11. Fix browser extension vulnerable dependency (superjson CVE-2022-23631)

meta: id: security-fixes-11 feature: security-fixes priority: P2 depends_on: [] tags: [dependency-update, tests-required, medium-severity]

objective:

Update the browser extension's superjson dependency to patch CVE-2022-23631 (prototype pollution → RCE)

deliverables:

Updated browser-ext/package.json with superjson pinned to >=2.2.6
Updated lock file
Verification that the extension still functions correctly with the updated dependency

steps:

Examine browser-ext/package.json:18 — current declaration is "superjson": "^2.2.1"
Update the dependency to "superjson": "^2.2.6" (or latest stable version)
Run pnpm install in the browser-ext directory to update the lock file
Verify that browser-ext/src/lib/api-client.ts (tRPC client using superjson) still works with the updated version
Check for any breaking changes in the superjson changelog between 2.2.1 and the target version
Run the browser extension build to confirm no compilation errors

tests:

Unit: tRPC client serialization/deserialization works with the updated superjson version
Integration: Browser extension can successfully communicate with the tRPC API
Build: pnpm build in the browser-ext directory completes without errors

acceptance_criteria:

browser-ext/package.json declares superjson >= 2.2.6
Lock file reflects the updated version (no 2.2.1–2.2.5 range resolved)
Browser extension builds successfully
tRPC client communication works correctly with the updated dependency
No prototype pollution vulnerability remains (CVE-2022-23631 is fixed in >=2.2.6)

validation:

notes:

Finding p8-011: CVE-2022-23631 (CVSS 10.0) affects superjson 2.2.1–2.2.5
The web server is NOT affected (does not use superjson)
This is a quick fix — primarily a dependency version bump
The caret range ^2.2.1 allows 2.2.1–2.2.5; changing to ^2.2.6 ensures only patched versions are installed