# 11. Fix browser extension vulnerable dependency (superjson CVE-2022-23631)

meta:
  id: security-fixes-11
  feature: security-fixes
  priority: P2
  depends_on: []
  tags: [dependency-update, tests-required, medium-severity]

objective:
- Update the browser extension's superjson dependency to patch CVE-2022-23631 (prototype pollution leading to RCE)

deliverables:
- Updated `browser-ext/package.json` with superjson pinned to >=2.2.6
- Updated lock file
- Verification that the extension still functions correctly with the updated dependency

steps:
1. Examine `browser-ext/package.json:18`; the current declaration is `"superjson": "^2.2.1"`
2. Update the dependency to `"superjson": "^2.2.6"` (or the latest stable version)
3. Run `pnpm install` in the browser-ext directory to update the lock file
4. Verify that `browser-ext/src/lib/api-client.ts` (the tRPC client that uses superjson) still works with the updated version
5. Check the superjson changelog for breaking changes between 2.2.1 and the target version
6. Run the browser extension build to confirm there are no compilation errors

tests:
- Unit: tRPC client serialization/deserialization works with the updated superjson version
- Integration: the browser extension can successfully communicate with the tRPC API
- Build: `pnpm build` in the browser-ext directory completes without errors

acceptance_criteria:
- `browser-ext/package.json` declares `superjson >= 2.2.6`
- Lock file reflects the updated version (no version in the 2.2.1–2.2.5 range is resolved)
- Browser extension builds successfully
- tRPC client communication works correctly with the updated dependency
- No prototype pollution vulnerability remains (CVE-2022-23631 is fixed in >=2.2.6)

validation:
- `cd browser-ext && pnpm install && pnpm build` succeeds without errors
- `pnpm list superjson` shows version >= 2.2.6
- Run the browser extension and verify that API communication works

notes:
- Finding p8-011: CVE-2022-23631 (CVSS 10.0) affects superjson 2.2.1–2.2.5
- The web server is NOT affected (it does not use superjson)
- This is a quick fix, primarily a dependency version bump
- The caret range `^2.2.1` allows 2.2.1–2.2.5; changing it to `^2.2.6` ensures only patched versions are installed
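The range and lock-file checks from the acceptance criteria, as an added CI guard written for this ticket (not code from the browser extension). It assumes the declared range is a caret range and that the lock file is a pnpm-lock.yaml whose resolved package keys look like `superjson@2.2.6:` (lockfile v9) or `/superjson@2.2.6:` (v6); the lock excerpts at the bottom are constructed samples.

```typescript
// Added CI guard for this ticket's acceptance criteria (not project code).
// Assumes a caret range in package.json and pnpm-lock.yaml package keys of the
// form "superjson@x.y.z:" (v9) or "/superjson@x.y.z:" (v6). Samples are constructed.
type Ver = [number, number, number];
const PATCHED_MIN: Ver = [2, 2, 6];                                    // fixed in >= 2.2.6
const VULNERABLE: Ver[] = [1, 2, 3, 4, 5].map((p): Ver => [2, 2, p]);  // 2.2.1 through 2.2.5

function parseVersion(s: string): Ver {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(s.trim());
  if (!m) throw new Error(`not a plain x.y.z version: ${s}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}
function compare(a: Ver, b: Ver): number {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}
// "^2.2.1" -> [2,2,1]: the lowest version the caret range can resolve to.
function caretFloor(range: string): Ver {
  if (range.charAt(0) !== "^") throw new Error(`expected a caret range: ${range}`);
  return parseVersion(range.slice(1));
}
// A caret range ^a.b.c with a > 0 admits v exactly when a.b.c <= v < (a+1).0.0.
function caretAdmits(range: string, v: Ver): boolean {
  const floor = caretFloor(range);
  if (floor[0] === 0) throw new Error("0.x caret semantics are out of scope here");
  return v[0] === floor[0] && compare(v, floor) >= 0;
}
// Does the package.json range still allow an affected version to be installed?
function rangeAdmitsVulnerable(range: string): boolean {
  return VULNERABLE.some((v) => caretAdmits(range, v));
}
// Every resolved version of `pkg` recorded in the lock file's packages section.
function resolvedVersions(lock: string, pkg: string): string[] {
  const re = new RegExp(`^\\s*/?${pkg}@(\\d+\\.\\d+\\.\\d+)[^\\n]*:\\s*$`, "gm");
  const out: string[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(lock)) !== null) out.push(String(m[1]));
  return out;
}
// The lock file passes only if superjson is present and every resolved copy is patched.
function lockIsSafe(lock: string): boolean {
  const vs = resolvedVersions(lock, "superjson");
  return vs.length > 0 && vs.every((v) => compare(parseVersion(v), PATCHED_MIN) >= 0);
}
// Constructed pnpm-lock.yaml excerpts (integrity values are placeholders, not real hashes).
const LOCK_BEFORE = "packages:\n  superjson@2.2.1:\n    resolution: {integrity: sha512-PLACEHOLDER}\n";
const LOCK_AFTER = "packages:\n  superjson@2.2.6:\n    resolution: {integrity: sha512-PLACEHOLDER}\n";
```

Run `rangeAdmitsVulnerable` against the `superjson` entry of `browser-ext/package.json` and `lockIsSafe` against the contents of the lock file; either returning the wrong value should fail the build.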