Nijil / Fix critical security issue

[nijil-deriv]

Run npm run audit fix

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
npm/protobufjs	7.5.4	🟢 5.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 6 7 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 6 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Security-Policy ⚠️ 0 security policy file not detected License 🟢 9 license file detected Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/@xmldom/xmldom	0.8.11	🟢 7.7	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ 2 Found 1/4 approved changesets -- score normalized to 2 Dependency-Update-Tool 🟢 10 update tool detected Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 CII-Best-Practices 🟢 5 badge detected: Passing Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Vulnerabilities 🟢 5 5 existing vulnerabilities detected SAST 🟢 10 SAST tool is run on all commits License 🟢 10 license file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches CI-Tests 🟢 10 12 out of 12 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 12 contributing companies or organizations
npm/lodash	4.17.23	🟢 7.1	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration CI-Tests 🟢 8 23 out of 26 merged PRs checked by a CI test -- score normalized to 8 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review 🟢 8 Found 25/30 approved changesets -- score normalized to 8 Contributors 🟢 10 project has 89 contributing companies or organizations Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing 🟢 10 project is fuzzed License 🟢 9 license file detected Maintained 🟢 10 14 commit(s) and 16 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 SAST 🟢 9 SAST tool detected but not run on all commits Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Vulnerabilities ⚠️ 0 96 existing vulnerabilities detected
npm/lodash-es	4.17.23	🟢 7.1	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration CI-Tests 🟢 8 23 out of 26 merged PRs checked by a CI test -- score normalized to 8 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review 🟢 8 Found 25/30 approved changesets -- score normalized to 8 Contributors 🟢 10 project has 89 contributing companies or organizations Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing 🟢 10 project is fuzzed License 🟢 9 license file detected Maintained 🟢 10 14 commit(s) and 16 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 SAST 🟢 9 SAST tool detected but not run on all commits Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Vulnerabilities ⚠️ 0 96 existing vulnerabilities detected
npm/dompurify	3.3.3	🟢 9.6	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 10 30 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Code-Review 🟢 8 Found 12/14 approved changesets -- score normalized to 8 Pinned-Dependencies 🟢 10 all dependencies are pinned Security-Policy 🟢 10 security policy file detected CII-Best-Practices 🟢 5 badge detected: Passing SAST 🟢 10 SAST tool is run on all commits License 🟢 9 license file detected Signed-Releases ⚠️ -1 no releases found Fuzzing 🟢 10 project is fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected Branch-Protection ⚠️ -1 internal error: error during GetBranch(3.x): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration CI-Tests 🟢 10 17 out of 17 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 38 contributing companies or organizations
npm/@xmldom/xmldom	0.8.13	🟢 7.7	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ 2 Found 1/4 approved changesets -- score normalized to 2 Dependency-Update-Tool 🟢 10 update tool detected Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 CII-Best-Practices 🟢 5 badge detected: Passing Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Vulnerabilities 🟢 5 5 existing vulnerabilities detected SAST 🟢 10 SAST tool is run on all commits License 🟢 10 license file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches CI-Tests 🟢 10 12 out of 12 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 12 contributing companies or organizations
npm/dompurify	3.4.0	🟢 9.6	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 10 30 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Code-Review 🟢 8 Found 12/14 approved changesets -- score normalized to 8 Pinned-Dependencies 🟢 10 all dependencies are pinned Security-Policy 🟢 10 security policy file detected CII-Best-Practices 🟢 5 badge detected: Passing SAST 🟢 10 SAST tool is run on all commits License 🟢 9 license file detected Signed-Releases ⚠️ -1 no releases found Fuzzing 🟢 10 project is fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected Branch-Protection ⚠️ -1 internal error: error during GetBranch(3.x): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration CI-Tests 🟢 10 17 out of 17 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 38 contributing companies or organizations
npm/lodash	4.18.1	🟢 7.1	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration CI-Tests 🟢 8 23 out of 26 merged PRs checked by a CI test -- score normalized to 8 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review 🟢 8 Found 25/30 approved changesets -- score normalized to 8 Contributors 🟢 10 project has 89 contributing companies or organizations Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing 🟢 10 project is fuzzed License 🟢 9 license file detected Maintained 🟢 10 14 commit(s) and 16 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 SAST 🟢 9 SAST tool detected but not run on all commits Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Vulnerabilities ⚠️ 0 96 existing vulnerabilities detected
npm/lodash-es	4.18.1	🟢 7.1	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration CI-Tests 🟢 8 23 out of 26 merged PRs checked by a CI test -- score normalized to 8 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review 🟢 8 Found 25/30 approved changesets -- score normalized to 8 Contributors 🟢 10 project has 89 contributing companies or organizations Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing 🟢 10 project is fuzzed License 🟢 9 license file detected Maintained 🟢 10 14 commit(s) and 16 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 SAST 🟢 9 SAST tool detected but not run on all commits Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Vulnerabilities ⚠️ 0 96 existing vulnerabilities detected
npm/protobufjs	7.5.5	🟢 5.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 6 7 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 6 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Security-Policy ⚠️ 0 security policy file not detected License 🟢 9 license file detected Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0

