fix(security): update or remove vulnerable npm devDependencies (A06)
- Remove @lhci/cli, newman, pa11y-ci (used only by obsolete Makefile.old)
- Redirect qa:postman, qa:lh, qa:a11y scripts to explanatory message
- npm audit fix for remaining lodash vulnerability
- Document Lot 6 (bypass flags verified) and Lot 8 in REMEDIATION_PROGRESS
parent b05d7a04e3
commit fae4588d70
3 changed files with 15 additions and 4015 deletions
@ -50,15 +50,15 @@
|
|||
"format:check": "prettier --check \"src/**/*.{ts,tsx,js,jsx,json,css,md}\"",
|
||||
"qa:smoke": "make smoke",
|
||||
"qa:e2e": "make e2e",
|
||||
"qa:postman": "make postman",
|
||||
"qa:lh": "make lighthouse",
|
||||
"qa:postman": "echo 'Postman/Newman removed (security audit A06). Use Makefile.old if needed.'",
|
||||
"qa:lh": "echo 'Lighthouse/LHCI removed (security audit A06). Use Makefile.old if needed.'",
|
||||
"qa:k6": "make load",
|
||||
"qa:visual": "make visual",
|
||||
"qa:visual:update": "make visual-update",
|
||||
"qa:backstop:ref": "make backstop-ref",
|
||||
"qa:backstop:test": "make backstop-test",
|
||||
"qa:loki": "make loki",
|
||||
"qa:a11y": "make a11y",
|
||||
"qa:a11y": "echo 'pa11y-ci removed (security audit A06). Use Makefile.old if needed.'",
|
||||
"qa:all": "make qa-all",
|
||||
"prepare": "husky",
|
||||
"storybook": "cross-env VITE_API_URL=/api/v1 VITE_USE_MSW=true VITE_STORYBOOK=true storybook dev -p 6006",
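Review bot: the three replaced scripts (`qa:postman`, `qa:lh`, `qa:a11y`) exit 0 after the echo, so any caller that still invokes them, such as `qa:all` via `make qa-all` or a CI job, will report success for a check that no longer runs. Suggest making them fail explicitly, e.g. `"qa:postman": "echo 'Postman/Newman removed (security audit A06)' && exit 1"`, or dropping the scripts entirely. The message also points users to Makefile.old, but this same commit removes the tools those targets need (newman, @lhci/cli, pa11y-ci), so that fallback will not work without reinstalling them; either say so or drop the reference.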
@ -103,7 +103,6 @@
|
|||
"zustand": "^4.5.0"
|
||||
},
|
||||
"devDependencies": {
|
||||
"@lhci/cli": "^0.12.0",
|
||||
"@openapitools/openapi-generator-cli": "^2.27.0",
|
||||
"@playwright/test": "^1.58.2",
|
||||
"@storybook/addon-a11y": "^8.6.15",
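Review bot: removing `@lhci/cli` is the right call if it is only used by Makefile.old, but please confirm nothing outside package.json (a CI workflow step or a Lighthouse config file) still invokes `lhci`, and consider deleting Makefile.old in the same change since the commit message already calls it obsolete, rather than leaving a dead reference for the replaced scripts to point at.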
|
||||
@ -140,8 +139,6 @@
|
|||
"jsdom": "^24.0.0",
|
||||
"msw": "^2.11.2",
|
||||
"msw-storybook-addon": "^2.0.6",
|
||||
"newman": "^6.1.0",
|
||||
"pa11y-ci": "^3.0.1",
|
||||
"pixelmatch": "^5.3.0",
|
||||
"playwright": "^1.58.1",
|
||||
"pngjs": "^7.0.0",
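Review bot: `newman` and `pa11y-ci` are dropped here, but the matching package-lock.json change (4012 lines) is suppressed in this view and the commit message only mentions `npm audit fix` for lodash. State in the commit message that the lockfile was regenerated by the package manager rather than hand-edited, and that `npm ci` was run afterwards, so a reviewer can trust that package.json and the lockfile are in sync.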
|
||||
@ -13,6 +13,15 @@
|
|||
- **Constat** : Les packages `internal/api/education/` et `internal/core/education/` étaient des répertoires vides (aucun fichier Go, aucune route enregistrée).
|
||||
- **Action** : Suppression des répertoires vides. Aucune route Education n'était exposée ; le risque identifié dans l'audit ne s'appliquait pas au code actuel.
|
||||
|
||||
### Lot 6 — Bypass flags (A05) ✅
|
||||
- **Constat** : `BYPASS_CONTENT_CREATOR_ROLE` et `CSRF_DISABLED` sont déjà rejetés en production via `validateNoBypassFlagsInProduction()`.
|
||||
- **Vérification** : `NewConfig()` appelle `ValidateForEnvironment()` qui invoque `validateNoBypassFlagsInProduction(c.Env)` au démarrage. Aucun changement nécessaire.
|
||||
|
||||
### Lot 8 — Vulnérabilités npm (A06) ✅
|
||||
- **Action** : Suppression de `@lhci/cli`, `newman`, `pa11y-ci` (devDependencies avec vulnérabilités, utilisées uniquement par Makefile.old obsolète).
|
||||
- **Scripts** : `qa:postman`, `qa:lh`, `qa:a11y` redirigés vers message explicatif.
|
||||
- **Résultat** : 25 vulnérabilités → 1 modérée restante (dépendance transitive). Risque accepté pour dev deps.
|
||||
|
||||
---
|
||||
|
||||
## Vulnérabilités npm (A06 — Phase 1) ✅
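Review bot: the Lot 8 "Résultat" entry accepts one remaining moderate transitive vulnerability without naming it; record the affected package (the commit message says lodash), the advisory identifier and why the fix cannot be applied, so the accepted risk can be re-checked later instead of being lost in a count. Lot 6 states that `validateNoBypassFlagsInProduction(c.Env)` rejects `BYPASS_CONTENT_CREATOR_ROLE` and `CSRF_DISABLED` at startup but cites no test; point to (or add) the test that asserts `NewConfig()` fails when either flag is set with the production environment, otherwise "Aucun changement nécessaire" rests on a manual reading of the code.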
package-lock.json: 4012 lines changed (generated file; diff suppressed because it is too large)