From ad4041e51a39b0ee2cdbdd19cc6f37d1a18a7cbe Mon Sep 17 00:00:00 2001
From: James George <25279263+jamesgeorge007@users.noreply.github.com>
Date: Sun, 29 Mar 2026 19:12:05 +0530
Subject: [PATCH] chore: address remaining production audit findings

Bump handlebars to 4.7.9, @apollo/server to 5.5.0, and nodemailer to 8.0.4 in the backend. Add narrow pnpm overrides for path-to-regexp (8.4.0) and dompurify (3.3.3). Move unplugin-icons to devDependencies in sh-admin to keep dev-only transitive packages out of the production audit.
---
 package.json | 2 +
 packages/hoppscotch-backend/package.json | 6 +-
 packages/hoppscotch-sh-admin/package.json | 2 +-
 pnpm-lock.yaml | 91 +++++++++++------------
 4 files changed, 49 insertions(+), 52 deletions(-)

diff --git a/package.json b/package.json
index b3e16d2e..db7859b3 100644
--- a/package.json
+++ b/package.json
@@ -40,6 +40,7 @@
 "apiconnect-wsdl": "2.0.36",
 "body-parser": "2.2.1",
 "cross-spawn": "7.0.6",
+ "dompurify@>=3.0.0 <3.3.3": "3.3.3",
 "effect@3.18.4": "3.20.0",
 "execa@<2.0.0": "2.0.0",
 "flatted@>=3.0.0 <3.4.2": "3.4.2",
@@ -53,6 +54,7 @@
 "minimatch@>=3.0.0 <3.1.3": "3.1.5",
 "minimatch@>=4.0.0 <4.2.5": "4.2.5",
 "minimatch@>=5.0.0 <10.2.3": "10.2.3",
+ "path-to-regexp@>=8.0.0 <8.4.0": "8.4.0",
 "preview-email@>=3.0.0 <3.1.1": "3.1.1",
 "rollup@>=4.0.0 <4.59.0": "4.59.0",
 "serialize-javascript@>=7.0.0 <7.0.3": "7.0.3",
diff --git a/packages/hoppscotch-backend/package.json b/packages/hoppscotch-backend/package.json
index 905c5f26..4f2d0258 100644
--- a/packages/hoppscotch-backend/package.json
+++ b/packages/hoppscotch-backend/package.json
@@ -31,7 +31,7 @@
 "do-test": "pnpm run test"
 },
 "dependencies": {
- "@apollo/server": "5.4.0",
+ "@apollo/server": "5.5.0",
 "@as-integrations/express5": "1.1.2",
 "@nestjs-modules/mailer": "2.0.2",
 "@nestjs/apollo": "13.2.4",
@@ -62,10 +62,10 @@
 "graphql-query-complexity": "1.1.0",
 "graphql-redis-subscriptions": "2.7.0",
 "graphql-subscriptions": "3.0.0",
- "handlebars": "4.7.8",
+ "handlebars": "4.7.9",
 "io-ts": "2.2.22",
 "morgan": "1.10.1",
- "nodemailer": "8.0.3",
+ "nodemailer": "8.0.4",
 "passport": "0.7.0",
 "passport-github2": "0.1.12",
 "passport-google-oauth20": "2.0.0",
diff --git a/packages/hoppscotch-sh-admin/package.json b/packages/hoppscotch-sh-admin/package.json
index f0d2912b..4eb1d48d 100644
--- a/packages/hoppscotch-sh-admin/package.json
+++ b/packages/hoppscotch-sh-admin/package.json
@@ -37,7 +37,6 @@
 "tailwindcss": "3.4.16",
 "tippy.js": "6.3.7",
 "ts-node-dev": "2.0.0",
- "unplugin-icons": "22.5.0",
 "unplugin-vue-components": "30.0.0",
 "vue": "3.5.31",
 "vue-i18n": "11.3.0",
