@codyswann/lisa 1.46.4 → 1.47.1

package/typescript/copy-overwrite/.github/workflows/quality.yml

@@ -964,30 +964,53 @@ jobs:
           fi
         working-directory: ${{ inputs.working_directory || '.' }}
 
-      - name: 🔒 Run security audit
+      - name: 📋 Load audit exclusions
+        id: audit_exclusions
         run: |
-          if [ "${{ inputs.package_manager }}" = "npm" ]; then
-            # Run npm audit in JSON mode and filter out known false positives before failing.
-            # npm audit lacks a native --ignore flag, so we parse JSON and exclude by GHSA ID.
-
-            # Excluding GHSA-3ppc-4f35-3m26: minimatch ReDoS via repeated wildcards
-            # Nested dep in aws-cdk-lib; fix requires minimatch v10 (incompatible with ^3.1.2)
-            # Risk: None - dev-time CDK tooling, no production runtime exposure
-
-            # Excluding GHSA-7r86-cg39-jmmj: minimatch ReDoS via multiple non-adjacent GLOBSTAR segments
-            # Same transitive dependency chain as GHSA-3ppc-4f35-3m26
-            # Risk: None - only devDependency tooling, never processes untrusted user input
+          GHSA_IDS=""
+          CVE_IDS=""
+          for config_file in audit.ignore.config.json audit.ignore.local.json; do
+            if [ -f "$config_file" ]; then
+              FILE_IDS=$(jq -r '.exclusions[].id' "$config_file" 2>/dev/null)
+              if [ -n "$FILE_IDS" ]; then
+                GHSA_IDS="$GHSA_IDS $FILE_IDS"
+              fi
+              FILE_CVES=$(jq -r '.exclusions[] | select(.cve != null) | .cve' "$config_file" 2>/dev/null)
+              if [ -n "$FILE_CVES" ]; then
+                CVE_IDS="$CVE_IDS $FILE_CVES"
+              fi
+            fi
+          done
+          GHSA_IDS=$(echo "$GHSA_IDS" | tr ' ' '\n' | sort -u | grep -v '^$' | tr '\n' ' ')
+          CVE_IDS=$(echo "$CVE_IDS" | tr ' ' '\n' | sort -u | grep -v '^$' | tr '\n' ' ')
+          echo "ghsa_ids=$GHSA_IDS" >> $GITHUB_OUTPUT
+          echo "cve_ids=$CVE_IDS" >> $GITHUB_OUTPUT
+          echo "Loaded GHSA exclusions: $GHSA_IDS"
+          echo "Loaded CVE exclusions: $CVE_IDS"
+        working-directory: ${{ inputs.working_directory || '.' }}
 
-            # Excluding GHSA-23c5-xmqv-rm74: minimatch ReDoS via nested *() extglobs
-            # Same transitive dependency chain as GHSA-3ppc-4f35-3m26
-            # Risk: None - only devDependency tooling, never processes untrusted user input
+      - name: 🔒 Run security audit
+        run: |
+          GHSA_IDS="${{ steps.audit_exclusions.outputs.ghsa_ids }}"
+          CVE_IDS="${{ steps.audit_exclusions.outputs.cve_ids }}"
 
-            # Excluding GHSA-2g4f-4pwh-qvx6: ajv ReDoS with $data option
-            # Nested dep in aws-cdk-lib and eslint; no fix available via npm
-            # Risk: Low - $data option not used in this application
+          if [ "${{ inputs.package_manager }}" = "npm" ]; then
+            # Build jq exclusion filter for npm audit GHSA IDs
+            NPM_EXCLUDE_FILTER=""
+            for _id in $GHSA_IDS; do
+              if [ -n "$NPM_EXCLUDE_FILTER" ]; then
+                NPM_EXCLUDE_FILTER="$NPM_EXCLUDE_FILTER or . == \"$_id\""
+              else
+                NPM_EXCLUDE_FILTER=". == \"$_id\""
+              fi
+            done
 
