
Upgrade @crowdstrike/foundry-js to 0.22.0, fix tmp and ws CVEs #128

Status: Closed

mraible wants to merge 1 commit into main from upgrade-foundry-js-0.22.0

Conversation

mraible (Contributor) commented Jun 1, 2026

Upgrades @crowdstrike/foundry-js from 0.21.0 to 0.22.0 and fixes two security vulnerabilities in transitive dependencies:

  • tmp (0.2.5 -> 0.2.7): Path traversal via unsanitized prefix/postfix that enables directory escape (GHSA-ph9p-34f9-6g65, high severity)
  • ws (8.19.0 -> 8.21.0): Uninitialized memory disclosure (GHSA-58qx-3vcg-4xpx, moderate severity)

Both fixes are applied via overrides in package.json. The lockfile has been migrated from npm (package-lock.json) to pnpm (pnpm-lock.yaml). The dist bundle has been rebuilt. All 23 tests pass and pnpm audit reports no known vulnerabilities.

Upgrades @crowdstrike/foundry-js from 0.21.0 to 0.22.0. Adds overrides for tmp (0.2.7) and ws (8.21.0) to fix path traversal (GHSA-ph9p-34f9-6g65) and uninitialized memory disclosure (GHSA-58qx-3vcg-4xpx) vulnerabilities. Migrates from npm to pnpm for lockfile management.
@mraible mraible requested a review from a team June 1, 2026 15:56
mraible (Contributor, Author) commented Jun 1, 2026

Closing - incorrectly migrated from npm to pnpm. Will redo with npm.

@mraible mraible closed this Jun 1, 2026
@mraible mraible deleted the upgrade-foundry-js-0.22.0 branch June 1, 2026 16:31
