Fix npm dependency vulnerabilities (Webpack 3 compatible)

[polevaultweb]

Summary

GitHub Dependabot flagged 30 open vulnerability alerts (2 Composer dev-only, 28 npm). The npm runtime dependencies that ship in dist/ need updating, but the current build toolchain (Webpack 3 + Babel 6) cannot parse modern ES module syntax.

Key Constraint

Webpack 3 + Babel 6 only supports CommonJS/ES5. Any updated dependency must not use ES module syntax (export default, object spread in source, optional chaining, etc.) or the build will fail.

Runtime deps to update (ship in dist/)

Package	Current	Issue	Notes
axios	^0.18.0	SSRF, ReDoS CVEs	1.x uses ESM — need highest safe 0.x (likely 0.21.4 or 0.28.x)
sanitize-html	^1.18.2	Multiple CVEs	2.x uses ESM — need highest safe 1.x or find CJS-compatible 2.x
qs	^6.5.1	Prototype pollution	Likely safe to update within 6.x (stays CJS) — verify

What was tried

• Updated to axios@^1.7.0, qs@^6.14.0, sanitize-html@^2.13.0
• npm install required --legacy-peer-deps (eslint peer conflict) and --ignore-scripts (node-sass needs native build)
• npm run build failed: Webpack 3 cannot parse ES module syntax in axios 1.x and sanitize-html 2.x

Approach

1. Find the highest versions of each package that are both CVE-free AND Webpack 3 compatible
2. If no safe+compatible version exists, consider vendoring a pre-built bundle or pinning with an overrides entry
3. Long term: modernise the build toolchain (Webpack 5 + Babel 7 or Vite) — tracked separately as Vue 2→3 migration

Dev-only deps (lower priority)

The 26 remaining npm alerts are in devDependencies (grunt, webpack-dev-server, node-sass, etc.) that never ship to customers. These are noise unless the build toolchain is modernised.

2 Composer alerts (phpunit, symfony/process) are also dev-only.

[polevaultweb]

🔍 Issue Triage

Type: bug
Severity: medium
Complexity: medium
RICE Score: 12 — Reach: 600 × Impact: 0.5 × Confidence: 80% / Effort: 2pw

---

Problem

GitHub Dependabot has flagged 30 open vulnerability alerts: 2 Composer dev-only and 28 npm. The critical issue is that 3 npm runtime dependencies shipped in dist/ have known CVEs:

• axios ^0.18.0 — SSRF and ReDoS vulnerabilities
• sanitize-html ^1.18.2 — Multiple CVEs (XSS, ReDoS)
• qs ^6.5.1 — Prototype pollution

The core constraint: Webpack 3 + Babel 6 cannot parse modern ES module syntax. Updating to axios 1.x or sanitize-html 2.x causes build failures because these versions use ES modules (export default, object spread, optional chaining).

The 26 remaining npm alerts are in devDependencies (grunt, webpack-dev-server, node-sass) that never ship to customers — lower priority.

Reproduction Steps

1. Clone wp-user-manager, run npm install --legacy-peer-deps --ignore-scripts
2. Update axios to 1.x, sanitize-html to 2.x in package.json
3. Run npm run build
4. Actual: Build fails with ES module syntax errors from Webpack 3
5. Expected: Build should succeed with patched, CVE-free dependencies

Environment: Webpack 3.12.0, Babel 6.x, Node.js 22.x

Proposed Solution

Phase 1 (immediate): Find the highest Webpack 3-compatible versions that fix CVEs:

• axios: Test versions 0.21.4, 0.27.x, 0.28.x (all use CommonJS syntax)
• sanitize-html: Test highest 1.x version (likely 1.27.x)
• qs: Likely safe to update within 6.x range (stays CommonJS)

Verify each candidate:

1. Run npm install with the pinned version
2. Run npm run build — must succeed
3. Check CVE status on Snyk/GitHub

Phase 2 (long-term): Modernize the build toolchain (Webpack 5 + Babel 7 or Vite). This is blocked by the Vue 2 → 3 migration effort (tracked separately).

Acceptance Criteria

• GIVEN the updated package.json, WHEN running npm install && npm run build, THEN the build succeeds without ES module errors
• GIVEN the built dist/ files, WHEN analyzed with Dependabot or Snyk, THEN runtime CVEs for axios, sanitize-html, and qs are resolved or mitigated
• GIVEN the updated dependencies, WHEN testing registration forms, profile editing, and avatar uploads, THEN all functionality works correctly (no regressions)

Technical Notes

• Files involved: package.json, webpack.config.js, dist/ built assets
• Dependencies: Webpack 3, Babel 6, axios, sanitize-html, qs — all runtime dependencies embedded in plugin
• Sensitive areas: File uploads (sanitize-html is used for user-submitted content), HTTP requests (axios for Stripe/API calls)
• Estimated effort: 1-2 days (medium). Research + test compatible versions (1 day), verify no regressions (0.5 day), document findings (0.5 day).

Related Issues

None. Long-term toolchain modernization is tracked separately.

---

Backlog summary: [RICE: 12] [Type: bug] [Effort: M] — Fix npm runtime dependency CVEs (Webpack 3 compatible)