Security audit (5 phases) → reports under _docs/05_security/. AZ-501 (F-SAST-1, HIGH): Externalize hardcoded Google Geocode key from mission-planner/src/config.ts to VITE_GOOGLE_GEOCODE_KEY via new GeocodeService.ts; fail-soft warn when unset; STC-SEC1D static deny-list gate; +5 unit tests in tests/mission_planner_geocode.test.ts. AZ-502 (F-DEP-1, HIGH): Force vite>=6.4.2 and postcss>=8.5.10 via package.json overrides in both roots; clean reinstall clears all bun audit advisories. Test-spec sync (Step 12) + Update Docs (Step 13) deltas: AC-43, AC-44, NFT-SEC-09b, FT-P-61, FT-N-17, ripple log, batch_12 report. Pending user actions: revoke Google + OWM keys (AC-6 / AZ-499 AC-7). 229 PASS / 13 SKIP / 0 FAIL on static + fast suites. Co-authored-by: Cursor <cursoragent@cursor.com>
# Dependency Scan — Azaion UI

- Date: 2026-05-12
- Scope: `package.json` + `bun.lock` (root) and `mission-planner/package.json` + `mission-planner/bun.lock`
- Tool: `bun audit` v1.3.11 (the project's pinned package manager)
- Cycle: Phase B / Cycle 2 (post AZ-498, AZ-499)
## Summary
| Severity | Count | Packages |
|---|---|---|
| Critical | 0 | — |
| High | 1 | vite (dev-server only) |
| Moderate | 2 | vite (dev-server only), postcss (build-time, low surface) |
| Low | 0 | — |
Both roots (main ui/ and mission-planner/) report the SAME advisory set — they share the same Vite 6.x + PostCSS 8.5.x major versions.
## Findings

### F-DEP-1 — Vite Arbitrary File Read via Dev Server WebSocket — HIGH
| Field | Value |
|---|---|
| Advisory | GHSA-p9ff-h696-f583 |
| Package | vite |
| Installed | 6.4.1 (resolved in bun.lock) |
| Affected | vite <= 6.4.1 |
| Fix | Upgrade to vite >= 6.4.2 (or latest 6.x), or bun update |
| Found via | bun audit |
| Roots | ui/ (direct), mission-planner/ (direct) |
Production impact: NONE. The Vite dev server is only used during `bun run dev` and `vitest` (test). Production runs `nginx:alpine` serving pre-built static assets from `dist/` (`Dockerfile:8-12`). The Vite WebSocket endpoint does not exist in production.

Developer-machine impact: HIGH in dev. An attacker on the same network as a developer running `bun run dev` with `--host` (which, given no value, binds 0.0.0.0) can read arbitrary files from the developer's filesystem via the WebSocket path traversal. Mitigation: bind the dev server to localhost only (the Vite default unless `--host` is passed).
Remediation:

- `bun update vite` in both roots (drops in-range to 6.4.2+).
- Verify the build passes (`bun run build`) and fast tests stay green (`scripts/run-tests.sh fast`).
- CI would-have-blocked check: add a `bun audit --high` exit-code gate to `.woodpecker/build-arm.yml` (Phase B follow-up — see infrastructure review).
### F-DEP-2 — Vite Path Traversal in Optimized Deps .map Handling — MODERATE
| Field | Value |
|---|---|
| Advisory | GHSA-4w7w-66w2-5vf9 |
| Package | vite |
| Installed | 6.4.1 |
| Affected | vite <= 6.4.1 |
| Fix | Upgrade to vite >= 6.4.2 (same upgrade as F-DEP-1) |
| Found via | bun audit |
| Roots | ui/ (direct), mission-planner/ (direct) |
Production impact: NONE — same reason as F-DEP-1; production has no Vite dev server.
Developer-machine impact: MODERATE — path traversal on /optimized-deps/<…>.map paths during dev sessions.
Remediation: same upgrade as F-DEP-1 (single bun update vite resolves both).
### F-DEP-3 — PostCSS XSS via Unescaped `</style>` in CSS Stringify Output — MODERATE
| Field | Value |
|---|---|
| Advisory | GHSA-qx2v-qp2m-jg93 |
| Package | postcss (transitive: vite > postcss) |
| Installed | 8.5.8 (resolved in bun.lock) |
| Affected | postcss < 8.5.10 |
| Fix | Upgrade to postcss >= 8.5.10 (transitive — flows through vite >= 6.4.2) |
| Found via | bun audit |
| Roots | ui/ (transitive), mission-planner/ (transitive) |
Production impact: LOW. The advisory affects code that takes UNTRUSTED CSS as input and feeds it to PostCSS to stringify; the result is then injected into a page, allowing `</style>` breakout → XSS. In this project PostCSS only processes:

- `src/index.css` (controlled, in-repo)
- Tailwind-generated CSS (via `@tailwindcss/vite` 4.2.2, controlled inputs)
- No user-supplied CSS is ever processed.
There is no exploit path in this codebase today. Treat as a hygiene upgrade.
Build-time impact: PostCSS runs at build time. The vulnerability surfaces only with attacker-controlled CSS input, which does not occur in this build.
Remediation: same upgrade as F-DEP-1/F-DEP-2 (transitive resolution lifts postcss to >= 8.5.10).
## Combined Remediation

A single command fixes all three findings in both roots:

```sh
bun update vite                        # in ui/
cd mission-planner && bun update vite  # in mission-planner/
```

Then re-run `bun audit` in both roots to confirm zero findings.
## CI Coverage Gap

`.woodpecker/build-arm.yml` does NOT run `bun audit` today (confirmed by file inspection). The current pipeline catches only static-analysis regressions (`scripts/run-tests.sh static`), not new CVEs entering the lockfile. This is a MEDIUM infrastructure finding — see `infrastructure_review.md` F-INF-1.
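One shape the missing exit-code gate could take, as an added example that is not code from the Azaion repository or its Woodpecker pipeline: a POSIX shell script that runs `bun audit` in each workspace root and fails the CI step if any root reports findings or is misconfigured. It assumes that `bun audit` returns a non-zero exit status when advisories are present (the premise of an exit-code gate); `AUDIT_CMD` is a hypothetical override for this script only, defaulting to the plain `bun audit` this report recommends.

```sh
#!/usr/bin/env sh
# Added example (not part of the Azaion repo or .woodpecker/build-arm.yml):
# a CI gate that runs `bun audit` in every listed workspace root and fails
# the step if any root has findings. Relies on `bun audit` exiting non-zero
# when advisories are present.
#
# AUDIT_CMD is a hypothetical knob for this script: it defaults to the
# plain `bun audit` the report recommends and can be overridden (to add
# flags, or to `true`/`false` when exercising the gate logic itself).

# Audit one root. A root without a bun.lock is treated as a failure rather
# than skipped, so a mistyped path cannot make the gate pass vacuously.
audit_root() {
  root="$1"
  if [ ! -f "$root/bun.lock" ]; then
    echo "error: $root has no bun.lock (wrong path or unmanaged root)" >&2
    return 2
  fi
  ( cd "$root" && ${AUDIT_CMD:-bun audit} )
}

# Audit every root given as an argument; returns 0 only when all roots are
# clean. Keeps going after a failure so the CI log shows every root's status.
audit_roots() {
  status=0
  for root in "$@"; do
    if audit_root "$root"; then
      echo "ok: $root"
    else
      echo "FAIL: audit findings (or missing lockfile) in $root" >&2
      status=1
    fi
  done
  return "$status"
}

# Usage from the repo top level: sh audit-gate.sh . mission-planner
if [ "$#" -gt 0 ]; then
  audit_roots "$@"
fi
```

Wired into the pipeline as a step that runs before the build, a non-zero exit from `audit_roots` blocks the merge, which is exactly the "would-have-blocked" behaviour the F-DEP-1 remediation asks for; dropping the lockfile check would let a renamed root silently pass, so it is deliberately a hard failure.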
## Self-verification

- Both `package.json` manifests scanned (`ui/` + `mission-planner/`)
- Each finding has a GHSA advisory ID
- Upgrade paths identified for the High and Moderate findings (single `bun update vite`)
- Production vs. dev impact distinguished for every finding