security sweep

2026-05-29 09:03:47 -04:00
parent 469c28fa64
commit 3b29de3234
60 changed files with 7148 additions and 413 deletions

@@ -0,0 +1,47 @@
# 11. Fix browser extension vulnerable dependency (superjson CVE-2022-23631)
meta:
id: security-fixes-11
feature: security-fixes
priority: P2
depends_on: []
tags: [dependency-update, tests-required, medium-severity]
objective:
- Update the browser extension's superjson dependency to patch CVE-2022-23631 (prototype pollution → RCE)
deliverables:
- Updated `browser-ext/package.json` with superjson pinned to >=2.2.6
- Updated lock file
- Verification that the extension still functions correctly with the updated dependency
steps:
1. Examine `browser-ext/package.json:18` — current declaration is `"superjson": "^2.2.1"`
2. Update the dependency to `"superjson": "^2.2.6"` (or latest stable version)
3. Run `pnpm install` in the browser-ext directory to update the lock file
4. Verify that `browser-ext/src/lib/api-client.ts` (tRPC client using superjson) still works with the updated version
5. Check for any breaking changes in the superjson changelog between 2.2.1 and the target version
6. Run the browser extension build to confirm no compilation errors
tests:
- Unit: tRPC client serialization/deserialization works with the updated superjson version
- Integration: Browser extension can successfully communicate with the tRPC API
- Build: `pnpm build` in the browser-ext directory completes without errors
acceptance_criteria:
- `browser-ext/package.json` declares `superjson >= 2.2.6`
- Lock file reflects the updated version (no 2.2.12.2.5 range resolved)
- Browser extension builds successfully
- tRPC client communication works correctly with the updated dependency
- No prototype pollution vulnerability remains (CVE-2022-23631 is fixed in >=2.2.6)
validation:
- `cd browser-ext && pnpm install && pnpm build` — succeeds without errors
- `pnpm list superjson` — shows version >= 2.2.6
- Run the browser extension and verify API communication works
notes:
- Finding p8-011: CVE-2022-23631 (CVSS 10.0) affects superjson 2.2.12.2.5
- The web server is NOT affected (does not use superjson)
- This is a quick fix — primarily a dependency version bump
- The caret range `^2.2.1` allows 2.2.12.2.5; changing to `^2.2.6` ensures only patched versions are installed
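Review bot: the affected range in `acceptance_criteria` and `notes` reads as `2.2.12.2.5`, which is a garbled version range rather than a bound (the separator between the two versions appears to have been lost), and the spec cites no advisory URL; before the bump, the affected and fixed versions should be taken from the advisory for CVE-2022-23631 itself, because a 2022 CVE whose first fixed release is claimed to be 2.2.6 on a `^2.2.1` range is worth checking against the advisory data to rule out a scanner false positive. Two smaller points in the same file: the criterion "No prototype pollution vulnerability remains" is not something `pnpm build` or `pnpm list superjson` verifies, so `validation` should add `pnpm audit` and, ideally, a unit test that feeds a payload carrying `__proto__` and `constructor` keys through the tRPC client's deserializer in `browser-ext/src/lib/api-client.ts` and asserts that `Object.prototype` is unchanged; and `^2.2.6` still floats, so the statement that it "ensures only patched versions are installed" holds only through the lock file, which is where the `>= 2.2.6` acceptance check should be made rather than in `package.json` alone.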