Security Vulnerability Backlog¶
Overview¶
Note: This is a temporary planning document that will be archived once all vulnerabilities are resolved.
GitHub Dependabot has identified 11 active security vulnerabilities in the SyRF monorepo dependencies. This document tracks these vulnerabilities using a service-based hierarchy for systematic remediation.
Current Status: 11 open alerts
- 2 High severity
- 8 Moderate severity
- 1 Low severity
Last Updated: 2025-11-14
Epic Hierarchy¶
This work is organized as a single epic with service-based parent tasks and specific sub-tasks for each dependency update.
Structure¶
Epic: Security Vulnerabilities - Dependabot Alerts
├── Parent: user-guide Security Updates (High Priority)
│ └── Sub-task: Fix REXML DoS vulnerabilities
├── Parent: web Production Dependency Updates (High/Moderate)
│ ├── Sub-task: Investigate & Fix PDF.js vulnerability
│ ├── Sub-task: Update DOMPurify
│ └── Sub-task: Update js-yaml
├── Parent: api/pm Service Updates (Moderate)
│ └── Sub-task: Fix OpenTelemetry sensitive logging
└── Parent: web Development Dependency Updates (Low-Moderate)
├── Sub-task: Update Vite
├── Sub-task: Update webpack-dev-server
├── Sub-task: Update http-proxy-middleware
├── Sub-task: Update ESLint plugins
└── Sub-task: Update misc dev dependencies
Epic Summary¶
| Issue | Level | Alerts | Services | Estimate | Status |
|---|---|---|---|---|---|
| Security Vulnerabilities | Epic | ~28 | all | 7-11h | #2177 |
| ├─ user-guide Security Updates | Parent | 6 | user-guide | 2-3h | #2178 |
| │ └─ Fix REXML DoS vulnerabilities | Sub-task | 6 | user-guide | 2-3h | #2173 |
| ├─ web Production Dependency Updates | Parent | 3 | web | 4-6h | #2179 |
| │ ├─ Investigate & Fix PDF.js | Sub-task | 1 | web | 2-3h | #2174 |
| │ ├─ Update DOMPurify | Sub-task | 1 | web | 1h | #2182 |
| │ └─ Update js-yaml | Sub-task | 1 | web | 1h | #2183 |
| ├─ api/pm Service Updates | Parent | 1 | api/pm | 2-3h | #2180 |
| │ └─ Fix OpenTelemetry sensitive logging | Sub-task | 1 | api/pm | 2-3h | #2184 |
| └─ web Development Dependency Updates | Parent | 18+ | web | 1-2h | #2181 |
| ├─ Update Vite | Sub-task | 6 | web | 30m | #2185 |
| ├─ Update webpack-dev-server | Sub-task | 2 | web | 15m | #2186 |
| ├─ Update http-proxy-middleware | Sub-task | 4 | web | 15m | #2187 |
| ├─ Update ESLint plugins | Sub-task | 2 | web | 15m | #2188 |
| └─ Update misc dev dependencies | Sub-task | 4 | web | 15m | #2189 |
1. Epic: Security Vulnerabilities - Dependabot Alerts¶
Issue: #2177 Priority: High Total Alerts: ~28 Dependabot alerts Estimated Effort: 7-11 hours Services Affected: user-guide, web, api, project-management
Description¶
Systematic remediation of all Dependabot security alerts across the SyRF monorepo, organized by service for efficient batch updates and testing.
Parent Tasks¶
- user-guide Security Updates (#2178)
- web Production Dependency Updates (#2179)
- api/pm Service Updates (#2180)
- web Development Dependency Updates (#2181)
Overall Acceptance Criteria¶
- All 11 active Dependabot alerts resolved
- No new vulnerabilities introduced
- All service test suites pass
- Staging deployments successful for affected services
- Production deployments successful after staging verification
1.1. user-guide Security Updates¶
Issue: #2178 Priority: High Alerts: 6 REXML vulnerabilities Service: user-guide (Jekyll documentation) Estimated Effort: 2-3 hours
Description¶
Update Ruby gems in the user-guide Jekyll application to resolve multiple REXML denial of service vulnerabilities.
Sub-tasks¶
- Fix REXML DoS vulnerabilities (#2173)
Acceptance Criteria¶
- All 6 REXML-related Dependabot alerts resolved
- User-guide service test suite passes
- Jekyll site builds successfully locally
- Docker compose works for local development
- CI/CD pipeline builds user-guide successfully
- Deployed site at help.syrf.org.uk is functional
1.1.1. Fix REXML DoS Vulnerabilities¶
Issue: #2173 Priority: High Parent: user-guide Security Updates (#2178)
Affected Alerts¶
- 142 - GHSA-vmwr-mc7x-5vc3 (High)
- 141 - GHSA-5866-49gr-22v4 (Moderate)
- 140 - GHSA-r55c-59qm-vjw6 (Moderate)
- 139 - GHSA-4xqq-m2hx-25v8 (Moderate)
- 138 - GHSA-vg3r-rm7w-2xgh (Moderate)
- 143 - GHSA-2rxp-v6pw-ch6m (Moderate)
Impact¶
Potential DoS attacks during the documentation build. This affects the build environment rather than production, but a hang or crash in the XML parser could disrupt CI/CD pipelines.
Implementation Steps¶
- Run `bundle update` in the user-guide directory
- Review Gemfile.lock changes
- Test Jekyll site builds locally
- Test Docker compose (`docker-compose up`)
- Verify CI/CD pipeline builds successfully
- Check deployed site at help.syrf.org.uk
- Verify all 6 alerts are closed
Files to Update¶
- `user-guide/Gemfile`
- `user-guide/Gemfile.lock`
1.2. web Production Dependency Updates¶
Issue: #2179 Priority: High/Moderate Alerts: 3 (PDF.js, DOMPurify, js-yaml) Service: web (Angular frontend) Estimated Effort: 4-6 hours
Description¶
Update production JavaScript dependencies in the web service to resolve XSS and prototype pollution vulnerabilities.
Sub-tasks¶
- Investigate & Fix PDF.js vulnerability (#2174)
- Update DOMPurify (#2182)
- Update js-yaml (#2183)
Acceptance Criteria¶
- All 3 production dependency alerts resolved
- Web service test suite passes
- XSS protection verified
- YAML parsing functionality works
- Staging deployment successful
- Manual testing of affected features complete
1.2.1. Investigate & Fix PDF.js Vulnerability¶
Issue: #2174 Priority: High Parent: web Production Dependency Updates (#2179)
Affected Alert¶
- 135 - GHSA-wgrm-67xf-hhpq (High)
Impact¶
Arbitrary JavaScript execution when a malicious PDF is opened; a potential XSS vector if PDF viewing is enabled in the application.
Investigation Phase¶
- Search codebase for PDF.js imports
- Check package.json for pdf.js dependencies
- Review features that might use PDF viewing
- Document findings in issue
Remediation (based on investigation)¶
Option A - If PDF.js is used:
- Update PDF.js to patched version
- Test PDF viewing functionality
- Verify fix with test cases
Option B - If PDF.js is NOT used:
- Remove PDF.js from package.json
- Remove unused imports
- Verify build completes without PDF.js
Files to Check¶
- `src/services/web/package.json`
- `src/services/web/src/**/*.ts`
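The investigation phase above can be scripted. The following is an added example (not code from the SyRF repository): for a given npm package it reports whether `package.json` declares it directly and which TypeScript/JavaScript files import it, which is exactly the information that decides between Option A and Option B. It assumes PDF.js is referenced under its npm package name `pdfjs-dist`, and it runs against a constructed sample project so it can be executed anywhere; the real paths from the issue are shown in a trailing comment.

```shell
#!/usr/bin/env bash
# Added example, not SyRF code: answer the PDF.js investigation questions for
# one npm package: is it a direct dependency, and which source files import it?
set -eu

# Whether package.json lists $1 as a key (dependencies, devDependencies, overrides...).
declared_in_package_json() {    # $1 = package name, $2 = path to package.json
  grep -Eq "^[[:space:]]*\"$1\"[[:space:]]*:" "$2"
}

# Source files under $2 that import or require package $1 (or a subpath of it).
import_sites() {                # $1 = package name, $2 = source root
  grep -rlE --include='*.ts' --include='*.js' \
    "(from[[:space:]]+['\"]$1(/|['\"])|require\\(['\"]$1(/|['\"]))" "$2" 2>/dev/null || true
}

# One-line summary "direct=yes|no imports=<n>" for the issue write-up.
usage_summary() {               # $1 = package name, $2 = package.json, $3 = source root
  if declared_in_package_json "$1" "$2"; then direct=yes; else direct=no; fi
  count=$(import_sites "$1" "$3" | wc -l | tr -d ' ')
  echo "direct=$direct imports=$count"
}

# Constructed sample project (assumption: a viewer component imports pdfjs-dist).
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/src/app/viewer"
cat >"$SAMPLE/package.json" <<'EOF'
{
  "name": "web",
  "dependencies": {
    "@angular/core": "^18.0.0",
    "pdfjs-dist": "^3.0.0"
  }
}
EOF
cat >"$SAMPLE/src/app/viewer/pdf-viewer.component.ts" <<'EOF'
import * as pdfjsLib from 'pdfjs-dist';
export class PdfViewerComponent {}
EOF
cat >"$SAMPLE/src/app/app.component.ts" <<'EOF'
import { Component } from '@angular/core';
export class AppComponent {}
EOF

usage_summary pdfjs-dist "$SAMPLE/package.json" "$SAMPLE/src"   # direct=yes imports=1
import_sites pdfjs-dist "$SAMPLE/src"                             # the importing file

# Against the real checkout, using the paths listed in this issue:
# usage_summary pdfjs-dist src/services/web/package.json src/services/web/src
```

A direct dependency with zero import sites points at Option B (remove it); any import site points at Option A. The script only sees direct declarations and explicit imports, so also run `npm ls pdfjs-dist` in the web directory, which shows whether the package arrives transitively through another library (a PDF viewer component, for example) that would itself need updating.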
1.2.2. Update DOMPurify¶
Issue: #2182 Priority: Moderate Parent: web Production Dependency Updates (#2179)
Affected Alert¶
- 136 - GHSA-vhxf-7vqr-mrjg (Moderate)
Impact¶
Cross-site Scripting (XSS) vulnerability in DOMPurify could allow malicious scripts in user-generated content.
Implementation Steps¶
- Update DOMPurify in `src/services/web/package.json`
- Run `npm install` to update package-lock.json
- Test XSS protection with malicious input samples
- Verify sanitization of user-generated content
- Run web service test suite
- Manual testing of rich text editors/content display
Acceptance Criteria¶
- DOMPurify updated to patched version
- Alert #136 is resolved
- XSS protection still functions correctly
- All web tests pass
- No regression in content sanitization
1.2.3. Update js-yaml¶
Issue: #2183 Priority: Moderate Parent: web Production Dependency Updates (#2179)
Affected Alert¶
- 144 - GHSA-mh29-5h37-fv8m (Moderate)
Impact¶
Prototype pollution via the YAML merge key (`<<`) could allow attackers to modify object prototypes through crafted YAML input.
Implementation Steps¶
- Identify where js-yaml is used in codebase
- Update js-yaml in `src/services/web/package.json`
- Run `npm install` to update package-lock.json
- Test YAML parsing functionality
- Verify no breaking changes in YAML handling
- Run web service test suite
Acceptance Criteria¶
- js-yaml updated to patched version
- Alert #144 is resolved
- YAML parsing works correctly
- All web tests pass
- No regression in YAML-dependent features
1.3. api/pm Service Updates¶
Issue: #2180 Priority: Moderate Alerts: 1 (OpenTelemetry) Services: api, project-management Estimated Effort: 2-3 hours
Description¶
Update or configure OpenTelemetry instrumentation to prevent sensitive query parameters from being logged.
Sub-tasks¶
- Fix OpenTelemetry sensitive logging (#2184)
Acceptance Criteria¶
- Alert #134 is resolved
- Sensitive data not logged
- Telemetry still functions correctly
- All api and pm tests pass
- Staging deployment successful
1.3.1. Fix OpenTelemetry Sensitive Logging¶
Issue: #2184 Priority: Moderate Parent: api/pm Service Updates (#2180)
Affected Alert¶
- 134 - GHSA-vh2m-22xx-q94f (Moderate)
Impact¶
Sensitive query parameters (passwords, tokens, etc.) may be logged by default, potentially exposing sensitive data in logs.
Implementation Steps¶
Option A - Update packages:
- Update OpenTelemetry packages in api and pm services
- Test telemetry instrumentation
- Verify sensitive params are excluded
Option B - Configure filtering:
- Add configuration to exclude sensitive parameters
- Update appsettings.json for both services
- Test filtering with sample requests
Both options:
- Review existing logs for exposed sensitive data
- Document configuration changes
- Run api and pm test suites
- Integration testing with telemetry
Files to Update¶
- `src/services/api/SyRF.API.Endpoint/*.csproj` (if updating packages)
- `src/services/project-management/SyRF.ProjectManagement.Endpoint/*.csproj` (if updating packages)
- `src/services/api/SyRF.API.Endpoint/appsettings.json` (if configuring)
- `src/services/project-management/SyRF.ProjectManagement.Endpoint/appsettings.json` (if configuring)
Acceptance Criteria¶
- Alert #134 is resolved
- Sensitive parameters not logged
- Telemetry instrumentation works
- All api tests pass
- All pm tests pass
- Configuration documented
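The "review existing logs for exposed sensitive data" step, and the "log inspection" item in the testing strategy below, can be made repeatable. The following is an added example, not SyRF code: it scans captured log or trace-export lines for query-string parameters whose names suggest credentials, counts the hits, and produces a redacted copy that is safe to paste into the issue. The parameter-name list and the sample log lines are constructed assumptions; matching is case-sensitive and expects lowercase parameter names, as emitted by the services' URLs.

```shell
#!/usr/bin/env bash
# Added example, not SyRF code: measure credential exposure in query strings
# before the OpenTelemetry fix, and confirm it is zero afterwards.
set -eu

# Parameter names treated as sensitive (assumption; extend to match the services).
SENSITIVE_PARAMS='password|passwd|pwd|token|access_token|refresh_token|api_key|apikey|secret|session'

# A ?name=value or &name=value pair with a non-empty value.
SENSITIVE_RE="[?&]($SENSITIVE_PARAMS)=[^& \"']+"

# Lines that contain at least one sensitive parameter with a value.
find_exposures() {              # stdin: log lines; stdout: matching lines
  grep -E -- "$SENSITIVE_RE" || true
}

# Number of exposed lines in the input (0 is the post-fix target).
count_exposures() {
  find_exposures | wc -l | tr -d ' '
}

# Same lines with every sensitive value replaced by REDACTED.
redact_exposures() {
  sed -E "s/([?&]($SENSITIVE_PARAMS)=)[^& \"']+/\1REDACTED/g"
}

# Constructed sample of request-log lines (no real data).
SAMPLE_LOG=$(cat <<'EOF'
2025-11-14T10:00:01Z info Request GET /api/projects?page=2 200 12ms
2025-11-14T10:00:02Z info Request GET /api/login?user=alice&password=hunter2 200 30ms
2025-11-14T10:00:03Z info Request GET /api/export?format=csv&token=eyJabc123 200 88ms
2025-11-14T10:00:04Z info Request GET /api/status?token= 200 2ms
EOF
)

echo "exposed lines: $(printf '%s\n' "$SAMPLE_LOG" | count_exposures)"   # 2
printf '%s\n' "$SAMPLE_LOG" | find_exposures | redact_exposures

# Against a real export: count_exposures < api-trace-export.log
```

Run it against an export of the api and pm telemetry before the change to size the exposure, and again after the package update or configuration change; the acceptance criterion "sensitive parameters not logged" corresponds to `count_exposures` returning 0 on traffic that exercises the login and token endpoints.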
1.4. web Development Dependency Updates¶
Issue: #2181 Priority: Low-Moderate Alerts: 18+ development dependency vulnerabilities Service: web (Angular development) Estimated Effort: 1-2 hours
Description¶
Update development dependencies (Vite, webpack, ESLint, etc.) that don't affect production builds but should be kept current for a secure development environment.
Sub-tasks¶
- Update Vite (#2185)
- Update webpack-dev-server (#2186)
- Update http-proxy-middleware (#2187)
- Update ESLint plugins (#2188)
- Update misc dev dependencies (#2189)
Acceptance Criteria¶
- All 18+ development dependency alerts resolved
- Dev server starts and runs correctly
- Hot-reload functionality works
- Build process completes successfully
- Linting works without errors
- All web tests pass
- No degradation in developer experience
- Breaking changes documented (if any)
1.4.1. Update Vite¶
Issue: #2185 Priority: Moderate Parent: web Development Dependency Updates (#2181)
Affected Alerts¶
- 133 - server.fs.deny bypass via backslash (Moderate)
- 132 - File serving vulnerabilities (Low)
- 131 - server.fs settings not applied to HTML (Low)
- 119 - server.fs.deny bypass with .svg (Moderate)
- 114 - Invalid request-target bypass (Moderate)
- 113 - Relative path bypass (Moderate)
Impact¶
Development-only vulnerabilities that allow bypasses of the dev server's file-system access restrictions (`server.fs`). Does not affect production builds.
Implementation Steps¶
- Update Vite to latest stable version in `src/services/web/package.json`
- Run `npm install`
- Test dev server starts (`npm start`)
- Test hot-reload functionality
- Test build process (`npm run build`)
- Review Vite changelog for breaking changes
- Update documentation if config changes needed
Acceptance Criteria¶
- All 6 Vite alerts resolved
- Dev server works correctly
- Hot-reload functions as expected
- Build succeeds
- No regression in dev experience
1.4.2. Update webpack-dev-server¶
Issue: #2186 Priority: Moderate Parent: web Development Dependency Updates (#2181)
Affected Alerts¶
- 121 - Source code exposure (non-Chromium browsers) (Moderate)
- 120 - Source code exposure (all browsers) (Moderate)
Impact¶
Source code served by the dev server may be exfiltrated when a developer running it visits a malicious website. Development-only vulnerability.
Implementation Steps¶
- Update webpack-dev-server in `src/services/web/package.json`
- Run `npm install`
- Test dev server with Angular application
- Verify no breaking changes
- Test with different browsers if possible
Acceptance Criteria¶
- Both webpack-dev-server alerts resolved
- Dev server works correctly
- No breaking changes
- All web tests pass
1.4.3. Update http-proxy-middleware¶
Issue: #2187 Priority: Moderate Parent: web Development Dependency Updates (#2181)
Affected Alerts¶
- 118 - fixRequestBody proceeds despite bodyParser failure (Moderate)
- 117 - writeBody can be called twice (Moderate)
- 116 - Duplicate of #118 (Moderate)
- 115 - Duplicate of #117 (Moderate)
Impact¶
Request body parsing and double-write defects in the proxy. Development-only impact.
Implementation Steps¶
- Update http-proxy-middleware in `src/services/web/package.json`
- Run `npm install`
- Test proxy configuration (if used in development)
- Verify API proxying still works
- Check for breaking changes in proxy config
Acceptance Criteria¶
- All 4 http-proxy-middleware alerts resolved
- Proxy functionality works (if used)
- No breaking changes
- Dev environment functional
1.4.4. Update ESLint plugins¶
Issue: #2188 Priority: Low Parent: web Development Dependency Updates (#2181)
Affected Alerts¶
Impact¶
Regular Expression Denial of Service during linting. Development-only vulnerability.
Implementation Steps¶
- Update @eslint/plugin-kit and related packages in `src/services/web/package.json`
- Run `npm install`
- Test linting (`npm run lint`)
- Verify linting rules still apply correctly
- Check for any new ESLint warnings
Acceptance Criteria¶
- Both ESLint alerts resolved
- Linting works without errors
- Linting rules function correctly
- No regression in code quality checks
1.4.5. Update Miscellaneous Dev Dependencies¶
Issue: #2189 Priority: Low Parent: web Development Dependency Updates (#2181)
Affected Alerts¶
- 129 - brace-expansion ReDoS (Low)
- 123 - brace-expansion ReDoS duplicate (Low)
- 130 - tmp arbitrary write (Low)
- 124 - on-headers manipulation (Low)
Impact¶
Various low-priority development dependency vulnerabilities. No production impact.
Implementation Steps¶
- Update brace-expansion in `src/services/web/package.json`
- Update tmp in `src/services/web/package.json`
- Update on-headers in `src/services/web/package.json`
- Run `npm install`
- Run full test suite
- Verify no breaking changes
Acceptance Criteria¶
- All 4 miscellaneous alerts resolved
- All web tests pass
- No breaking changes
- Dev environment fully functional
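Every "update X, run the install, verify the alert is closed" sequence on this page (the REXML steps in 1.1.1 and the Vite, webpack-dev-server, http-proxy-middleware, ESLint and miscellaneous steps in 1.4) has the same check at the end: the lock file must actually pin each alerted package at or above the version the Dependabot alert names as fixed, otherwise the alert will not close. The following is an added example, not SyRF code, that reads `Gemfile.lock` and `package-lock.json` (lockfile v2/v3 layout) and compares what they pin against a minimum per package. The lock contents and the minimum versions are constructed placeholders; take the real minimums from each alert before using it on the monorepo.

```shell
#!/usr/bin/env bash
# Added example, not SyRF code: confirm that lock files moved each alerted
# package to (or past) the fixed version before declaring an alert resolved.
set -eu

# Version a Gemfile.lock pins for gem $1 (the "  name (x.y.z)" specs line;
# dependency lines such as "rexml (>= 3.2.0)" are ignored).
gem_lock_version() {            # $1 = gem name, $2 = path to Gemfile.lock
  sed -n "s/^ *$1 (\([0-9][0-9.]*\)).*/\1/p" "$2" | head -n1
}

# Version a package-lock.json (v2/v3) pins for package $1: the "version"
# line that follows the top-level "node_modules/<name>" entry.
npm_lock_version() {            # $1 = package name, $2 = path to package-lock.json
  awk -v key="\"node_modules/$1\":" '
    $1 == key { found = 1; next }
    found && $1 == "\"version\":" { gsub(/[",]/, "", $2); print $2; exit }
  ' "$2"
}

# True when dotted version $1 is >= $2.
version_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# ok / outdated / missing for one package.
check_version() {               # $1 = pinned version (may be empty), $2 = required minimum
  if [ -z "$1" ]; then echo missing
  elif version_ge "$1" "$2"; then echo ok
  else echo outdated
  fi
}

# "name pinned minimum status" per "name:minimum" argument.
report() {                      # $1 = gem|npm, $2 = lock path, $3.. = name:minimum
  kind=$1; lock=$2; shift 2
  for spec in "$@"; do
    name=${spec%%:*}; min=${spec#*:}
    if [ "$kind" = gem ]; then pinned=$(gem_lock_version "$name" "$lock")
    else pinned=$(npm_lock_version "$name" "$lock"); fi
    echo "$name ${pinned:-none} $min $(check_version "$pinned" "$min")"
  done
}

# Constructed sample lock files (not the repository's).
WORK=$(mktemp -d)
SAMPLE_GEM_LOCK="$WORK/Gemfile.lock"
SAMPLE_NPM_LOCK="$WORK/package-lock.json"
cat >"$SAMPLE_GEM_LOCK" <<'EOF'
GEM
  remote: https://rubygems.org/
  specs:
    jekyll (4.3.4)
      rexml (>= 3.2.0)
    rexml (3.2.5)
EOF
cat >"$SAMPLE_NPM_LOCK" <<'EOF'
{
  "name": "web",
  "lockfileVersion": 3,
  "packages": {
    "": { "name": "web" },
    "node_modules/vite": {
      "version": "5.4.8",
      "dev": true
    },
    "node_modules/webpack-dev-server": {
      "version": "5.0.4",
      "dev": true
    }
  }
}
EOF

# Minimums below are placeholders; substitute the fixed versions from the alerts.
report gem "$SAMPLE_GEM_LOCK" rexml:3.3.0
report npm "$SAMPLE_NPM_LOCK" vite:5.4.0 webpack-dev-server:5.2.0 http-proxy-middleware:3.0.0
# Real checkout: report gem user-guide/Gemfile.lock rexml:<fixed>
#                report npm src/services/web/package-lock.json vite:<fixed> ...
```

A `missing` result for a package that is only a transitive dependency means the top-level `node_modules/<name>` entry is absent (it may be nested under another package), so check `npm ls <name>` as well; an `outdated` result after `bundle update` usually means another gem's constraint is holding the version back, which is what the "review Gemfile.lock changes" step is meant to surface.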
Testing Strategy¶
Per-Service Testing¶
user-guide¶
- Local Jekyll build
- Docker compose
- CI/CD pipeline
- Deployed site verification
web¶
- Unit tests (`npm test`)
- E2E tests (if available)
- Dev server functionality
- Production build
- Manual feature testing
api/pm¶
- Unit tests (`dotnet test`)
- Integration tests
- Telemetry verification
- Log inspection
Integration Testing¶
- Full monorepo build succeeds
- All services deploy to staging
- Inter-service communication works
- No performance degradation
Deployment Testing¶
- Staging deployments successful
- Manual verification in staging
- Production deployment (after staging approval)
- Post-deployment monitoring
Remediation Phases¶
Phase 1: High Priority (Immediate)¶
Estimated: 4-6 hours
- REXML vulnerabilities (user-guide)
- PDF.js investigation and fix (web)
Deliverable: High-severity vulnerabilities resolved
Phase 2: Production Dependencies (Near-term)¶
Estimated: 2-4 hours
- DOMPurify update (web)
- js-yaml update (web)
- OpenTelemetry fix (api/pm)
Deliverable: All production dependency vulnerabilities resolved
Phase 3: Development Dependencies (Low Priority)¶
Estimated: 1-2 hours
- Vite, webpack, http-proxy updates (web)
- ESLint and misc updates (web)
Deliverable: Clean Dependabot security dashboard
Notes¶
- Development vs Production: Many vulnerabilities are in development dependencies (Vite, webpack, etc.) which don't affect production builds
- Service Grouping: Updates grouped by service for efficient batch testing
- Breaking Changes: Review changelogs carefully; dependency updates may require configuration changes
- CI/CD Integration: All updates go through CI/CD pipeline before merging
- Archived Alerts: Some alerts (#127, #126 - form-data) appear archived and may be auto-resolved
Related Documentation¶
- Dependency Map - Service dependency information
- CI/CD Approach - Build and deployment process
- GitHub Dependabot - Live security alerts
GitHub/ZenHub Issue Tracking¶
Epic and Parent Tasks¶
- Epic: Security Vulnerabilities - Dependabot Alerts (#2177)
- Parent: user-guide Security Updates (#2178)
- Parent: web Production Dependency Updates (#2179)
- Parent: api/pm Service Updates (#2180)
- Parent: web Development Dependency Updates (#2181)
Sub-task Issues¶
All sub-tasks created with proper hierarchy:
- #2173 - Fix REXML DoS vulnerabilities
- #2174 - Investigate & Fix PDF.js vulnerability
- #2182 - Update DOMPurify
- #2183 - Update js-yaml
- #2184 - Fix OpenTelemetry sensitive logging
- #2185 - Update Vite
- #2186 - Update webpack-dev-server
- #2187 - Update http-proxy-middleware
- #2188 - Update ESLint plugins
- #2189 - Update misc dev dependencies
Obsolete issues (superseded by new structure):