@@ -68,6 +67,7 @@
 "ts-node": "10.9.2",
 "typescript": "5.9.3",
 "unplugin-fonts": "1.4.0",
+ "unplugin-icons": "22.5.0",
 "vite": "7.3.1",
 "vite-plugin-pages": "0.33.2",
 "vite-plugin-vue-layouts": "0.11.0",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 935b8b81..5b5de2f1 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -10,6 +10,7 @@ overrides:
 apiconnect-wsdl: 2.0.36
 body-parser: 2.2.1
 cross-spawn: 7.0.6
+ dompurify@>=3.0.0 <3.3.3: 3.3.3
 effect@3.18.4: 3.20.0
 execa@<2.0.0: 2.0.0
 flatted@>=3.0.0 <3.4.2: 3.4.2
@@ -23,6 +24,7 @@ overrides:
 minimatch@>=3.0.0 <3.1.3: 3.1.5
 minimatch@>=4.0.0 <4.2.5: 4.2.5
 minimatch@>=5.0.0 <10.2.3: 10.2.3
+ path-to-regexp@>=8.0.0 <8.4.0: 8.4.0
 preview-email@>=3.0.0 <3.1.1: 3.1.1
 rollup@>=4.0.0 <4.59.0: 4.59.0
 serialize-javascript@>=7.0.0 <7.0.3: 7.0.3
@@ -182,17 +184,17 @@ importers: packages/hoppscotch-backend: dependencies: '@apollo/server': - specifier: 5.4.0 - version: 5.4.0(graphql@16.13.1) + specifier: 5.5.0 + version: 5.5.0(graphql@16.13.1) '@as-integrations/express5': specifier: 1.1.2 - version: 1.1.2(@apollo/server@5.4.0(graphql@16.13.1))(express@5.2.1) + version: 1.1.2(@apollo/server@5.5.0(graphql@16.13.1))(express@5.2.1) '@nestjs-modules/mailer': specifier: 2.0.2 - version: 2.0.2(@nestjs/common@11.1.17(class-transformer@0.5.1)(class-validator@0.15.1)(reflect-metadata@0.2.2)(rxjs@7.8.2))(@nestjs/core@11.1.17)(nodemailer@8.0.3)(terser@5.46.1)(typescript@5.9.3) + version: 2.0.2(@nestjs/common@11.1.17(class-transformer@0.5.1)(class-validator@0.15.1)(reflect-metadata@0.2.2)(rxjs@7.8.2))(@nestjs/core@11.1.17)(nodemailer@8.0.4)(terser@5.46.1)(typescript@5.9.3) '@nestjs/apollo': specifier: 13.2.4 - version: 13.2.4(@apollo/server@5.4.0(graphql@16.13.1))(@as-integrations/express5@1.1.2(@apollo/server@5.4.0(graphql@16.13.1))(express@5.2.1))(@nestjs/common@11.1.17(class-transformer@0.5.1)(class-validator@0.15.1)(reflect-metadata@0.2.2)(rxjs@7.8.2))(@nestjs/core@11.1.17)(@nestjs/graphql@13.2.4(@nestjs/common@11.1.17(class-transformer@0.5.1)(class-validator@0.15.1)(reflect-metadata@0.2.2)(rxjs@7.8.2))(@nestjs/core@11.1.17)(class-transformer@0.5.1)(class-validator@0.15.1)(graphql@16.13.1)(reflect-metadata@0.2.2))(graphql@16.13.1) + version: 13.2.4(@apollo/server@5.5.0(graphql@16.13.1))(@as-integrations/express5@1.1.2(@apollo/server@5.5.0(graphql@16.13.1))(express@5.2.1))(@nestjs/common@11.1.17(class-transformer@0.5.1)(class-validator@0.15.1)(reflect-metadata@0.2.2)(rxjs@7.8.2))(@nestjs/core@11.1.17)(@nestjs/graphql@13.2.4(@nestjs/common@11.1.17(class-transformer@0.5.1)(class-validator@0.15.1)(reflect-metadata@0.2.2)(rxjs@7.8.2))(@nestjs/core@11.1.17)(class-transformer@0.5.1)(class-validator@0.15.1)(graphql@16.13.1)(reflect-metadata@0.2.2))(graphql@16.13.1) '@nestjs/common': specifier: 11.1.17 version: 
