Raise template audit level to high and clean up GHSA suppressions #702
Closed
bryan-thompsoncodes wants to merge 3 commits into main from
Conversation
…ssions

Template CI workflows now use --audit-level=high (matching the website's existing policy) instead of the default moderate level. This eliminates the need to suppress moderate/low severity transitive vulnerabilities that only upstream maintainers can fix. Removes GHSA-2g4f-4pwh-qvx6 (ajv, medium) and GHSA-w7fw-mjwx-w883 (qs, low) from the express-js template's ignoreGhsas list since they fall below the new threshold. Adds an audit policy section to DEPENDENCY_MANAGEMENT.md documenting the approach and a quarterly review cadence for remaining suppressions.

The audit-level=high change exposed transitive vulnerabilities that were always present but hadn't been audited recently. All are in upstream dependency trees (TypeSpec compiler, vitest, express) that we cannot fix.
quickstart: 4 high-severity GHSAs (all via @typespec/compiler > tar, picomatch)
express-js: 13 high-severity GHSAs (via @typespec/compiler, vitest, express)
Documents each high-severity suppressed GHSA with severity, package, issue description, dependency path, and remediation notes. Adds //ignoreGhsas comment to both template package.json files pointing to the registry. References AUDIT_EXCEPTIONS.md from DEPENDENCY_MANAGEMENT.md.
Author (Collaborator):
Going a different route after discussing with team #703
Summary

Changes proposed

Raises template CI audit level from default (moderate) to --audit-level=high, matching the website's existing policy. Removes 2 GHSA suppressions from the express-js template that fall below the new threshold. Documents the audit policy and quarterly review cadence in DEPENDENCY_MANAGEMENT.md.

The recent Dependabot PRs (#673, #679, #697) accumulated 21 GHSA audit exceptions across the template package.json files. Most are moderate/low severity transitive vulnerabilities deep in the TypeSpec, vitest, and express dependency trees that only upstream maintainers can fix. Suppressing each one individually doesn't scale — raising the audit level is the sustainable fix.

Context for reviewers

With --audit-level=high:

File | Change
ci-template-express-js.yml | --audit-level=high added
ci-template-quickstart.yml | --audit-level=high added
templates/express-js/package.json | 2 entries removed from ignoreGhsas
DEPENDENCY_MANAGEMENT.md | audit policy section added

Verified by reviewing each GHSA severity against the GitHub Advisory Database. The 2 remaining express-js entries (GHSA-3ppc-4f35-3m26, GHSA-83g3-92jg-28cx) are both high severity.
Additional information
None.
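The policy this PR describes (fail CI on high and above, keep an explicit ignoreGhsas allowlist for the rest, review the allowlist quarterly) can be checked mechanically rather than by reading each advisory by hand. The script below is an added example and is not code from this PR or from the repository: it consumes `npm audit --json` output in the npm 7+ report shape (top-level `vulnerabilities` keyed by package, each with a `via` array whose object entries carry the advisory `url` and `severity`), applies the audit level, and reports suppressions that are stale (below the threshold, or no longer in the report, which is exactly the ajv/qs case) or past their review date. The function names (`evaluateAudit`, `advisoriesFrom`, `normalizeGhsa`), the optional `{ghsa, reason, reviewBy}` allowlist entry shape used to model the review cadence, and the `GHSA-0000-0000-000x` IDs in the sample report are assumptions made for this example; plain string entries like the template's real ignoreGhsas list are also accepted.

```javascript
// Added example, not code from the PR or the repository. Evaluates an
// `npm audit --json` report against an audit level plus a GHSA allowlist.
// Assumed report shape: npm >= 7 ("vulnerabilities" keyed by package, each
// with a "via" array; object entries are advisories, string entries are
// edges to other vulnerable packages). Allowlist entries are either plain
// GHSA strings (the template's ignoreGhsas format) or constructed
// {ghsa, reason, reviewBy} objects; reviewBy models the quarterly review.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };
const GHSA_RE = /GHSA-([0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4})/i;

// Canonical "GHSA-xxxx-xxxx-xxxx" spelling, extracted from an ID or an advisory URL.
function normalizeGhsa(text) {
  const m = GHSA_RE.exec(String(text));
  return m ? `GHSA-${m[1].toLowerCase()}` : null;
}

// One entry per advisory; a GHSA reachable through several packages is kept once.
function advisoriesFrom(report) {
  const byId = new Map();
  for (const [pkg, vuln] of Object.entries(report.vulnerabilities || {})) {
    for (const via of vuln.via || []) {
      if (typeof via !== 'object' || !via.url) continue; // dependency edge, not an advisory
      const ghsa = normalizeGhsa(via.url);
      if (ghsa && !byId.has(ghsa)) {
        byId.set(ghsa, { ghsa, pkg: via.name || pkg, severity: via.severity, title: via.title });
      }
    }
  }
  return [...byId.values()];
}

// policy: { auditLevel, ignoreGhsas, today } with today as an ISO date (injected for determinism).
function evaluateAudit(report, policy) {
  const threshold = SEVERITY_RANK[policy.auditLevel];
  if (threshold === undefined) throw new Error(`unknown audit level: ${policy.auditLevel}`);
  const allow = new Map();
  for (const e of policy.ignoreGhsas || []) {
    const entry = typeof e === 'string' ? { ghsa: e, reason: '', reviewBy: null } : e;
    const id = normalizeGhsa(entry.ghsa);
    if (!id) throw new Error(`malformed GHSA in allowlist: ${entry.ghsa}`);
    allow.set(id, entry);
  }
  const result = { failing: [], suppressed: [], belowThreshold: [], staleSuppressions: [], expiredSuppressions: [] };
  const advisories = advisoriesFrom(report);
  for (const adv of advisories) {
    const rank = SEVERITY_RANK[adv.severity] ?? SEVERITY_RANK.critical; // unknown severity: worst case
    const entry = allow.get(adv.ghsa);
    if (rank < threshold) {
      result.belowThreshold.push(adv.ghsa);
      if (entry) result.staleSuppressions.push(adv.ghsa); // suppression the threshold already covers
      continue;
    }
    if (!entry) { result.failing.push(adv.ghsa); continue; }
    if (entry.reviewBy && entry.reviewBy < policy.today) result.expiredSuppressions.push(adv.ghsa);
    else result.suppressed.push(adv.ghsa);
  }
  const present = new Set(advisories.map(a => a.ghsa));
  for (const id of allow.keys()) if (!present.has(id)) result.staleSuppressions.push(id); // fixed upstream or mistyped
  // An expired suppression fails the build so the review cannot be skipped silently.
  result.pass = result.failing.length === 0 && result.expiredSuppressions.length === 0;
  return result;
}

// Constructed sample report. The ajv and qs IDs are the two removed in this PR;
// the GHSA-0000-0000-000x IDs are placeholders, not real advisories.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    ajv: { name: 'ajv', severity: 'moderate', isDirect: false,
      via: [{ source: 1, name: 'ajv', dependency: 'ajv', title: 'sample', url: 'https://github.com/advisories/GHSA-2g4f-4pwh-qvx6', severity: 'moderate' }] },
    qs: { name: 'qs', severity: 'low', isDirect: false,
      via: [{ source: 2, name: 'qs', dependency: 'qs', title: 'sample', url: 'https://github.com/advisories/GHSA-w7fw-mjwx-w883', severity: 'low' }] },
    tar: { name: 'tar', severity: 'high', isDirect: false,
      via: [{ source: 3, name: 'tar', dependency: 'tar', title: 'sample', url: 'https://github.com/advisories/GHSA-0000-0000-0001', severity: 'high' }] },
    picomatch: { name: 'picomatch', severity: 'high', isDirect: false,
      via: [{ source: 4, name: 'picomatch', dependency: 'picomatch', title: 'sample', url: 'https://github.com/advisories/GHSA-0000-0000-0002', severity: 'high' }] },
    // Reaches the two above through edges only; no advisory of its own.
    '@typespec/compiler': { name: '@typespec/compiler', severity: 'high', isDirect: true, via: ['tar', 'picomatch'] },
  },
};

const POLICY = {
  auditLevel: 'high',
  today: '2025-04-01',
  ignoreGhsas: [
    'GHSA-2g4f-4pwh-qvx6', // ajv, moderate: below the high threshold, so reported as stale
    { ghsa: 'GHSA-0000-0000-0001', reason: 'tar via @typespec/compiler, upstream fix pending', reviewBy: '2025-07-01' },
  ],
};

console.log(JSON.stringify(evaluateAudit(SAMPLE_REPORT, POLICY), null, 2));
```

Run against the sample, the check fails on the unsuppressed placeholder advisory, keeps the tar suppression until its review date, and lists the ajv entry as stale; rerunning with `auditLevel: 'moderate'` shows why that entry was needed under the default level. Wire it into CI by piping `npm audit --json` into the script and exiting non-zero when `pass` is false.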