
fix(deps): patch basic-ftp, fast-uri, fast-xml-builder (PMAA-113, PMAA-114)#313

Merged
gaurav-singh-9227 merged 1 commit into browserstack:main from manoj-k04:fix/security-vulns on Jun 1, 2026

Conversation

@manoj-k04
Collaborator

Summary

Patches three transitive dependency CVEs surfaced via Dependabot + bumps the server to 1.2.21.

| Package | Before | After | Advisory |
|---|---|---|---|
| basic-ftp | 5.3.0 | 5.3.1 | GHSA-rpmf-866q-6p89 — client-side DoS via unbounded multiline FTP control response buffering (CVSS 7.5) — PMAA-113 |
| fast-uri | 3.1.0 | 3.1.2 | GHSA-q3j6-qgpj-74h6 — path traversal via percent-encoded dot segments (CVSS 7.5) — PMAA-114 |
| fast-xml-builder | 1.1.5 | 1.2.0 | GHSA-5wm8-gmm8-39j9 — attribute-quote escape enabling injected HTML/XML attributes |

All three are transitive, so the fix lives entirely in package-lock.json. Lockfile was regenerated from scratch (rm package-lock.json && npm install) rather than surgical bumps — picks up registry-current resolutions across the tree. npm audit now reports 0 vulnerabilities (all severities).

Closes Dependabot PRs #290, #292, #293 — they can be closed once this lands.

Test plan

  • npm run lint — clean
  • npm run format — no changes
  • npm test — 21 files / 182 tests passing
  • npx tsc — clean compile
  • npm audit — 0 vulnerabilities
  • MCP smoke test against the rebuilt server: full TestManagement create → list → update → run → result → close chain ran end-to-end against real BrowserStack TCM (project PR-135949); 11 additional read-only tools round-tripped with dummy IDs without transport errors
  • Reviewer verification: npm ci && npm audit && npm test

🤖 Generated with Claude Code
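Reviewer-side check, added here as an example and not code from the PR or the project: because the fix lives only in `package-lock.json`, a reviewer can scan the lockfile's `packages` map (lockfile v2/v3 format) for any copy of the three packages still below the fixed versions from the table above, including nested duplicates under a second `node_modules/` segment that a surgical bump of one path would miss. The sample lockfile and the `some-dep` package name are constructed for the demonstration.

```javascript
// Minimum fixed versions from the PR table (advisory in the comment).
const FIXED = {
  "basic-ftp": "5.3.1",        // GHSA-rpmf-866q-6p89
  "fast-uri": "3.1.2",         // GHSA-q3j6-qgpj-74h6
  "fast-xml-builder": "1.2.0", // GHSA-5wm8-gmm8-39j9
};

// Compare dotted numeric versions; returns -1, 0 or 1. Pre-release suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Lockfile v2/v3 keys look like "node_modules/a/node_modules/b"; the package is the last segment.
function packageName(key) {
  const idx = key.lastIndexOf("node_modules/");
  return idx === -1 ? null : key.slice(idx + "node_modules/".length);
}

// Returns one record per copy of a tracked package that is still below its fixed version.
function findUnpatched(lock) {
  const hits = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = packageName(key);
    if (!name || !(name in FIXED) || !entry.version) continue;
    if (compareVersions(entry.version, FIXED[name]) < 0) {
      hits.push({ path: key, name, version: entry.version, fixed: FIXED[name] });
    }
  }
  return hits;
}

// Constructed sample lockfile: top-level basic-ftp is patched, but a nested copy
// under the (constructed) "some-dep" package and fast-xml-builder are not.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/basic-ftp": { version: "5.3.1" },
    "node_modules/some-dep/node_modules/basic-ftp": { version: "5.3.0" },
    "node_modules/fast-uri": { version: "3.1.2" },
    "node_modules/fast-xml-builder": { version: "1.1.5" },
  },
};

for (const h of findUnpatched(SAMPLE_LOCK)) console.log(`${h.path}: ${h.name}@${h.version} < ${h.fixed}`);
```

To run it against the real file, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findUnpatched` instead of `SAMPLE_LOCK`; an empty result means every copy in the tree is at or above the fixed version.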

Resolves three transitive security advisories surfaced via Dependabot:
- basic-ftp 5.3.0 -> 5.3.1 (GHSA-rpmf-866q-6p89 — client-side DoS via unbounded multiline control response, PMAA-113)
- fast-uri 3.1.0 -> 3.1.2 (GHSA-q3j6-qgpj-74h6 — path traversal via percent-encoded dot segments, PMAA-114)
- fast-xml-builder 1.1.5 -> 1.2.0 (GHSA-5wm8-gmm8-39j9 — attribute-quote escape allowing injected attributes)

Lockfile regenerated from scratch (`rm package-lock.json && npm install`) so all transitive deps land on registry-current versions; npm audit reports 0 vulnerabilities.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
gaurav-singh-9227 merged commit a304aee into browserstack:main on Jun 1, 2026
1 check passed