11.1.17(class-transformer@0.5.1)(class-validator@0.15.1)(reflect-metadata@0.2.2)(rxjs@7.8.2) @@ -275,8 +277,8 @@ importers: specifier: 3.0.0 version: 3.0.0(graphql@16.13.1) handlebars: - specifier: 4.7.8 - version: 4.7.8 + specifier: 4.7.9 + version: 4.7.9 io-ts: specifier: 2.2.22 version: 2.2.22(fp-ts@2.16.11) @@ -284,8 +286,8 @@ importers: specifier: 1.10.1 version: 1.10.1 nodemailer: - specifier: 8.0.3 - version: 8.0.3 + specifier: 8.0.4 + version: 8.0.4 passport: specifier: 0.7.0 version: 0.7.0 @@ -1671,9 +1673,6 @@ importers: ts-node-dev: specifier: 2.0.0 version: 2.0.0(@types/node@25.5.0)(typescript@5.9.3) - unplugin-icons: - specifier: 22.5.0 - version: 22.5.0(@vue/compiler-sfc@3.5.31)(svelte@3.59.2)(vue-template-compiler@2.7.16) unplugin-vue-components: specifier: 30.0.0 version: 30.0.0(@babel/parser@7.29.2)(vue@3.5.31(typescript@5.9.3)) @@ -1759,6 +1758,9 @@ importers: unplugin-fonts: specifier: 1.4.0 version: 1.4.0(vite@7.3.1(@types/node@25.5.0)(jiti@2.6.1)(sass@1.98.0)(terser@5.46.1)(yaml@2.8.3)) + unplugin-icons: + specifier: 22.5.0 + version: 22.5.0(@vue/compiler-sfc@3.5.31)(svelte@3.59.2)(vue-template-compiler@2.7.16) vite: specifier: 7.3.1 version: 7.3.1(@types/node@25.5.0)(jiti@2.6.1)(sass@1.98.0)(terser@5.46.1)(yaml@2.8.3) @@ -1887,8 +1889,8 @@ packages: peerDependencies: '@apollo/server': ^4.0.0 - '@apollo/server@5.4.0': - resolution: {integrity: sha512-E0/2C5Rqp7bWCjaDh4NzYuEPDZ+dltTf2c0FI6GCKJA6GBetVferX3h1//1rS4+NxD36wrJsGGJK+xyT/M3ysg==} + '@apollo/server@5.5.0': + resolution: {integrity: sha512-vWtodBOK/SZwBTJzItECOmLfL8E8pn/IdvP7pnxN5g2tny9iW4+9sxdajE798wV1H2+PYp/rRcl/soSHIBKMPw==} engines: {node: '>=20'} peerDependencies: graphql: ^16.11.0 
@@ -7209,9 +7211,6 @@ packages: resolution: {integrity: sha512-cgwlv/1iFQiFnU96XXgROh8xTeetsnJiDsTc7TYCLFd9+/WNkIqPTxiM/8pSd8VIrhXGTf1Ny1q1hquVqDJB5w==} engines: {node: '>= 4'} - dompurify@3.2.7: - resolution: {integrity: sha512-WhL/YuveyGXJaerVlMYGWhvQswa7myDG17P7Vu65EWC05o8vfeNbvNf4d/BOvH99+ZW+LlQsc1GDKMa1vNK6dw==} - dompurify@3.3.3: resolution: {integrity: sha512-Oj6pzI2+RqBfFG+qOaOLbFXLQ90ARpcGG6UePL82bJLtdsa6CYJD7nmiU8MW9nQNOtCHV3lZ/Bzq1X0QYbBZCA==} @@ -8208,8 +8207,8 @@ packages: resolution: {integrity: sha512-gGgrVCoDKlIZ8fIqXBBb0pPKqDgki0Z/FSKNiQzSGj2uEYHr1tq5wmBegGwJx6QB5S5cM0khSBpi/JFHMCvsmQ==} engines: {node: ^12.22.0 || ^14.16.0 || ^16.0.0 || >=17.0.0} - handlebars@4.7.8: - resolution: {integrity: sha512-vafaFqs8MZkRrSX7sFVUdo3ap/eNiLnb4IakshzvP56X5Nr1iGKAIqdX6tMlm6HcNRIkr6AxO5jFEoJzzpT8aQ==} + handlebars@4.7.9: + resolution: {integrity: sha512-4E71E0rpOaQuJR2A3xDZ+GM1HyWYv1clR58tC8emQNeQe3RH7MAzSbat+V0wG78LQBo6m6bzSG/L4pBuCsgnUQ==} engines: {node: '>=0.4.7'} hasBin: true @@ -9683,8 +9682,8 @@ packages: resolution: {integrity: sha512-PNDFSJdP+KFgdsG3ZzMXCgquO7I6McjY2vlqILjtJd0hy8wEvtugS9xKRF2NWlPNGxvLCXlTNIae4serI7dinw==} engines: {node: '>=6.0.0'} - nodemailer@8.0.3: - resolution: {integrity: sha512-JQNBqvK+bj3NMhUFR3wmCl3SYcOeMotDiwDBvIoCuQdF0PvlIY0BH+FJ2CG7u4cXKPChplE78oowlH/Otsc4ZQ==} + nodemailer@8.0.4: + resolution: {integrity: sha512-k+jf6N8PfQJ0Fe8ZhJlgqU5qJU44Lpvp2yvidH3vp1lPnVQMgi4yEEMPXg5eJS1gFIJTVq1NHBk7Ia9ARdSBdQ==} engines: {node: '>=6.0.0'} normalize-package-data@2.5.0: 
@@ -10014,8 +10013,8 @@ packages: resolution: {integrity: sha512-3O/iVVsJAPsOnpwWIeD+d6z/7PmqApyQePUtCndjatj/9I5LylHvt5qluFaBT3I5h3r1ejfR056c+FCv+NnNXg==} engines: {node: 18 || 20 || >=22} - path-to-regexp@8.3.0: - resolution: {integrity: sha512-7jdwVIRtsP8MYpdXSwOS0YdD0Du+qOoF/AEPIt88PcCFrZCzx41oxku1jD88hZBwbNUIEfpqvuhjFaMAqMTWnA==} + path-to-regexp@8.4.0: + resolution: {integrity: sha512-PuseHIvAnz3bjrM2rGJtSgo1zjgxapTLZ7x2pjhzWwlp4SJQgK3f3iZIQwkpEnBaKz6seKBADpM4B4ySkuYypg==} path-type@3.0.0: resolution: {integrity: sha512-T2ZUsdZFHgA3u4e5PfPbjd7HDDpxPnQb5jN0SrDsjNSuVXHJqtwTnWqG0B1jZrgmJ/7lj1EmVIByWt1gxGkWvg==} @@ -12937,12 +12936,12 @@ snapshots: '@apollo/utils.logger': 3.0.0 graphql: 16.13.1 - '@apollo/server-plugin-landing-page-graphql-playground@4.0.1(@apollo/server@5.4.0(graphql@16.13.1))': + '@apollo/server-plugin-landing-page-graphql-playground@4.0.1(@apollo/server@5.5.0(graphql@16.13.1))': dependencies: - '@apollo/server': 5.4.0(graphql@16.13.1) + '@apollo/server': 5.5.0(graphql@16.13.1) '@apollographql/graphql-playground-html': 1.6.29 - '@apollo/server@5.4.0(graphql@16.13.1)': + '@apollo/server@5.5.0(graphql@16.13.1)': dependencies: '@apollo/cache-control-types': 1.0.3(graphql@16.13.1) '@apollo/server-gateway-interface': 2.0.0(graphql@16.13.1) @@ -13063,9 +13062,9 @@ snapshots: transitivePeerDependencies: - encoding - '@as-integrations/express5@1.1.2(@apollo/server@5.4.0(graphql@16.13.1))(express@5.2.1)': + '@as-integrations/express5@1.1.2(@apollo/server@5.5.0(graphql@16.13.1))(express@5.2.1)': dependencies: - '@apollo/server': 5.4.0(graphql@16.13.1) + '@apollo/server': 5.5.0(graphql@16.13.1) express: 5.2.1 '@asamuzakjp/css-color@4.1.2': 
