🔒 High Severity Security Vulnerability: flatted package DoS vulnerability

[tbrandenburg]

🚨 Security Issue

Severity: High
Source: GitHub Actions workflow run #23094946934

Problem Description

The npm audit identified a high severity security vulnerability in the flatted package that is causing CI/CD build failures.

Vulnerability Details

• Package: flatted <3.4.0
• Severity: High
• Issue: Vulnerable to unbounded recursion DoS in parse() revive phase
• Advisory: GHSA-25h7-pfq9-p65f

Impact

• CI/CD pipeline failing with exit code 2
• Quality Assurance workflow blocked
• Security audit step preventing deployments

Error Output

flatted  <3.4.0
Severity: high
flatted vulnerable to unbounded recursion DoS in parse() revive phase
make: *** [Makefile:136: security-audit] Error 1
Process completed with exit code 2.

Recommended Action

1. Run npm audit fix to automatically update vulnerable dependencies
2. If automatic fix is not available, manually update flatted to version 3.4.0 or higher
3. Review and test the application after the update
4. Re-run the CI/CD pipeline to verify the fix

Priority

This should be addressed immediately as it's blocking the build pipeline and represents a security risk.

[github-actions]

Investigation: 🔒 High Severity Security Vulnerability: flatted package DoS vulnerability

Issue: #292 (#292)
Type: BUG
Investigated: 2026-03-14

Assessment

Metric	Value	Reasoning
Severity	HIGH	Blocking CI/CD pipeline, prevents deployments, security vulnerability in transitive dependency
Complexity	LOW	Single file change (package.json override), no code changes required
Confidence	HIGH	Clear root cause - outdated transitive dependency; straightforward fix

---

Problem Statement

The npm audit security scan identifies a high severity vulnerability in the flatted package (version < 3.4.0). The vulnerability is an unbounded recursion DoS in the parse() revive phase. This is a transitive dependency of eslint, causing CI/CD build failures with exit code 2.

---

Analysis

Root Cause Analysis (5 Whys)

WHY: npm audit reports flatted vulnerability (DoS in parse() revive phase)
↓ BECAUSE: The lock file contains flatted version 3.3.3 which is < 3.4.0
Evidence: package-lock.json:4294 - "version": "3.3.3"

↓ BECAUSE: flat-cache@4.0.1 depends on flatted@^3.2.9 (allows 3.3.x)
Evidence: package-lock.json:4286 - "flatted": "^3.2.9"

↓ BECAUSE: eslint@9.39.1 depends on file-entry-cache which depends on flat-cache
Evidence: npm ls flatted - eslint -> file-entry-cache -> flat-cache -> flatted@3.3.3

↓ ROOT CAUSE: No override specified to force flatted >= 3.4.0
The project relies on transitive dependencies without specifying version constraints for security patches.

Dependency Tree

eslint@9.39.1
  └── file-entry-cache@8.0.0
        └── flat-cache@4.0.1
              └── flatted@3.3.3  ← VULNERABLE (needs >= 3.4.0)

Affected Files

File	Lines	Action	Description
package.json	NEW	UPDATE	Add overrides for flatted >= 3.4.0
package-lock.json	AUTO	UPDATE	Will be regenerated by npm install

Git History

• Last audit fix: Unknown - this is a new vulnerability detection
• Imgression: New vulnerability detected in existing dependency chain

---

Implementation Plan

Step 1: Add overrides to package.json

File: package.json
Lines: (end of file, before closing brace)
Action: UPDATE

Current code:

{
  "name": "made",
  "private": true,
  "version": "0.1.0",
  "workspaces": [
    "packages/*"
  ],
  "scripts": { ... },
  "devDependencies": { ... }
}

Required change:
Add overrides field to force flatted >= 3.4.0:

{
  "name": "made",
  "private": true,
  "version": "0.1.0",
  "workspaces": [
    "packages/*"
  ],
  "scripts": { ... },
  "devDependencies": { ... },
  "overrides": {
    "flatted": ">=3.4.0"
  }
}

Why: npm overrides allow forcing a specific version of transitive dependencies. This is the standard way to address security vulnerabilities in transitive dependencies without waiting for upstream fixes.

---

Step 2: Regenerate package-lock.json

Action: RUN COMMAND

npm install

This will regenerate the lock file with flatted >= 3.4.0.

---

Step 3: Verify the fix

Action: RUN COMMAND

make security-audit

Expected output: No vulnerabilities reported (or only unrelated ones).

---

Patterns to Follow

From npm documentation - using overrides:

// package.json
{
  "overrides": {
    "flatted": ">=3.4.0"
  }
}

Reference: https://docs.npmjs.com/cli/v10/configuring-npm/package-json#overrides

---

Edge Cases & Risks

Risk/Edge Case	Mitigation
Override breaks eslint	flatted 3.4.0 is backward compatible; only fixes DoS vulnerability
Lock file conflicts	Delete node_modules and package-lock.json, then reinstall

---

Validation

Automated Checks

# Verify flatted version is >= 3.4.0
npm ls flatted

# Expected output should show flatted@3.4.0 or higher

# Run full security audit
make security-audit

# Expected: 0 vulnerabilities

Manual Verification

1. Run make security-audit - should pass with 0 vulnerabilities
2. Verify npm ls flatted shows version >= 3.4.0

---

Scope Boundaries

IN SCOPE:

• Add overrides to root package.json
• Regenerate package-lock.json to get fixed flatted version

OUT OF SCOPE (do not touch):

• Upgrading eslint (current version works fine)
• Modifying any application code
• Changes to frontend or backend packages

---

Metadata

• Investigated by: GHAR
• Timestamp: 2026-03-14
• Artifact: .ghar/issues/issue-292.md

[github-actions]

🕰️ This issue has been inactive for over 3 days.

@tbrandenburg - Could you provide an update on this issue?

If this issue is resolved or no longer relevant, please consider closing it.