             AUDIT_JSON=$(npm audit --production --json 2>/dev/null || true)
-            UNFIXED_HIGH=$(echo "$AUDIT_JSON" | jq '[.vulnerabilities | to_entries[] | select(.value.severity == "high" or .value.severity == "critical") | .value.via[] | select(type == "object") | .url | ltrimstr("https://github.com/advisories/")] | unique | map(select(. == "GHSA-3ppc-4f35-3m26" or . == "GHSA-7r86-cg39-jmmj" or . == "GHSA-23c5-xmqv-rm74" or . == "GHSA-2g4f-4pwh-qvx6" | not)) | length')
+            if [ -n "$NPM_EXCLUDE_FILTER" ]; then
+              UNFIXED_HIGH=$(echo "$AUDIT_JSON" | jq "[.vulnerabilities | to_entries[] | select(.value.severity == \"high\" or .value.severity == \"critical\") | .value.via[] | select(type == \"object\") | .url | ltrimstr(\"https://github.com/advisories/\")] | unique | map(select($NPM_EXCLUDE_FILTER | not)) | length")
+            else
+              UNFIXED_HIGH=$(echo "$AUDIT_JSON" | jq '[.vulnerabilities | to_entries[] | select(.value.severity == "high" or .value.severity == "critical") | .value.via[] | select(type == "object") | .url | ltrimstr("https://github.com/advisories/")] | unique | length')
+            fi
             if [ "$UNFIXED_HIGH" -gt 0 ]; then
               echo "::warning::Found high or critical vulnerabilities (after excluding known false positives)"
               npm audit --production --audit-level=high || true
@@ -995,26 +1018,42 @@ jobs:
             fi
             echo "::notice::No high or critical vulnerabilities found (excluding known false positives)"
           elif [ "${{ inputs.package_manager }}" = "yarn" ]; then
-            # Yarn audit outputs newline-delimited JSON, so we need to parse each line
-
-            # Excluding GHSA-5j98-mcp5-4vw2 (CVE-2025-64756): glob CLI command injection
-            # This vulnerability only affects the glob CLI (--cmd flag), not library usage
-            # We only use glob as a library through Babel and other tools - never invoke CLI
-            # Risk: None - vulnerable code path is not executed in our application
-
-            # Excluding GHSA-w532-jxjh-hjhj (CVE-2025-29907): jsPDF ReDoS in addImage
-            # Excluding GHSA-8mvj-3j78-4qmw (CVE-2025-57810): jsPDF DoS in addImage
-            # These require user control of addImage input with malicious data
-            # Our usage is controlled and doesn't expose this attack vector
-            # Tracked for upgrade in separate security remediation ticket
-
-            # Excluding GHSA-36jr-mh4h-2g58: d3-color ReDoS
-            # Transitive dependency through react-native-svg-charts (unmaintained)
-            # Replacement charting library evaluation in progress
-            # Risk: Low - color parsing is not user-controlled in our implementation
-
-            # Filter by both GHSA ID and CVE ID for robustness
-            yarn audit --groups dependencies --json | jq -r 'select(.type == "auditAdvisory") | select(.data.advisory.severity == "high" or .data.advisory.severity == "critical") | select((.data.advisory.github_advisory_id == "GHSA-5j98-mcp5-4vw2" or .data.advisory.github_advisory_id == "GHSA-w532-jxjh-hjhj" or .data.advisory.github_advisory_id == "GHSA-8mvj-3j78-4qmw" or .data.advisory.github_advisory_id == "GHSA-36jr-mh4h-2g58" or (.data.advisory.cves | any(. == "CVE-2025-64756" or . == "CVE-2025-29907" or . == "CVE-2025-57810"))) | not) | .data.advisory' > high_vulns.json
+            # Build jq filter for GHSA IDs
+            GHSA_FILTER=""
+            for _id in $GHSA_IDS; do