@@ -16180,19 +16179,19 @@ snapshots: '@tybys/wasm-util': 0.10.1 optional: true - '@nestjs-modules/mailer@2.0.2(@nestjs/common@11.1.17(class-transformer@0.5.1)(class-validator@0.15.1)(reflect-metadata@0.2.2)(rxjs@7.8.2))(@nestjs/core@11.1.17)(nodemailer@8.0.3)(terser@5.46.1)(typescript@5.9.3)': + '@nestjs-modules/mailer@2.0.2(@nestjs/common@11.1.17(class-transformer@0.5.1)(class-validator@0.15.1)(reflect-metadata@0.2.2)(rxjs@7.8.2))(@nestjs/core@11.1.17)(nodemailer@8.0.4)(terser@5.46.1)(typescript@5.9.3)': dependencies: '@css-inline/css-inline': 0.14.1 '@nestjs/common': 11.1.17(class-transformer@0.5.1)(class-validator@0.15.1)(reflect-metadata@0.2.2)(rxjs@7.8.2) '@nestjs/core': 11.1.17(@nestjs/common@11.1.17(class-transformer@0.5.1)(class-validator@0.15.1)(reflect-metadata@0.2.2)(rxjs@7.8.2))(@nestjs/platform-express@11.1.17)(reflect-metadata@0.2.2)(rxjs@7.8.2) glob: 10.5.0 - nodemailer: 8.0.3 + nodemailer: 8.0.4 optionalDependencies: '@types/ejs': 3.1.5 '@types/mjml': 4.7.4 '@types/pug': 2.0.10 ejs: 3.1.10 - handlebars: 4.7.8 + handlebars: 4.7.9 liquidjs: 10.25.0 mjml: 5.0.0-alpha.4(terser@5.46.1)(typescript@5.9.3) preview-email: 3.1.1 
@@ -16207,10 +16206,10 @@ snapshots: - typescript - uncss - '@nestjs/apollo@13.2.4(@apollo/server@5.4.0(graphql@16.13.1))(@as-integrations/express5@1.1.2(@apollo/server@5.4.0(graphql@16.13.1))(express@5.2.1))(@nestjs/common@11.1.17(class-transformer@0.5.1)(class-validator@0.15.1)(reflect-metadata@0.2.2)(rxjs@7.8.2))(@nestjs/core@11.1.17)(@nestjs/graphql@13.2.4(@nestjs/common@11.1.17(class-transformer@0.5.1)(class-validator@0.15.1)(reflect-metadata@0.2.2)(rxjs@7.8.2))(@nestjs/core@11.1.17)(class-transformer@0.5.1)(class-validator@0.15.1)(graphql@16.13.1)(reflect-metadata@0.2.2))(graphql@16.13.1)': + '@nestjs/apollo@13.2.4(@apollo/server@5.5.0(graphql@16.13.1))(@as-integrations/express5@1.1.2(@apollo/server@5.5.0(graphql@16.13.1))(express@5.2.1))(@nestjs/common@11.1.17(class-transformer@0.5.1)(class-validator@0.15.1)(reflect-metadata@0.2.2)(rxjs@7.8.2))(@nestjs/core@11.1.17)(@nestjs/graphql@13.2.4(@nestjs/common@11.1.17(class-transformer@0.5.1)(class-validator@0.15.1)(reflect-metadata@0.2.2)(rxjs@7.8.2))(@nestjs/core@11.1.17)(class-transformer@0.5.1)(class-validator@0.15.1)(graphql@16.13.1)(reflect-metadata@0.2.2))(graphql@16.13.1)': dependencies: - '@apollo/server': 5.4.0(graphql@16.13.1) - '@apollo/server-plugin-landing-page-graphql-playground': 4.0.1(@apollo/server@5.4.0(graphql@16.13.1)) + '@apollo/server': 5.5.0(graphql@16.13.1) + '@apollo/server-plugin-landing-page-graphql-playground': 4.0.1(@apollo/server@5.5.0(graphql@16.13.1)) '@nestjs/common': 11.1.17(class-transformer@0.5.1)(class-validator@0.15.1)(reflect-metadata@0.2.2)(rxjs@7.8.2) '@nestjs/core': 11.1.17(@nestjs/common@11.1.17(class-transformer@0.5.1)(class-validator@0.15.1)(reflect-metadata@0.2.2)(rxjs@7.8.2))(@nestjs/platform-express@11.1.17)(reflect-metadata@0.2.2)(rxjs@7.8.2) '@nestjs/graphql': 
