You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
## Follow-up wave — direct bumps on the Node 22 baseline (2026-06-20)
468
+
469
+
The four deferred direct-dependency bumps that required the Node 22 runtime (or a major parent bump) as a prerequisite, now actioned together. Each clears a consumer-facing or build-context alert that the in-range relock could not reach; this resolves the interim PARTIAL on `uuid` from §A (its direct lines now all sit on the patched major; the residual `8.3.2`/`9.0.0` copies are transitive-only — pinned by `pg-boss`, `typeorm-extension` and the Trezor stack — and stay tracked).
470
+
471
+
| Package | Version (→ updated) | Status (severity) | Scope | License | Provenance / publisher |
472
+
|---|---|---|---|---|---|
473
+
|`uuid`| direct 10.0.0 → **11.1.1** (transitive 8.3.2, 9.0.0 remain) | CLOSED direct · PARTIAL transitive (medium) | direct · prod · consumer:yes| MIT | signed + SLSA; publisher `ctavan` → GitHub Actions OIDC (provenance adoption, benign) |
474
+
|`ip-address`| 9.0.5 → **10.2.0**| CLOSED (medium) | direct · prod · consumer:yes| MIT | signed; publisher `beaugunderson` unchanged |
|`express-openapi-validator`| 4.13.8 → **5.6.2**| CLOSED (high) | direct · prod · consumer:yes| MIT | signed; publisher `cdimascio` unchanged |
477
+
|`multer`| 1.4.5-lts.2 → **2.2.0**| CLOSED (high) | transitive (via `express-openapi-validator`) · prod · consumer:yes| MIT | signed; publisher `linusu` → `ulisesgascon` — **human→human**, a known maintenance handoff to the Express/OpenJS maintainer; benign |
478
+
479
+
### Dependencies modified in this wave
480
+
481
+
Only the direct `package.json` edges this PR touches: each arrow is a package whose manifest bumps the dependency it points to (sinks coloured by advisory severity — 🟡 medium · 🟠 high). `axios` is an in-range relock (same `^1.7.4` range, new resolution). Everything downstream inherits these transitively and is **not** itself modified, so it is not shown.
-**Cross-referenced databases:** OSV.dev returns **0** records for every resolved version above (`uuid@11.1.1`, `ip-address@10.2.0`, `axios@1.18.0`, `multer@2.2.0`, `express-openapi-validator@5.6.2`). **0** of the residual transitive advisories (`uuid<11.1.1`, `ws 8.5.0`, `yaml 2.6.1`) intersect the CISA KEV catalogue (1623 entries) — none are under active exploitation, so deferral remains appropriate.
517
+
-**Production closure:**`yarn npm audit --environment production` is clean (exit 0) on this baseline — no advisory reaches a published package's production tree.
518
+
-**Regression check:** lockfile diff vs the Node 22 baseline shows only upgrades and removals consistent with these bumps (e.g. `express-openapi-validator` v5 swaps `json-schema-ref-parser`→`@apidevtools/json-schema-ref-parser` 14.x, drops `lodash.uniq`/`lodash.zipobject`/`call-me-maybe`/`concat-stream@1.x`; `multer` 1.x removed). No shared transitive was silently downgraded.
519
+
467
520
## Method & limitations
468
521
469
522
-**Vulnerability status** tests each resolved version against the advisory's vulnerable range (semver). PARTIAL = the manifest range moved to a patched version but another consumer pins an older, still-vulnerable copy — enumerated in the deferred-work issues (#1701–#1708).
0 commit comments