Forgejo Issue #10 Security CVE Remediation

Created: 2026-05-23 13:08 America/New_York · Repo: islandflow

Issue: Forgejo #10 · Beads: islandflow-3o0 · Scope: dependency security updates

Summary

Addressed Forgejo issue #10 by remediating the active dependency CVEs called out in the report. This update moved direct WebSocket dependencies to patched versions and added workspace-level dependency overrides for vulnerable transitive packages. bun audit now reports No vulnerabilities found.

Changes Made

  • Upgraded ws in ingest services to ^8.21.0 in: services/ingest-equities/package.json, services/ingest-news/package.json, and services/ingest-options/package.json.
  • Added workspace-level overrides in root package.json for patched transitive packages: postcss ^8.5.15, tar ^7.5.15, and tmp ^0.2.5.
  • Regenerated bun.lock via bun install to enforce the resolved secure graph.

Context

Issue #10 documented 9 active advisories across runtime and build-time dependencies: six high-severity tar CVEs in the Electron Forge chain, one ws memory-disclosure advisory affecting ingest services, one postcss advisory in the web toolchain, and one tmp advisory in desktop packaging transitive dependencies.

This fix deliberately limited itself to targeted version remediation rather than broad framework upgrades, reducing behavioral risk while closing the known CVE set.

Important Implementation Details

  • next@16.2.6 still declares postcss@8.4.31, so override pinning was required to force a patched resolver result.
  • The Electron Forge chain currently references tar@^6.x transitively, so override pinning was used to pull in patched tar@7.5.15 and clear the advisories without waiting for the upstream major-version migration.
  • Direct ws bumps were applied at each ingest service manifest for explicit runtime dependency hygiene.

Relevant Diff Snippets

package.json · security overrides

+ "overrides": {
+   "postcss": "^8.5.15",
+   "tar": "^7.5.15",
+   "tmp": "^0.2.5"
+ }
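Review bot: the tar override forces a transitive tar@^6.x dependency (per the implementation notes) up to ^7.5.15, a major-version jump applied to the Electron Forge chain, but the validation list only covers `bun --cwd=apps/desktop run typecheck` and the web build; consider adding a desktop packaging smoke run (or noting that tar 6 to 7 API differences were checked for the Forge consumers) so the override is known to be behavior-safe, not just audit-clean.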

services/ingest-*/package.json · ws bump

- "ws": "^8.18.3"
+ "ws": "^8.21.0"
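Review bot: the same ws bump is repeated across three service manifests with nothing stopping a new ingest service from declaring the old range; consider adding `"ws": "^8.21.0"` to the root `overrides` block alongside postcss/tar/tmp so the patched floor is enforced workspace-wide rather than per manifest.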

Snippets are rendered client-side with Diffs (diffs.com project) and include inline fallback text for offline viewing.

Expected Impact for End-Users

No user-facing behavior changes are expected. The impact is operational and security-focused: cleaner dependency posture and reduced known vulnerability exposure across ingest runtime and desktop/web toolchain surfaces.

Validation

  • bun install completed and regenerated bun.lock.
  • bun audit passed with No vulnerabilities found.
  • bun test passed: 246 tests, 0 failures.
  • bun --cwd=apps/web run build passed (Next.js production build).
  • bun --cwd=apps/desktop run typecheck passed.

Issues, Limitations, and Mitigations

  • This remediation relies partly on dependency overrides for transitive CVEs rather than upstream package-chain updates. Mitigation: lockfile is now pinned and validated via audit in CI/local runs.
  • Override-based mitigation can drift if upstream manifests change unexpectedly. Mitigation: keep bun audit in regular release checks.
  • This pass did not perform container image package CVE expansion, matching the issue's own stated scope limitation.
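The drift risk noted above can be checked mechanically before `bun audit` runs. The following is an added example, not part of the islandflow repository: it parses constructed stand-ins for the root package.json and an ingest service manifest and flags any override or direct dependency whose declared range has a lower bound below the patched floors from this remediation. The floor table and the minimal caret/tilde/exact range parser are assumptions of this example.

```python
"""Override-drift check (added example; not islandflow project code)."""
import json
import re

# Minimum patched versions as stated in the remediation summary (assumed floors).
PATCHED_FLOORS = {"postcss": "8.5.15", "tar": "7.5.15", "tmp": "0.2.5", "ws": "8.21.0"}

# Constructed manifests standing in for root package.json and one ingest service.
ROOT_PACKAGE_JSON = (
    '{"name": "islandflow", "overrides": '
    '{"postcss": "^8.5.15", "tar": "^7.5.15", "tmp": "^0.2.5"}}'
)
INGEST_PACKAGE_JSON = '{"name": "ingest-equities", "dependencies": {"ws": "^8.21.0"}}'


def parse_version(spec):
    """Return the lower bound of a caret, tilde or exact range as an int tuple.

    Only the range shapes used in these manifests are supported (assumption);
    anything else raises so drift is never silently ignored.
    """
    m = re.fullmatch(r"[\^~]?(\d+)\.(\d+)\.(\d+)", spec.strip())
    if not m:
        raise ValueError(f"unsupported version range {spec!r}")
    return tuple(int(x) for x in m.groups())


def check_floors(declared, floors):
    """Names whose declared lower bound is below the patched floor or that are
    missing entirely (an override that was dropped counts as drift)."""
    drifted = []
    for name, floor in floors.items():
        spec = declared.get(name)
        if spec is None or parse_version(spec) < parse_version(floor):
            drifted.append(name)
    return drifted


def check_root_overrides(root_json):
    """Validate the workspace-level overrides block against the transitive floors."""
    overrides = json.loads(root_json).get("overrides", {})
    floors = {k: v for k, v in PATCHED_FLOORS.items() if k != "ws"}
    return check_floors(overrides, floors)


def check_ingest_ws(service_json):
    """Validate an ingest service's direct ws dependency against the patched floor."""
    deps = json.loads(service_json).get("dependencies", {})
    return check_floors(deps, {"ws": PATCHED_FLOORS["ws"]})
```

Running it over the real manifests (glob `services/ingest-*/package.json` plus the root) as a pre-audit step turns the "overrides can drift" limitation into a failing check rather than a reminder.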

Follow-up Work

  • Track Electron Forge and rebuild-chain updates to remove the tar/tmp overrides once upstream dependencies natively resolve patched versions.
  • If additional image-level CVE coverage is required, run a dedicated Docker image scan in a daemon-enabled environment and file any new issues separately.
  • No additional Beads issue was created in this pass beyond islandflow-3o0.