13.2.4(@nestjs/common@11.1.17(class-transformer@0.5.1)(class-validator@0.15.1)(reflect-metadata@0.2.2)(rxjs@7.8.2))(@nestjs/core@11.1.17)(class-transformer@0.5.1)(class-validator@0.15.1)(graphql@16.13.1)(reflect-metadata@0.2.2) @@ -16219,7 +16218,7 @@ snapshots: lodash.omit: 4.5.0 tslib: 2.8.1 optionalDependencies: - '@as-integrations/express5': 1.1.2(@apollo/server@5.4.0(graphql@16.13.1))(express@5.2.1) + '@as-integrations/express5': 1.1.2(@apollo/server@5.5.0(graphql@16.13.1))(express@5.2.1) '@nestjs/cli@11.0.16(@types/node@25.5.0)': dependencies: @@ -16276,7 +16275,7 @@ snapshots: '@nuxt/opencollective': 0.4.1 fast-safe-stringify: 2.1.1 iterare: 1.2.1 - path-to-regexp: 8.3.0 + path-to-regexp: 8.4.0 reflect-metadata: 0.2.2 rxjs: 7.8.2 tslib: 2.8.1 @@ -16338,7 +16337,7 @@ snapshots: cors: 2.8.6 express: 5.2.1 multer: 2.1.1 - path-to-regexp: 8.3.0 + path-to-regexp: 8.4.0 tslib: 2.8.1 transitivePeerDependencies: - supports-color @@ -16368,7 +16367,7 @@ snapshots: '@nestjs/mapped-types': 2.1.0(@nestjs/common@11.1.17(class-transformer@0.5.1)(class-validator@0.15.1)(reflect-metadata@0.2.2)(rxjs@7.8.2))(class-transformer@0.5.1)(class-validator@0.15.1)(reflect-metadata@0.2.2) js-yaml: 4.1.1 lodash: 4.17.23 - path-to-regexp: 8.3.0 + path-to-regexp: 8.4.0 reflect-metadata: 0.2.2 swagger-ui-dist: 5.31.0 optionalDependencies: @@ -19211,10 +19210,6 @@ snapshots: domelementtype: 2.3.0 optional: true - dompurify@3.2.7: - optionalDependencies: - '@types/trusted-types': 2.0.7 - dompurify@3.3.3: optionalDependencies: '@types/trusted-types': 2.0.7 @@ -20533,7 +20528,7 @@ snapshots: graphql@16.13.1: {} - handlebars@4.7.8: + handlebars@4.7.9: dependencies: minimist: 1.2.8 neo-async: 2.6.2 @@ -22516,7 +22511,7 @@ snapshots: monaco-editor@0.55.1: dependencies: - dompurify: 3.2.7 + dompurify: 3.3.3 marked: 14.0.0 morgan@1.10.1: @@ -22627,7 +22622,7 @@ snapshots: nodemailer@7.0.13: optional: true - nodemailer@8.0.3: {} + nodemailer@8.0.4: {} normalize-package-data@2.5.0: dependencies: 
@@ -22993,7 +22988,7 @@ snapshots: lru-cache: 11.2.7 minipass: 7.1.3 - path-to-regexp@8.3.0: {} + path-to-regexp@8.4.0: {} path-type@3.0.0: dependencies: @@ -23911,7 +23906,7 @@ snapshots: depd: 2.0.0 is-promise: 4.0.0 parseurl: 1.3.3 - path-to-regexp: 8.3.0 + path-to-regexp: 8.4.0 transitivePeerDependencies: - supports-color @@ -24796,7 +24791,7 @@ snapshots: dependencies: bs-logger: 0.2.6 fast-json-stable-stringify: 2.1.0 - handlebars: 4.7.8 + handlebars: 4.7.9 jest: 30.3.0(@types/node@25.5.0)(ts-node@10.9.2(@types/node@25.5.0)(typescript@5.9.3)) json5: 2.2.3 lodash.memoize: 4.1.2