Web Service Dependency Vulnerabilities

Overview

This document tracks known dependency security vulnerabilities in the web service and their remediation status.

Current Status

  • Last Audit: 2025-11-10
  • Critical Issues: 0 (resolved)
  • Outstanding Issues: 5 (1 high, 2 moderate, 2 low)

Resolved Vulnerabilities

Critical: form-data (RESOLVED 2025-11-10)

Outstanding Vulnerabilities

1. HIGH: pdfjs-dist ≤4.1.392

  • Issue: Arbitrary JavaScript execution upon opening a malicious PDF
  • Advisory: https://github.com/advisories/GHSA-wgrm-67xf-hhpq
  • Current Version: ≤4.1.392
  • Fix Available: v5.4.394 (breaking change required)
  • Impact: PDF viewing functionality
  • Priority: HIGH - address in next maintenance cycle
  • Mitigation: Only process trusted PDFs

2. MODERATE: dompurify <3.2.4

  • Issue: XSS vulnerability in DOMPurify
  • Advisory: https://github.com/advisories/GHSA-vhxf-7vqr-mrjg
  • Fix Available: Requires handsontable@16.1.1 (breaking change)
  • Impact: HTML sanitization in user-generated content
  • Priority: Medium
  • Mitigation: Existing CSP policies provide additional XSS protection

3. LOW: @eslint/plugin-kit <0.3.4

  • Issue: Regular Expression Denial of Service (ReDoS)
  • Advisory: https://github.com/advisories/GHSA-xffm-g5w8-qvg7
  • Fix Available: Requires eslint@9.39.1 (outside dependency range)
  • Impact: Dev tooling only
  • Priority: Low
  • Mitigation: Dev environment only, no production impact

4-5. LOW: Additional vulnerabilities (2)

  • Impact: Dev dependencies only
  • Priority: Low

Remediation Plan

Phase 1: High Priority (Next Sprint)

  • Update pdfjs-dist to v5.4.394
  • Test PDF viewing and download functionality
  • Verify no breaking changes in PDF workflows

Phase 2: Medium Priority (Within 2 Sprints)

  • Update handsontable to v16.1.1 (includes dompurify fix)
  • Test all grid components using Handsontable
  • Verify HTML sanitization still works correctly

Phase 3: Low Priority (Next Major Angular Update)

  • Update ESLint tooling as part of Angular upgrade
  • Address remaining low-severity dev dependency issues

Testing Required

After each update, verify:

  • PDF viewing and download functionality
  • Handsontable grid rendering and editing
  • HTML sanitization in rich text fields
  • ESLint configuration and linting rules

Commands

# View current vulnerabilities
pnpm audit

# Attempt safe fixes only
pnpm audit --fix

# Check dependency tree
pnpm why <package-name>

Note: pnpm does not have a --force equivalent for pnpm audit --fix. For breaking changes, manually update the dependency in package.json and run pnpm install.
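To make the manual update path above checkable, the following script is an added example (not part of this tracking document or the web service's own tooling). It reads a package.json and reports, for each package tracked above, whether the declared version's lower bound reaches the fix version listed in this document. It deliberately checks the lower bound of the declared range (for example "^4.1.392" is read as 4.1.392), not the version pnpm actually resolved; use pnpm why <package-name> for the latter. The sample manifest embedded at the bottom is constructed for illustration, and dompurify and @eslint/plugin-kit are checked indirectly through the direct dependencies (handsontable, eslint) that the document says carry their fixes.

```javascript
// Added example, not the project's own code: verify that the versions declared
// in package.json meet the fix thresholds listed in this document.

// Fix thresholds taken from the "Outstanding Vulnerabilities" section.
// dompurify and @eslint/plugin-kit are transitive, so the direct dependencies
// that pull them in are the ones checked here.
const FIX_THRESHOLDS = {
  'pdfjs-dist': '5.4.394',  // GHSA-wgrm-67xf-hhpq
  'handsontable': '16.1.1', // carries the dompurify >=3.2.4 fix
  'eslint': '9.39.1',       // carries the @eslint/plugin-kit >=0.3.4 fix
};

// Strip a leading range operator (^, ~, >=, =) and return the numeric lower
// bound as [major, minor, patch], or null when the spec is not a plain semver
// version (workspace:, git URL, "*", tag names, etc.).
function lowerBound(spec) {
  const m = /^\s*(?:\^|~|>=|=)?\s*v?(\d+)\.(\d+)\.(\d+)/.exec(String(spec));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Compare two [major, minor, patch] triples numerically: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Build a report keyed by package name. Status is one of:
//   'fixed'        declared lower bound >= fix version
//   'vulnerable'   declared lower bound <  fix version
//   'unparseable'  spec is not a plain semver range (inspect by hand)
//   'not-declared' package is not a direct dependency in this manifest
function auditManifest(manifest) {
  // dependencies take precedence over devDependencies if both list a package
  const declared = Object.assign({}, manifest.devDependencies || {}, manifest.dependencies || {});
  const report = {};
  for (const [pkg, fixVersion] of Object.entries(FIX_THRESHOLDS)) {
    const spec = declared[pkg];
    if (spec === undefined) {
      report[pkg] = { status: 'not-declared', spec: null, fixVersion };
      continue;
    }
    const lb = lowerBound(spec);
    if (lb === null) {
      report[pkg] = { status: 'unparseable', spec, fixVersion };
      continue;
    }
    const ok = compareVersions(lb, lowerBound(fixVersion)) >= 0;
    report[pkg] = { status: ok ? 'fixed' : 'vulnerable', spec, fixVersion };
  }
  return report;
}

// Convenience wrapper for the manifest path named under "References".
// fs is required lazily so the rest of the script also works where no file is read.
function auditManifestFile(path = 'src/services/web/package.json') {
  const fs = require('fs');
  return auditManifest(JSON.parse(fs.readFileSync(path, 'utf8')));
}

// Constructed sample manifest (not the real one) reflecting the state this
// document describes: pdfjs-dist and handsontable below their fix versions,
// eslint already pinned at the fixed release.
const SAMPLE_MANIFEST = {
  name: 'web-service-sample',
  dependencies: {
    'pdfjs-dist': '^4.1.392',
    'handsontable': '^15.0.0',
  },
  devDependencies: {
    'eslint': '9.39.1',
  },
};

// Print one line per tracked package; returns the number of vulnerable entries
// so it can double as an exit status in a CI step.
function printReport(manifest) {
  const report = auditManifest(manifest);
  let vulnerable = 0;
  for (const [pkg, r] of Object.entries(report)) {
    console.log(`${pkg}: ${r.status} (declared ${r.spec}, fix ${r.fixVersion})`);
    if (r.status === 'vulnerable') vulnerable++;
  }
  return vulnerable;
}

printReport(SAMPLE_MANIFEST);
```

Replace the call at the bottom with printReport(auditManifestFile()) to run it against the real manifest from the repository root; a non-zero return value means at least one tracked package still declares a version below its fix threshold.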

References

  • Web service location: src/services/web/
  • Package manifest: src/services/web/package.json
  • Package manager configuration: src/services/web/.npmrc