.2 range.

Both fixes are minimum-impact (same minor version, security-only
patches). Direct-dep bumps were not used because the offending
packages are transitives.

Verified:
- npm install succeeds (frontend requires --legacy-peer-deps for
  pre-existing tiptap-markdown peer conflict, unrelated)
- backend npm audit: 19 -> 18 (1 critical convict closed)
- frontend npm audit: 18 -> 17 (1 critical clerk closed)
- npm ls confirms convict@6.2.5 and @clerk/shared@3.47.4

Build/test verification deferred to CI (worktree had no node_modules
pre-installed; bumps are too narrow to plausibly break anything).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@sbaker sbaker mentioned this pull request Apr 22, 2026
Merged
7 tasks
sbaker added a commit that referenced this pull request Apr 23, 2026
@sbaker @claude
Security: bundled bumps + axios supply-chain pin (all 6 packages) (#48)
a6ea0ac 
* Security: patch convict (backend) and @clerk/shared (frontend) criticals

Closes 2 critical Dependabot/npm-audit alerts via npm overrides:

- backend: convict ^6.2.4 -> ^6.2.5 (transitive via cohere-ai)
  Closes prototype pollution via startsWith(). Patch-level bump
  satisfies cohere-ai's existing convict ^6.2.4 range.

- frontend: @clerk/shared ^3.47.2 -> ^3.47.4 (transitive via @clerk/clerk-react)
  Closes middleware-based route protection bypass in the Clerk
  JavaScript SDK. Patch-level bump satisfies clerk-react's
  existing @clerk/shared ^3.47.2 range.

Both fixes are minimum-impact (same minor version, security-only
patches). Direct-dep bumps were not used because the offending
packages are transitives.

Verified:
- npm install succeeds (frontend requires --legacy-peer-deps for
  pre-existing tiptap-markdown peer conflict, unrelated)
- backend npm audit: 19 -> 18 (1 critical convict closed)
- frontend npm audit: 18 -> 17 (1 critical clerk closed)
- npm ls confirms convict@6.2.5 and @clerk/shared@3.47.4

Build/test verification deferred to CI (worktree had no node_modules
pre-installed; bumps are too narrow to plausibly break anything).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Security: bundled Dependabot bumps + axios supply-chain pin (all packages)

Closes ~50 of 79 npm-audit alerts across all 6 sub-packages. The same
playbook that landed on prompd-cli (PRs #12, #13, #14) applied here.

Direct dependency bumps:
- backend axios: ^1.6.2 -> 1.15.1 (exact pin to skip compromised
  1.14.1 from 2026-03-31 supply-chain attack)
- frontend yaml: ^2.5.0 -> ^2.8.3
- frontend lodash-es: ^4.17.21 -> ^4.18.1
- packages/test yaml: ^2.7.1 -> ^2.8.3
- prompd-service yaml: ^2.3.4 -> ^2.8.3

npm overrides for stuck transitives (per-package, scope-appropriate):
- yaml ^2.8.3 (backend, frontend, scheduler)
- lodash ^4.18.1, lodash-es ^4.18.1
- picomatch ^2.3.2, brace-expansion ^2.0.3
- minimatch ^9.0.7
- follow-redirects ^1.16.0
- hono ^4.12.14, @hono/node-server ^1.19.13
- @xmldom/xmldom ^0.8.12
- tar ^7.5.13 (backend, scheduler)
- undici ^7.24.0 (backend)
- socket.io-parser ^4.2.6 (backend, frontend)
- fast-xml-parser ^5.7.1 (backend)
- dompurify ^3.4.1 (frontend)
- rollup ^4.60.2, flatted ^3.4.2 (packages/react)
- qs ^6.14.2 (prompd-service)
- axios 1.15.1 (frontend, scheduler — transitive force-pin)
- express > path-to-regexp ^0.1.13 (everywhere express 4 lives)
- router > path-to-regexp ^8.4.0 (everywhere express 5 lives)

Verified after install:
- No plain-crypto-js in any package-lock.json (compromised axios payload)
- axios resolves to 1.15.1 exact in every tree
- yaml resolves to 2.8.3 in backend (was 2.8.2)
- frontend npm test: 52/52 pass (3 suites)
- frontend tsc -b dry run: clean
- Per-package alert reduction:
  - backend: 19 -> 2 (only xlsx-via-@prompd/cli; auto-fix on CLI release)
  - frontend: 18 -> 4 (electron, esbuild, vite, picomatch — all deferred breaking)
  - packages/react: 23 -> 13 (vite/vitest/typescript-eslint majors deferred)
  - packages/scheduler: 14 -> 2 (xlsx-via-CLI; auto-fix)
  - packages/test: 2 -> 2 (xlsx-via-CLI; auto-fix)
  - prompd-service: 3 -> 0

Stacked on top of #47 (convict + @clerk criticals). When #47 merges
first, this branch rebases trivially. When this merges first, #47
will need a small overrides-block rebase.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@sbaker sbaker merged commit 1ad25db into main Apr 23, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@sbaker sbaker

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@sbaker