Kordant/tasks/security-fixes/11-fix-browser-ext-superjson-cve.md
2026-05-29 09:03:47 -04:00

# 11. Fix browser extension vulnerable dependency (superjson CVE-2022-23631)
meta:
id: security-fixes-11
feature: security-fixes
priority: P2
depends_on: []
tags: [dependency-update, tests-required, medium-severity]
objective:
- Update the browser extension's superjson dependency to patch CVE-2022-23631 (prototype pollution → RCE)
deliverables:
- Updated `browser-ext/package.json` with superjson declared at `^2.2.6`, so no release below 2.2.6 is admitted
- Updated lock file
- Verification that the extension still functions correctly with the updated dependency
steps:
1. Examine `browser-ext/package.json:18` — current declaration is `"superjson": "^2.2.1"`
2. Update the dependency to `"superjson": "^2.2.6"` (or latest stable version)
3. Run `pnpm install` in the browser-ext directory to update the lock file
4. Verify that `browser-ext/src/lib/api-client.ts` (tRPC client using superjson) still works with the updated version
5. Check for any breaking changes in the superjson changelog between 2.2.1 and the target version
6. Run the browser extension build to confirm no compilation errors
tests:
- Unit: tRPC client serialization/deserialization works with the updated superjson version
- Integration: Browser extension can successfully communicate with the tRPC API
- Build: `pnpm build` in the browser-ext directory completes without errors
acceptance_criteria:
- `browser-ext/package.json` declares `superjson >= 2.2.6`
- Lock file reflects the updated version (no version in the 2.2.1 through 2.2.5 range resolved)
- Browser extension builds successfully
- tRPC client communication works correctly with the updated dependency
- No prototype pollution finding remains: `pnpm audit` reports no advisory for superjson (finding p8-011 states CVE-2022-23631 is fixed in >=2.2.6)
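The last acceptance criterion needs a concrete test rather than a version check alone. Below is an added regression harness, not code from the task file, from superjson or from the Kordant project: it runs a deserializer over an attacker-shaped payload and reports whether `Object.prototype` gained any property. The envelope format, the `naiveSetPath`/`safeSetPath` deserializers and the payload are hypothetical stand-ins showing the general shape of a path-based prototype-pollution bug and its fix; the real test would pass `SuperJSON.parse` and a payload from the advisory to `checkNoPrototypePollution` instead.

```javascript
// Added example, not superjson's code or the Kordant project's: a regression
// harness for the acceptance criterion "no prototype pollution remains". It runs
// a deserializer over an attacker-shaped payload and reports whether
// Object.prototype gained any property. The two deserializers below are
// hypothetical stand-ins that apply dotted override paths to a parsed value, the
// general shape of a path-based prototype-pollution bug; the real test would
// pass SuperJSON.parse in their place.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable stand-in: every path segment is honoured, so "__proto__.isAdmin"
// walks from a plain object onto Object.prototype and writes there.
function naiveSetPath(root, path, value) {
  const keys = path.split('.');
  let obj = root;
  for (const k of keys.slice(0, -1)) {
    if (obj[k] === null || typeof obj[k] !== 'object') obj[k] = {};
    obj = obj[k];
  }
  obj[keys[keys.length - 1]] = value;
}

// Hardened stand-in: refuse prototype-reaching segments up front and only walk
// through own properties, so no path can leave the object graph being built.
function safeSetPath(root, path, value) {
  const keys = path.split('.');
  if (keys.some(k => FORBIDDEN_KEYS.has(k))) {
    throw new Error(`refusing unsafe path "${path}"`);
  }
  let obj = root;
  for (const k of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(obj, k) ? obj[k] : undefined;
    if (own === null || typeof own !== 'object') obj[k] = {};
    obj = obj[k];
  }
  obj[keys[keys.length - 1]] = value;
}

// Hypothetical envelope: { value: <plain JSON>, overrides: { "<dotted path>": <value> } }.
function makeDeserializer(setPath) {
  return text => {
    const envelope = JSON.parse(text);
    const out = envelope.value;
    for (const [path, v] of Object.entries(envelope.overrides || {})) setPath(out, path, v);
    return out;
  };
}
const naiveDeserialize = makeDeserializer(naiveSetPath);
const safeDeserialize = makeDeserializer(safeSetPath);

// Constructed attacker payload: a benign value plus an override aimed at Object.prototype.
const POLLUTION_PAYLOAD = JSON.stringify({
  value: { user: 'alice' },
  overrides: { '__proto__.isAdmin': true },
});

// Snapshot Object.prototype, run the deserializer, and diff. Anything the payload
// planted is deleted again so a failing run cannot contaminate later tests.
function checkNoPrototypePollution(deserialize, payload) {
  const before = new Set(Object.getOwnPropertyNames(Object.prototype));
  let threw = false;
  try {
    deserialize(payload);
  } catch {
    threw = true;
  }
  const leaked = Object.getOwnPropertyNames(Object.prototype).filter(k => !before.has(k));
  for (const k of leaked) delete Object.prototype[k];
  return { polluted: leaked.length > 0, leaked, threw };
}
```

In the extension's own test suite the call becomes `checkNoPrototypePollution(SuperJSON.parse, payload)` with `payload` taken from the advisory, and the assertion is `polluted === false`; snapshotting and cleaning `Object.prototype` matters because a single leaked property would otherwise make every later test in the same process pass or fail for the wrong reason.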
validation:
- `cd browser-ext && pnpm install && pnpm build` — succeeds without errors
- `pnpm list superjson` — shows version >= 2.2.6
- Run the browser extension and verify API communication works
notes:
- Finding p8-011: CVE-2022-23631 (CVSS 10.0) affects superjson 2.2.1 through 2.2.5
- Before citing the CVE as closed by this change, confirm the finding: the upstream advisory for CVE-2022-23631 records the fix in superjson 1.8.1, so check that `pnpm audit` actually flags the installed 2.2.x release; the bump is harmless either way, but the acceptance criteria should rest on what the audit tool reports
- The web server is NOT affected (does not use superjson)
- This is a quick fix — primarily a dependency version bump
- The caret range `^2.2.1` admits any 2.x release from 2.2.1 upward, so the lock file can legitimately stay on 2.2.1 through 2.2.5; raising the floor to `^2.2.6` makes every version the range admits a patched one. Note that `pnpm install` keeps the locked 2.2.1 as long as it still satisfies the declared range, so the range change in `package.json` is what forces re-resolution
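The two mechanical checks behind the acceptance criteria, that the declared range can no longer admit a pre-fix release and that the lock file resolves none, can be scripted. The following is an added example, not code from the task file or the Kordant project; it assumes the pnpm-lock.yaml layout in which each resolved package appears as a `<name>@<version>` key (with a leading `/` in lockfile v6), uses no external semver package, and the lock fragment is constructed to stand in for `browser-ext/pnpm-lock.yaml`.

```javascript
// Added example, not code from the task file or the Kordant project: checks the
// two things the acceptance criteria ask for, (1) that the declared range in
// package.json can no longer admit a pre-fix superjson release and (2) that the
// lock file resolves no such release. Assumption: pnpm-lock.yaml lists each
// resolved package as a "<name>@<version>" key, with a leading "/" in lockfile
// v6; everything else is plain semver arithmetic with no external package.

// Parse "MAJOR.MINOR.PATCH" into numbers; a leading "v" or "-pre" suffix is tolerated.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareParsed(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function compareVersions(a, b) {
  return compareParsed(parseVersion(a), parseVersion(b));
}

// Exclusive upper bound of a caret range: ^2.2.1 -> <3.0.0, ^0.2.1 -> <0.3.0, ^0.0.1 -> <0.0.2.
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

// Does a package.json range (caret or exact pin) admit `version`?
// "^2.2.1" admits 2.2.1 up to but excluding 3.0.0, so 2.2.1 through 2.2.5 remain legal.
function rangeAllows(range, version) {
  const r = String(range).trim();
  const v = parseVersion(version);
  if (r.startsWith('^')) {
    const lower = parseVersion(r.slice(1));
    return compareParsed(v, lower) >= 0 && compareParsed(v, caretUpperBound(lower)) < 0;
  }
  return compareParsed(v, parseVersion(r)) === 0;
}

// True when every version the range admits is at or above the first patched release.
function rangeExcludesVulnerable(range, fixedVersion) {
  const r = String(range).trim();
  const lower = r.startsWith('^') ? r.slice(1) : r;
  return compareVersions(lower, fixedVersion) >= 0;
}

// Every version of `pkg` the lock file resolves: matches keys such as
// "  superjson@2.2.1:" (lockfile v9), "  /superjson@2.2.1:" (v6) and
// peer-suffixed forms like "superjson@2.2.1(typescript@5.4.0):".
function resolvedVersions(lockText, pkg) {
  const escaped = pkg.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const re = new RegExp(`^\\s*['"]?/?${escaped}@(\\d+\\.\\d+\\.\\d+)[^:\\n]*:`, 'gm');
  const found = new Set();
  for (const m of lockText.matchAll(re)) found.add(m[1]);
  return [...found].sort(compareVersions);
}

// Resolved versions that predate the fix; an empty list is what the task wants to see.
function vulnerableResolutions(lockText, pkg, fixedVersion) {
  return resolvedVersions(lockText, pkg).filter(v => compareVersions(v, fixedVersion) < 0);
}

// Constructed lock fragment in the v9 layout, standing in for browser-ext/pnpm-lock.yaml
// as it would look before the bump.
const SAMPLE_LOCK_BEFORE = `lockfileVersion: '9.0'

importers:
  .:
    dependencies:
      superjson:
        specifier: ^2.2.1
        version: 2.2.1

packages:
  '@trpc/client@10.45.2':
    resolution: {integrity: sha512-constructed}
  superjson@2.2.1:
    resolution: {integrity: sha512-constructed}

snapshots:
  superjson@2.2.1:
    dependencies:
      copy-anything: 3.0.5
`;

// The same lock after `pnpm install` with the range raised to ^2.2.6.
const SAMPLE_LOCK_AFTER = SAMPLE_LOCK_BEFORE.replace(/2\.2\.1/g, '2.2.6');

// One call summarising both checks for a given package.json range and lock text.
function auditSuperjson(declaredRange, lockText, fixedVersion = '2.2.6') {
  return {
    rangeOk: rangeExcludesVulnerable(declaredRange, fixedVersion),
    resolved: resolvedVersions(lockText, 'superjson'),
    vulnerable: vulnerableResolutions(lockText, 'superjson', fixedVersion),
  };
}
```

Run `auditSuperjson` on the real `package.json` range and the contents of `browser-ext/pnpm-lock.yaml`; `rangeOk === true` and an empty `vulnerable` list together cover the first two acceptance criteria, and the lock scan is the part `pnpm list superjson` can miss when a second copy of the package is resolved under a different peer-dependency suffix.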