+              if [ -n "$GHSA_FILTER" ]; then
+                GHSA_FILTER="$GHSA_FILTER or .data.advisory.github_advisory_id == \"$_id\""
+              else
+                GHSA_FILTER=".data.advisory.github_advisory_id == \"$_id\""
+              fi
+            done
+
+            # Build jq filter for CVE IDs
+            CVE_FILTER=""
+            for _cve in $CVE_IDS; do
+              if [ -n "$CVE_FILTER" ]; then
+                CVE_FILTER="$CVE_FILTER or . == \"$_cve\""
+              else
+                CVE_FILTER=". == \"$_cve\""
+              fi
+            done
+
+            # Combine GHSA and CVE filters
+            COMBINED_FILTER=""
+            if [ -n "$GHSA_FILTER" ] && [ -n "$CVE_FILTER" ]; then
+              COMBINED_FILTER="($GHSA_FILTER or (.data.advisory.cves | any($CVE_FILTER)))"
+            elif [ -n "$GHSA_FILTER" ]; then
+              COMBINED_FILTER="($GHSA_FILTER)"
+            elif [ -n "$CVE_FILTER" ]; then
+              COMBINED_FILTER="((.data.advisory.cves | any($CVE_FILTER)))"
+            fi
+
+            if [ -n "$COMBINED_FILTER" ]; then
+              yarn audit --groups dependencies --json | jq -r "select(.type == \"auditAdvisory\") | select(.data.advisory.severity == \"high\" or .data.advisory.severity == \"critical\") | select(($COMBINED_FILTER) | not) | .data.advisory" > high_vulns.json
+            else
+              yarn audit --groups dependencies --json | jq -r 'select(.type == "auditAdvisory") | select(.data.advisory.severity == "high" or .data.advisory.severity == "critical") | .data.advisory' > high_vulns.json
+            fi
+
             if [ -s high_vulns.json ]; then
               echo "::error::Found high or critical vulnerabilities:"
               cat high_vulns.json
@@ -1023,64 +1062,13 @@ jobs:
               echo "::notice::No high or critical vulnerabilities found (excluding known false positives)"
             fi
           elif [ "${{ inputs.package_manager }}" = "bun" ]; then
-            # Excluding GHSA-5j98-mcp5-4vw2 (CVE-2025-64756): glob CLI command injection
-            # This vulnerability only affects the glob CLI (--cmd flag), not library usage
-            # We only use glob as a library through Babel and other tools - never invoke CLI
-
-            # Excluding GHSA-8qq5-rm4j-mr97: node-tar path sanitization vulnerability
-            # Nested dependency in @expo/cli - bun resolves to patched version but audit still flags it
-            # Risk: Low - only affects tar extraction with malicious filenames, not our use case
-
-            # Excluding GHSA-37qj-frw5-hhjh: fast-xml-parser RangeError DoS with numeric entities
-            # Transitive dependency via @react-native-community/cli (Android/iOS build tooling)
-            # Parent packages pin ^4.4.1; fix requires major version 5.x (incompatible)
-            # Risk: None - CLI build tool, not a production runtime dependency
-
-            # Excluding GHSA-3ppc-4f35-3m26: minimatch ReDoS via repeated wildcards
-            # Transitive dependency in devDependencies (eslint, jest, nodemon, ts-morph, etc.)
-            # Fix requires minimatch v10 which changes export shape (object vs function),
-            # breaking test-exclude (used by Jest coverage). No production code path is affected.
-            # Risk: None - only devDependency tooling, never processes untrusted user input
-
-            # Excluding GHSA-jmr7-xgp7-cmfj: fast-xml-parser DoS through entity expansion in DOCTYPE
