# Dependency Scan — Azaion UI

**Date**: 2026-05-12
**Scope**: `package.json` + `bun.lock` (root) and `mission-planner/package.json` + `mission-planner/bun.lock`
**Tool**: `bun audit v1.3.11` (the project's pinned package manager)
**Cycle**: Phase B / Cycle 2 (post AZ-498, AZ-499)

---

## Summary

| Severity | Count | Packages |
|----------|-------|----------|
| Critical | 0 | — |
| High | 1 | `vite` (dev-server only) |
| Moderate | 2 | `vite` (dev-server only), `postcss` (build-time, low surface) |
| Low | 0 | — |

**Both roots (main `ui/` and `mission-planner/`) report the SAME advisory set** — they share the same Vite 6.x + PostCSS 8.5.x major versions.

## Findings

### F-DEP-1 — Vite Arbitrary File Read via Dev Server WebSocket — HIGH

| Field | Value |
|-------|-------|
| Advisory | [GHSA-p9ff-h696-f583](https://github.com/advisories/GHSA-p9ff-h696-f583) |
| Package | `vite` |
| Installed | `6.4.1` (resolved in `bun.lock`) |
| Affected | `vite <= 6.4.1` |
| Fix | Upgrade to `vite >= 6.4.2` (or latest 6.x), or `bun update` |
| Found via | `bun audit` |
| Roots | `ui/` (direct), `mission-planner/` (direct) |

**Production impact**: **NONE.** The Vite dev server is only used during `bun run dev` and `vitest` (test). Production runs `nginx:alpine` serving pre-built static assets from `dist/` (`Dockerfile:8-12`). The Vite WebSocket endpoint does not exist in production.

**Developer-machine impact**: **HIGH** in dev. An attacker on the same network as a developer running `bun run dev` (passing `--host` with no value binds to `0.0.0.0`) can read arbitrary files from the developer's filesystem via the WebSocket path traversal. Mitigation: bind the dev server to `localhost` only (the Vite default unless `--host` is passed).

**Remediation**:

1. `bun update vite` in both roots (drops in-range to `6.4.2+`).
2. Verify the build passes (`bun run build`) and fast tests stay green (`scripts/run-tests.sh fast`).
3. CI would-have-blocked check: add a `bun audit --high` exit-code gate to `.woodpecker/build-arm.yml` (Phase B follow-up — see infrastructure review).

### F-DEP-2 — Vite Path Traversal in Optimized Deps `.map` Handling — MODERATE

| Field | Value |
|-------|-------|
| Advisory | [GHSA-4w7w-66w2-5vf9](https://github.com/advisories/GHSA-4w7w-66w2-5vf9) |
| Package | `vite` |
| Installed | `6.4.1` |
| Affected | `vite <= 6.4.1` |
| Fix | Upgrade to `vite >= 6.4.2` (same upgrade as F-DEP-1) |
| Found via | `bun audit` |
| Roots | `ui/` (direct), `mission-planner/` (direct) |

**Production impact**: **NONE** — same reason as F-DEP-1; production has no Vite dev server.

**Developer-machine impact**: **MODERATE** — path traversal on `/optimized-deps/<…>.map` paths during dev sessions.

**Remediation**: same upgrade as F-DEP-1 (a single `bun update vite` resolves both).

### F-DEP-3 — PostCSS XSS via Unescaped `` in CSS Stringify Output — MODERATE

| Field | Value |
|-------|-------|
| Advisory | [GHSA-qx2v-qp2m-jg93](https://github.com/advisories/GHSA-qx2v-qp2m-jg93) |
| Package | `postcss` (transitive: `vite > postcss`) |
| Installed | `8.5.8` (resolved in `bun.lock`) |
| Affected | `postcss < 8.5.10` |
| Fix | Upgrade to `postcss >= 8.5.10` (transitive — flows through `vite >= 6.4.2`) |
| Found via | `bun audit` |
| Roots | `ui/` (transitive), `mission-planner/` (transitive) |

**Production impact**: **LOW.** The advisory affects code that takes UNTRUSTED CSS as input and feeds it to PostCSS to stringify; the result is then injected into a page, allowing `` breakout → XSS. In this project PostCSS only processes:

- `src/index.css` (controlled, in-repo)
- Tailwind-generated CSS (via `@tailwindcss/vite` 4.2.2, controlled inputs)

No user-supplied CSS is ever processed. There is no exploit path in this codebase today. Treat as a hygiene upgrade.

**Build-time impact**: PostCSS runs at build time. The vulnerability surfaces only with attacker-controlled CSS input, which does not occur in this build.

**Remediation**: same upgrade as F-DEP-1/F-DEP-2 (transitive resolution lifts `postcss` to `>= 8.5.10`).

## Combined Remediation

A single command fixes all three findings in both roots:

```bash
bun update vite                        # in ui/
cd mission-planner && bun update vite
```

Then re-run `bun audit` in both roots to confirm zero findings.

## CI Coverage Gap

`.woodpecker/build-arm.yml` does NOT run `bun audit` today (confirmed by file inspection). The current pipeline catches only static-analysis regressions (`scripts/run-tests.sh static`), not new CVEs entering the lockfile. This is a **MEDIUM** infrastructure finding — see `infrastructure_review.md` F-INF-1.

## Self-verification

- [x] Both `package.json` manifests scanned (`ui/` + `mission-planner/`)
- [x] Each finding has a GHSA advisory ID
- [x] Upgrade paths identified for the High and Moderate findings (single `bun update vite`)
- [x] Production vs. dev impact distinguished for every finding
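The exit-code gate recommended under F-DEP-1 and the CI Coverage Gap, as an added example (not part of this report or of the project's `.woodpecker` config): a POSIX shell gate that fails the step when an audit report contains any advisory at or above a chosen severity. It assumes `bun audit --json` writes an npm-style bulk-advisory object (package name mapped to a list of advisories carrying a `severity` field); the sample report below is constructed to mirror this scan's three findings, not real tool output.

```shell
#!/usr/bin/env sh
# Added example, not from the scan report or the project's CI.
# Assumption: `bun audit --json` emits an object keyed by package name whose
# values are arrays of advisories with a "severity" field (npm bulk-advisory shape).

# Count advisories at or above a severity threshold in a JSON audit report.
# usage: count_at_or_above <report-file> <low|moderate|high|critical>
count_at_or_above() {
  report="$1"
  case "$2" in
    low)      pattern='"severity": *"(low|moderate|high|critical)"' ;;
    moderate) pattern='"severity": *"(moderate|high|critical)"' ;;
    high)     pattern='"severity": *"(high|critical)"' ;;
    critical) pattern='"severity": *"critical"' ;;
    *) echo "unknown threshold: $2" >&2; return 2 ;;
  esac
  grep -oE "$pattern" "$report" | wc -l | tr -d ' '
}

# CI gate: return 1 when any advisory meets the threshold, so the pipeline blocks.
# usage: audit_gate <report-file> <threshold>
audit_gate() {
  n=$(count_at_or_above "$1" "$2") || return 2
  if [ "$n" -gt 0 ]; then
    echo "audit gate: $n advisory(ies) at or above '$2' in $1" >&2
    return 1
  fi
  echo "audit gate: clean at '$2' for $1"
}

# Constructed sample report mirroring this scan's findings (not real bun output).
SAMPLE_REPORT="${TMPDIR:-/tmp}/sample-audit.json"
cat > "$SAMPLE_REPORT" <<'EOF'
{
  "vite": [
    {"url": "https://github.com/advisories/GHSA-p9ff-h696-f583", "severity": "high"},
    {"url": "https://github.com/advisories/GHSA-4w7w-66w2-5vf9", "severity": "moderate"}
  ],
  "postcss": [
    {"url": "https://github.com/advisories/GHSA-qx2v-qp2m-jg93", "severity": "moderate"}
  ]
}
EOF

# Assumed pipeline step, run in each root (`;` not `&&`, since the audit itself
# may exit non-zero when it finds advisories):
#   bun audit --json > audit.json; audit_gate audit.json high
```

Against the sample report the gate fails at `high` (one High finding) and passes at `critical`, which is the behaviour the `.woodpecker` step needs.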