fix(security): bump astro to 6.1.9 to close XSS in define:vars (SMI-4500)#806
wrsmith108 merged 2 commits into main on Apr 27, 2026
…500) Closes Dependabot alerts #92 (packages/website/package.json) and #93 (package-lock.json); both surface GHSA-j687-52p2-xcff (astro <6.1.6 XSS in define:vars via incomplete </script> tag sanitization).

Changes:
- packages/website/package.json: astro 6.1.3 → 6.1.9 (exact-pin per SMI-2162 audit:standards rule 12; ^6.1.6 was rejected as a semver range)
- package.json devDependencies: add astro 6.1.9 to force hoisting at /app/node_modules/astro. Without this, npm 11 places astro only at packages/website/node_modules/astro, but @astrojs/vercel@10.0.4 is hoisted at root and resolves astro via ESM from /app/node_modules/, causing a "Cannot find package 'astro'" build error.
- package.json overrides: drop "astro": "^5.18.1". It was added in SMI-3688 (PR #629) for the SSRF CVE in 5.x via @astrojs/vercel's pinned chain. No longer needed: @astrojs/vercel@10.0.4 declares peer "astro: ^6.0.0", so it accepts the website's 6.1.9 directly. Override removal also resolves the "EOVERRIDE: Override for astro@6.1.9 conflicts with direct dependency" error that occurs when both the override and the direct dep specify the same exact version.

Verification:
- npm install -> clean
- npm ls astro -> all chains at 6.1.9 (no <6.1.6, no 5.x)
- npm audit --omit=dev -> astro alert resolved (the remaining uuid<14 chain via @azure/msal-node > unstorage > astro is PR-1/SMI-4501 territory, cleared once PR #805 merges and the uuid: ^14 override applies)
- npm run build -w packages/website -> Complete (0 errors, 0 hints, 68 [WARN] about Astro.request.headers on prerendered pages; these are pre-existing tech debt, as the website was already on astro@6.1.3 before this change. Not introduced by this commit. A follow-up Linear issue should capture the 13 affected .astro pages.)
- npm test -w @skillsmith/website -> 171/171 pass
- npm run lint -> clean
- npm run typecheck -> clean
- npm run format:check -> clean
- npm run audit:standards -> 49 pass / 6 warns / 0 fail (89% compliance, baseline matches main)

Linear: https://linear.app/smith-horn-group/issue/SMI-4500
Project: GitHub Security Alerts (April 2026)
Closes Dependabot alerts #92, #93

Co-Authored-By: claude-flow <ruv@ruv.net>
Co-Authored-By: Claude <noreply@anthropic.com>
….9 bump

Restores the lockfile state that SMI-3984 (PR #490) carefully constructed to pin @rollup/rollup-{darwin-arm64,darwin-x64,linux-arm64-gnu,linux-x64-gnu,linux-x64-musl} across all CI platforms.

The original SMI-4500 commit (67b7a74) regenerated package-lock.json from scratch via `rm -f package-lock.json && npm install` inside the skillsmith-dev-1 container. That container runs linux/arm64 (Apple Silicon Docker Desktop), so the regenerated lockfile only pinned the arm64 native binding. CI runs on linux/x64 (ubuntu-latest) and could not load the rollup native module: every Test (*) job and Website Build failed with MODULE_NOT_FOUND on /app/node_modules/rollup/dist/native.js.

Fix: copy package-lock.json from origin/main (which still has all 5 platform pins from SMI-3984), then surgically remove the stale `packages/website/node_modules/astro@6.1.3` block (left over from when the override was `^5.18.1` and the website's astro had to nest), then re-run `npm install` to refresh other entries.

Lockfile now has both:
- All 5 rollup platform native packages pinned (verified via node -e "console.log(!!require('./package-lock.json').packages['node_modules/@rollup/rollup-linux-x64-gnu'])")
- astro@6.1.9 hoisted to root with no nested copy in packages/website/node_modules/

Verification:
- `npm ls astro` -> all chains show astro@6.1.9 deduped at root
- `npm run build -w packages/website` -> Complete (5.94s)
- `npm test -w @skillsmith/website` -> 171/171 pass
- `npm run lint` / `typecheck` / `format:check` -> clean
- `npm run audit:standards` -> 91% baseline

This unblocks PR #806 CI.

Future lockfile regenerations should either:
1. Run inside a `--platform=linux/amd64` container (matches CI), or
2. Surgically edit the lockfile rather than rm-and-regen, or
3. Use `npm install` (not `--package-lock-only`) on origin/main's lockfile so existing platform pins are preserved.

Linear: https://linear.app/smith-horn-group/issue/SMI-4500

Co-Authored-By: claude-flow <ruv@ruv.net>
Co-Authored-By: Claude <noreply@anthropic.com>
wrsmith108 added a commit that referenced this pull request on Apr 27, 2026:
…p-impl-check] Submodule PR smith-horn/skillsmith-docs#95 merged at 94e26bc — pulls in the 2026-04-27 security batch retrospective covering the SMI-4499..4504 alert closures (PRs #805, #806, #807). No code changes in this commit; just submodule pointer advance. Co-Authored-By: claude-flow <ruv@ruv.net> Co-Authored-By: Claude <noreply@anthropic.com>
wrsmith108 added a commit that referenced this pull request on Apr 27, 2026:
…p-impl-check] (#815) Submodule PR smith-horn/skillsmith-docs#95 merged at 94e26bc — pulls in the 2026-04-27 security batch retrospective covering the SMI-4499..4504 alert closures (PRs #805, #806, #807). No code changes in this commit; just submodule pointer advance. Co-authored-by: Ryan Smith <wrsmith108@users.noreply.github.com> Co-authored-by: claude-flow <ruv@ruv.net> Co-authored-by: Claude <noreply@anthropic.com>
Summary
Closes Dependabot alerts #92 and #93; both surface GHSA-j687-52p2-xcff (astro <6.1.6 XSS in `define:vars` via incomplete `</script>` tag sanitization).

Changes:
- packages/website/package.json: astro 6.1.3 → 6.1.9 (exact-pin per SMI-2162 audit:standards rule 12)
- package.json devDependencies: add `astro: 6.1.9` to force hoisting at root (npm 11 won't hoist a singleton workspace dep, but @astrojs/vercel@10.0.4 is hoisted and resolves astro via ESM from /app/node_modules/)
- package.json overrides: drop `"astro": "^5.18.1"` (was added in SMI-3688 / PR #629, "test(core): SMI-4285 SkillParser coverage + SMI-4286 GDPR duplicate-suite resolution", for the SSRF CVE in 5.x via @astrojs/vercel's old pinned chain; no longer needed: @astrojs/vercel@10.0.4 declares peer `astro: ^6.0.0` and accepts the website's 6.1.9 directly. Override removal also resolves the EOVERRIDE conflict)

Test plan
- `npm install` -> clean
- `npm ls astro` -> all chains at 6.1.9 (no <6.1.6, no 5.x leftover)
- `npm audit --omit=dev` -> astro alert resolved (remaining uuid<14 chain is PR #805 territory, "fix(security): batch close 4 GitHub security alerts (SMI-4499/4501/4502/4504)", clears once that merges)
- `npm run build -w packages/website` -> Complete (0 errors, 0 hints; 68 pre-existing `Astro.request.headers` warnings are baseline tech debt, see follow-up below)
- `npm test -w @skillsmith/website` -> 171/171 pass
- `npm run lint`, `typecheck`, `format:check` -> clean
- `npm run audit:standards` -> 49 pass / 6 warns / 0 fail (89% compliance, baseline matches main)

Pre-existing tech debt (out of scope)
68 build warnings about `Astro.request.headers` being used on prerendered pages across 13 .astro files. The website was already on astro@6.1.3 before this change, so these warnings are pre-existing, not a regression from this PR. A follow-up Linear issue should be filed to either:
- set `export const prerender = false`, OR
- replace `Astro.request.headers` with build-time alternatives where appropriate

Affected routes (from build output): /, /docs/, /faq, /license, /privacy, /signup/success, /skills, /terms, /verify, /auth/forgot-password, /auth/reset-password, /blog/
Linear
Stacking
This PR is parallel-independent of #805 (SMI-4499/4501/4502/4504). Either can merge first; whichever merges second will rebase cleanly (different files: this touches
`package.json` overrides + `packages/website/package.json`; #805 touches different override entries + `packages/mcp-server/src/tools/integration-tools.stub.ts` + `packages/core/src/audit/remote-audit.ts`).

🤖 Generated with Ruflo
[skip-impl-check]
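As an added example (not the project's or the PR author's code), the two lockfile checks that the lockfile-fix commit and the test plan above carry out by hand, as one Node script: every `astro` entry must be at or above the patched version and hoisted to the root with no nested copy, and all five `@rollup` platform bindings must be pinned. The lockfile excerpts, the rollup version and the `auditLockfile`/`cmpVersion` names are constructed for this example; for real use, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`.

```javascript
const REQUIRED_ROLLUP_PLATFORMS = [
  'darwin-arm64', 'darwin-x64', 'linux-arm64-gnu', 'linux-x64-gnu', 'linux-x64-musl',
];
const FIXED_ASTRO = '6.1.6'; // first release not affected by GHSA-j687-52p2-xcff

// Compare dotted numeric versions: negative if a < b, positive if a > b, 0 if equal.
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Returns the list of problems found; empty when the lockfile is in the desired state.
function auditLockfile(lock) {
  const pkgs = lock.packages || {};
  const problems = [];
  // 1. CI on linux/x64 needs every platform binding pinned, not just the host's.
  for (const p of REQUIRED_ROLLUP_PLATFORMS) {
    if (!pkgs[`node_modules/@rollup/rollup-${p}`]) problems.push(`missing rollup pin: ${p}`);
  }
  // 2. astro must be hoisted at the root, patched, and not duplicated in a nested copy.
  if (!pkgs['node_modules/astro']) problems.push('astro not hoisted to root');
  for (const [path, meta] of Object.entries(pkgs)) {
    if (!path.endsWith('node_modules/astro')) continue; // root or nested astro entry
    if (path !== 'node_modules/astro') problems.push(`nested astro copy at ${path}`);
    if (cmpVersion(meta.version, FIXED_ASTRO) < 0) problems.push(`vulnerable astro ${meta.version} at ${path}`);
  }
  return problems;
}

// Constructed excerpt: the arm64-only regeneration from the commit message, with the
// stale nested astro@6.1.3 block still present (rollup version is made up).
const BROKEN_LOCK = { packages: {
  'node_modules/astro': { version: '6.1.9' },
  'node_modules/@rollup/rollup-linux-arm64-gnu': { version: '4.0.0' },
  'packages/website/node_modules/astro': { version: '6.1.3' },
} };
// Constructed excerpt: the repaired state (all five pins, astro deduped at root).
const FIXED_LOCK = { packages: {
  'node_modules/astro': { version: '6.1.9' },
  ...Object.fromEntries(REQUIRED_ROLLUP_PLATFORMS.map(
    (p) => [`node_modules/@rollup/rollup-${p}`, { version: '4.0.0' }])),
} };

console.log('broken:', auditLockfile(BROKEN_LOCK)); // 6 problems
console.log('fixed:', auditLockfile(FIXED_LOCK));   // []
```

Running it in CI before `npm install` catches the host-platform-only regeneration the second commit had to repair, instead of a MODULE_NOT_FOUND in every test job.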