Scanned Manifest Files

package-lock.json

• protobufjs@7.5.4
• @xmldom/xmldom@0.8.11
• lodash@4.17.23
• lodash-es@4.17.23
• dompurify@3.3.3
• follow-redirects@1.15.11
• @xmldom/xmldom@0.8.13
• dompurify@3.4.0
• follow-redirects@1.16.0
• lodash@4.18.1
• lodash-es@4.18.1
• protobufjs@7.5.5

[github-actions]

Claude finished @nijil-deriv's task in 1m 40s —— View job

---

PR Review: Fix critical security issue

• Gather context and analyze PR changes
• Review dependency updates for correctness and safety
• Check for any regressions or concerns
• Post comprehensive review

---

Summary

This PR runs npm audit fix and updates 6 packages in package-lock.json only. No application code changes. CI dependency review passes with no new vulnerabilities.

---

Package Updates

Package	Before	After	Type	Notes
@xmldom/xmldom	0.8.11	0.8.13	Transitive	⚠️ Old version was explicitly deprecated as "critical issues"
dompurify	3.3.3	3.4.0	Direct (^3.3.2)	XSS sanitizer — good to keep current
follow-redirects	1.15.11	1.16.0	Dev transitive	Minor bump
lodash	4.17.23	4.18.1	Direct (>=4.17.21)	Minor bump
lodash-es	4.17.23	4.18.1	Transitive	Minor bump
protobufjs	7.5.4	7.5.5	Transitive	Patch bump

---

Findings

🟢 Positive

• The @xmldom/xmldom 0.8.11 removal is the most important fix — the old version was explicitly marked deprecated with a "critical issues" warning. Upgrading to 0.8.13 resolves this.
• dompurify (XSS sanitization) being kept up to date is good security hygiene.
• CI dependency review confirms ✅ no new vulnerabilities introduced.
• Only package-lock.json changed; package.json constraints correctly allow these updates.

🟡 Medium

• lodash still shows 96 existing vulnerabilities per OpenSSF Scorecard in both the old and new version. This PR does not address those — they are long-standing known issues with lodash. Consider whether lodash can be removed/replaced in a future refactor, or if overrides can pin safer sub-dependencies.

🟡 Medium

• lodash constraint in package.json is ">=4.17.21" — an unbounded range that allows any future version. Consider tightening to ">=4.18.1" now that this version is validated: Fix this →

🔵 Low

• PR title says "Fix critical security issue" — the @xmldom/xmldom deprecation is genuinely critical, but the other 5 updates are routine minor/patch bumps. Consider a more precise title to aid future changelog searches.

---

Verdict

✅ Safe to merge. The changes are confined to package-lock.json, address a legitimately deprecated and vulnerable package (@xmldom/xmldom), and introduce no regressions. The medium-priority lodash constraint tightening is a nice-to-have but not blocking.

[github-actions]

Preview Link: https://fix-security-issues1.bot-65f.pages.dev

Name	Result
Build status	Completed ✅
Preview URL	Visit Preview
Action URL	Visit Action