
#100 Track and resolve transitive dependency vulnerabilities (npm audit)

closed
nobody
None
2026-05-06
2026-04-08
Anonymous
No

Originally created by: kumaakh

Summary

Static analysis via MseeP and npm audit report 9 vulnerabilities (6 high, 3 moderate) in transitive dependencies. All are fixable via npm audit fix. None are directly exploitable in apra-fleet's current deployment model (local CLI + SSH server), but they should be resolved before or shortly after a production release.


Findings (updated 2026-05-06)

HIGH

| Package | Advisories | Fix | Via | Mitigation |
|---|---|---|---|---|
| vite 7.0.0–7.3.1 | GHSA-4w7w-66w2-5vf9 path traversal in .map handling; GHSA-v2wj-q39q-566r server.fs.deny bypass; GHSA-p9ff-h696-f583 arbitrary file read via dev server WebSocket | >7.3.1 | vitest (devDependency) | Not exploitable in production. Vite is dev-only — not included in the SEA binary or distributed to users. Risk exists only on developer machines running npm test. |
| picomatch 4.0.0–4.0.3 | GHSA-3v7f-55p6-f55p method injection in POSIX char classes; GHSA-c2c7-rcm5-vvqj ReDoS via extglob quantifiers | >=4.0.4 | vitest (devDependency) | Not exploitable in production. Dev-only transitive dep. Patterns matched by picomatch are not user-controlled in the test suite. |
| path-to-regexp 8.0.0–8.3.0 | GHSA-j3q9-mxjg-w52f ReDoS via sequential optional groups; GHSA-27v5-c462-wpq7 ReDoS via multiple wildcards | >=8.4.0 | @modelcontextprotocol/sdk, express | Low exploitability. Fleet server listens only on localhost stdio/socket — not exposed to the network. Route patterns are fixed at startup, not user-supplied. |
| hono <4.12.14 | GHSA-q5qw-h33p-qvwr arbitrary file access via serveStatic; GHSA-5pq2-9x2x-5p6w cookie attribute injection; GHSA-p6xx-57qc-3wxr SSE CR/LF injection; GHSA-v8w9-8mx6-g223 prototype pollution; GHSA-26pp-8wgv-hjvm cookie name validation; GHSA-r5rp-j6wh-rvv4 cookie name bypass; GHSA-xf4j-xp2r-rqqx path traversal in toSSG(); GHSA-wmmm-f939-6g9c serveStatic repeated slashes; GHSA-458j-xx4x-4375 JSX HTML injection; GHSA-xpcf-pg52-r92g IPv4-mapped IPv6 in ipRestriction() | >=4.12.14 | @modelcontextprotocol/sdk | Low exploitability. Fleet does not expose hono routes publicly. The server binds to localhost stdio — cookie handling, serveStatic, and SSE are not used in fleet's MCP transport layer. Prototype pollution is the highest concern if user-controlled input ever reaches parseBody. |
| @hono/node-server <1.19.13 | GHSA-wc8c-qw6v-h7f6 auth bypass via encoded slashes in serveStatic; GHSA-92pp-h63x-v22m middleware bypass via repeated slashes | >=1.19.13 | @modelcontextprotocol/sdk | Low exploitability. Same rationale as hono — serveStatic is not used in fleet's MCP transport. |
| express-rate-limit 8.2.0–8.2.1 | GHSA-46wh-pxpv-q5gq IPv4-mapped IPv6 bypass in per-client rate limiting | >=8.2.2 | @modelcontextprotocol/sdk | Low exploitability. Rate limiting is not applied at the fleet server level. The server is not network-exposed. |

MODERATE

| Package | Advisory | Fix | Via | Mitigation |
|---|---|---|---|---|
| uuid 11.0.0–11.1.0 | GHSA-w5hq-g745-h8pq missing buffer bounds check in v3/v5/v6 | >=14.0.0 | direct production dependency | Fleet only uses uuid() (v4) with no buf argument — the vulnerable code path (custom buffer output) is never called. However, this is a direct dep and should be upgraded. Note: v14 is a major version jump — test for breaking changes. |
| postcss <8.5.10 | GHSA-qx2v-qp2m-jg93 XSS via unescaped </style> in CSS stringify | >=8.5.10 | vitest (devDependency) | Not exploitable in production. Dev-only dep. No CSS processing in the fleet binary. |

Fix

All 9 vulnerabilities report a fix available via npm audit fix:

npm audit fix
npm test   # verify nothing broke

Root cause for the MCP-chain findings (hono, @hono/node-server, express-rate-limit, path-to-regexp) is the version of @modelcontextprotocol/sdk. Upgrading the SDK should resolve those transitively.

For uuid: v14 is a major version bump — update package.json directly and verify the uuid() call signature hasn't changed.


Acceptance criteria

  • [ ] npm audit reports 0 high/critical vulnerabilities
  • [ ] All existing tests pass after fix
  • [ ] No breaking changes to MCP tool interfaces
  • [ ] uuid direct dependency bumped and tested

Related

Tickets: #105
Tickets: #252

Discussion

  • Anonymous

    Anonymous - 2026-04-23

    Originally posted by: kumaakh

    Technical direction: Run npm audit fix on a dedicated branch, then validate.

    Approach:

    • Create branch fix/npm-audit, run npm audit fix (dry-run first with --dry-run to review the 49-package addition)
    • The root cause is an outdated @modelcontextprotocol/sdk — check the SDK changelog for breaking API changes before bumping it
    • After fix: run npm test — all existing tests must pass
    • Run npm audit to confirm 0 high/critical remaining
    • The vite and picomatch findings are devDependencies only and do not appear in the production binary — these can be deprioritized if the SDK bump alone doesn't clear them
    • Add npm audit --audit-level high to the CI workflow (.github/workflows/ci.yml) as a gate to prevent regressions

    Key files:

    • package.json / package-lock.json — dependency versions
    • .github/workflows/ci.yml — add audit step
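
The acceptance criterion "0 high/critical" and the CI gate proposed in the comment above can be checked against the JSON that `npm audit --json` emits; the following is an added example, not code from the ticket or from apra-fleet. It assumes the `auditReportVersion: 2` layout (`vulnerabilities[name].severity`, `fixAvailable`, `isSemVerMajor`); `evaluateAudit` is a hypothetical helper name and `SAMPLE_REPORT` is constructed data.

```javascript
// Added example: evaluate parsed `npm audit --json` output (auditReportVersion 2).
// SAMPLE_REPORT is constructed for illustration; it is not this project's real audit output.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    hono: { name: 'hono', severity: 'high', isDirect: false, fixAvailable: true },
    vite: { name: 'vite', severity: 'high', isDirect: false, fixAvailable: true },
    uuid: {
      name: 'uuid', severity: 'moderate', isDirect: true,
      // A fix that crosses a major version is reported as an object, not `true`
      fixAvailable: { name: 'uuid', version: '14.0.0', isSemVerMajor: true },
    },
  },
};

// Severity ordering used for the threshold comparison
const RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Returns which packages fail the gate at `level`, which fixes are
// major-version bumps needing manual testing, and which have no fix at all.
function evaluateAudit(report, level = 'high') {
  if (!(level in RANK)) throw new Error(`unknown audit level: ${level}`);
  const result = { blocking: [], majorBumps: [], noFix: [] };
  for (const v of Object.values(report.vulnerabilities || {})) {
    // Fail closed: an unrecognised severity is treated as critical
    const rank = v.severity in RANK ? RANK[v.severity] : RANK.critical;
    if (rank >= RANK[level]) result.blocking.push(v.name);
    if (v.fixAvailable === false) result.noFix.push(v.name);
    else if (v.fixAvailable?.isSemVerMajor) result.majorBumps.push(v.name);
  }
  for (const key of Object.keys(result)) result[key].sort();
  result.pass = result.blocking.length === 0;
  return result;
}

// With the constructed report: hono and vite block the gate, and uuid is
// flagged as a major bump even though its severity is below the threshold.
const verdict = evaluateAudit(SAMPLE_REPORT);
console.log(JSON.stringify(verdict, null, 2));
```

In CI the parsed output of `npm audit --json` would replace `SAMPLE_REPORT`, and a false `pass` would set a non-zero exit code.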
     
  • Anonymous

    Anonymous - 2026-05-06

    Ticket changed by: kumaakh

    • status: open --> closed
     