-            # Transitive dependency via AWS SDK (@aws-sdk/xml-builder) and snowflake-sdk
-            # Resolution to >=5.3.6 set in package.json but bun audit still flags intermediate ranges
-            # Risk: Low - XML parsing of untrusted DOCTYPE content not in our code paths
-
-            # Excluding GHSA-m7jm-9gc2-mpf2: fast-xml-parser entity encoding bypass via regex injection
-            # Same transitive path as GHSA-jmr7-xgp7-cmfj (AWS SDK, snowflake-sdk)
-            # Resolution to >=5.3.6 set in package.json but bun audit still flags intermediate ranges
-            # Risk: Low - no untrusted XML with DOCTYPE entity names processed
-
-            # Excluding GHSA-r6q2-hw4h-h46w: node-tar race condition via Unicode Ligature Collisions on macOS APFS
-            # Transitive via @nestjs/apollo > @apollo/gateway > make-fetch-happen > cacache > tar
-            # Resolution to ^7.5.8 set in package.json but bun audit still flags intermediate ranges
-            # Risk: None - tar extraction not used in production runtime
-
-            # Excluding GHSA-34x7-hfp2-rc4v: node-tar arbitrary file creation via hardlink path traversal
-            # Same transitive path as GHSA-r6q2-hw4h-h46w
-            # Risk: None - tar extraction not used in production runtime
-
-            # Excluding GHSA-83g3-92jg-28cx: node-tar arbitrary file read/write via hardlink target escape
-            # Same transitive path as GHSA-r6q2-hw4h-h46w
-            # Risk: None - tar extraction not used in production runtime
-
-            # Excluding GHSA-3h5v-q93c-6h6q: ws DoS when handling request with many HTTP headers
-            # Transitive via @nestjs/graphql, graphql-ws, openai, serverless-offline, serverless-esbuild
-            # Resolution to ^8.17.1 set in package.json but bun audit still flags intermediate ranges
-            # Risk: Low - WebSocket servers behind API Gateway which limits headers
-
-            # Excluding GHSA-7r86-cg39-jmmj: minimatch ReDoS via multiple non-adjacent GLOBSTAR segments
-            # Same transitive dependency chain as GHSA-3ppc-4f35-3m26 (eslint, jest, ts-morph, etc.)
-            # Fix requires minimatch >=3.1.3 but bun cannot override transitive dependency version ranges
-            # Risk: None - only devDependency tooling, never processes untrusted user input
-
-            # Excluding GHSA-23c5-xmqv-rm74: minimatch ReDoS via nested *() extglobs
-            # Same transitive dependency chain as GHSA-3ppc-4f35-3m26 (eslint, jest, ts-morph, etc.)
-            # Fix requires minimatch >=3.1.3 but bun cannot override transitive dependency version ranges
-            # Risk: None - only devDependency tooling, never processes untrusted user input
-
-            if ! bun audit --audit-level=high --ignore GHSA-5j98-mcp5-4vw2 --ignore GHSA-8qq5-rm4j-mr97 --ignore GHSA-37qj-frw5-hhjh --ignore GHSA-3ppc-4f35-3m26 --ignore GHSA-jmr7-xgp7-cmfj --ignore GHSA-m7jm-9gc2-mpf2 --ignore GHSA-r6q2-hw4h-h46w --ignore GHSA-34x7-hfp2-rc4v --ignore GHSA-83g3-92jg-28cx --ignore GHSA-3h5v-q93c-6h6q --ignore GHSA-7r86-cg39-jmmj --ignore GHSA-23c5-xmqv-rm74; then
+            # Build --ignore flags dynamically from exclusion list
+            BUN_IGNORE_FLAGS=""
+            for _id in $GHSA_IDS; do
+              BUN_IGNORE_FLAGS="$BUN_IGNORE_FLAGS --ignore $_id"
+            done
+
+            if ! bun audit --audit-level=high $BUN_IGNORE_FLAGS; then
               echo "::warning::Found high or critical vulnerabilities"
               exit 1
             fi

package/typescript/copy-overwrite/audit.ignore.config.json

@@ -0,0 +1,87 @@
+{
+  "exclusions": [
+    {
+      "id": "GHSA-5j98-mcp5-4vw2",
+      "cve": "CVE-2025-64756",
+      "package": "glob",
+      "reason": "CLI command injection — only affects glob CLI --cmd flag, not library usage"
+    },
+    {
+      "id": "GHSA-8qq5-rm4j-mr97",
+      "package": "node-tar",
+      "reason": "Path sanitization vulnerability — nested in @expo/cli, tar extraction not in our code path"
+    },
+    {
+      "id": "GHSA-37qj-frw5-hhjh",
+      "package": "fast-xml-parser",
+      "reason": "RangeError DoS with numeric entities — transitive via React Native CLI, build tool only"
+    },
+    {
+      "id": "GHSA-3ppc-4f35-3m26",
+      "package": "minimatch",
+      "reason": "ReDoS via repeated wildcards — devDeps only, fix requires breaking minimatch v10"
+    },
+    {
+      "id": "GHSA-7r86-cg39-jmmj",
+      "package": "minimatch",
+      "reason": "ReDoS via multiple non-adjacent GLOBSTAR segments — devDeps only, fix requires minimatch >=3.1.3"
+    },
+    {
+      "id": "GHSA-23c5-xmqv-rm74",
+      "package": "minimatch",
+      "reason": "ReDoS via nested *() extglobs — devDeps only, fix requires minimatch >=3.1.3"
+    },
+    {
+      "id": "GHSA-2g4f-4pwh-qvx6",
+      "package": "ajv",
+      "reason": "ReDoS with $data option — $data option not used, nested in aws-cdk-lib/eslint"
+    },
+    {
+      "id": "GHSA-jmr7-xgp7-cmfj",
+      "package": "fast-xml-parser",
+      "reason": "DoS through entity expansion in DOCTYPE — transitive via AWS SDK, no untrusted XML parsing"
+    },
+    {
+      "id": "GHSA-m7jm-9gc2-mpf2",
+      "package": "fast-xml-parser",
+      "reason": "Entity encoding bypass via regex injection — same path as GHSA-jmr7-xgp7-cmfj"
+    },
+    {
+      "id": "GHSA-r6q2-hw4h-h46w",
+      "package": "node-tar",
+      "reason": "Race condition via Unicode Ligature Collisions on macOS APFS — transitive via NestJS/Apollo, tar not used in production"
+    },
+    {
+      "id": "GHSA-34x7-hfp2-rc4v",
+      "package": "node-tar",
+      "reason": "Arbitrary file creation via hardlink path traversal — same path as GHSA-r6q2-hw4h-h46w"
+    },
+    {
+      "id": "GHSA-83g3-92jg-28cx",
+      "package": "node-tar",
+      "reason": "Arbitrary file read/write via hardlink target escape — same path as GHSA-r6q2-hw4h-h46w"
+    },
+    {
+      "id": "GHSA-3h5v-q93c-6h6q",
+      "package": "ws",
+      "reason": "DoS via many HTTP headers — WebSocket servers behind API Gateway which limits headers"
+    },
+    {
+      "id": "GHSA-w532-jxjh-hjhj",
+      "cve": "CVE-2025-29907",
+      "package": "jsPDF",
+      "reason": "ReDoS in addImage — controlled usage only, no user-controlled input to addImage"
+    },
+    {
+      "id": "GHSA-8mvj-3j78-4qmw",
+      "cve": "CVE-2025-57810",
+      "package": "jsPDF",
+      "reason": "DoS in addImage — controlled usage only, no user-controlled input to addImage"
+    },
+    {
+      "id": "GHSA-36jr-mh4h-2g58",
+      "package": "d3-color",
+      "reason": "ReDoS — transitive via react-native-svg-charts, color parsing not user-controlled"
+    }
+  ]
+}

package/typescript/copy-overwrite/eslint.ignore.config.json

@@ -70,6 +70,9 @@
     "scripts/**",
 
     "lib/**/*.js",
-    "cdk.out/**"
+    "cdk.out/**",
+
+    "audit.ignore.config.json",
+    "audit.ignore.local.json"
   ]
 }

package/typescript/create-only/audit.ignore.local.json

@@ -0,0 +1,3 @@
+{
+  "exclusions": []
+}