Dependency audit¶

🔒 INTERNAL ONLY. Vendor-advisory cross-references and exact version-pin info; do not share externally without redaction.

Date of capture. 2026-04-25. Audit tool. npm audit --json (ebit-api), pnpm audit (ebit-fe, ebit-admin-fe). Scope. All three repos under /home/ubuntu/ebit/; no --production flag — counts include dev dependencies (build tooling).

Aggregate counts¶

Repo	Total advisories	Critical	High	Moderate	Low
`ebit-api`	82	5	30	33	14
`ebit-fe`	80	1	37	35	7
`ebit-admin-fe`	68	2	30	30	6
Total (raw)	230	8	97	98	27

Raw totals over-count: most advisories appear transitively in two or three repos (webpack, axios, undici, lodash, nest/*).

Top 20 advisories — prioritized¶

Direct dependencies first, transitive sorted by severity. Owner column points to the primary maintainer team.

Critical¶

#	Package	Version range	Advisory	Repo	Fix path	Risk if unpatched	Owner
1	`@bebkovan/server-core`	* (direct)	(private; transitively pulls vulnerable `eosjs` + `nestjs-cls`)	api	Upgrade `@bebkovan/server-core` to current minor; falls back to upstream `nestjs-cls` patched version	RCE potential via the `eosjs` chain	platform-auth
2	`eosjs`	`>= 20.0.4-3f9295a.0`	https://github.com/advisories/GHSA-* (deprecation; legacy crypto)	api	Pin `eosjs@20.0.3` (semver-major downgrade) or remove dependency	Crypto-API surface that we don't actually use	platform-auth
3	`next`	<14.2.30	Next.js critical advisories (cache poisoning, SSRF)	fe (admin-fe no longer uses Next — migrated to Vite + React 19)	`next@14.2.30` (minor)	Cache-poisoning + SSRF in Next dev / build server	frontend-platform
4	`form-data`	<2.5.4 / 3.0.4 / 4.0.4	GHSA-form-data unsafe random boundary	fe (transitive via `node-network-devtools`)	`form-data@4.0.4`	Predictable multipart boundary; chained with cache-poison vectors	frontend-platform
5	`cookie`	<0.7.0	GHSA-cookie name/path injection	api, fe	`cookie@0.7.x`; transitively pulled by Next/Nest	Cookie-jar tampering	platform-auth

High (direct deps)¶

#	Package	Version	Advisory	Repo	Fix	Risk	Owner
6	`axios`	1.0.0–1.14.0	DoS via `__proto__`, NO_PROXY hostname-norm SSRF, cloud-metadata exfiltration	api, fe, admin-fe	`axios@1.14.1+`	SSRF + DoS surface on outbound HTTP	platform-integrations
7	`@nestjs/core`	<=11.1.17	GHSA-36xv-jgw5-4q75 — special-element neutralization	api	`@nestjs/core` minor bump aligned with `@nestjs/bullmq@11.0.4`	Injection downstream	backend-platform
8	`@nestjs/microservices`	<=11.1.18	GHSA-hpwf-8g29-85qm — DoS via recursive `handleData` (TCP transport)	api	`@nestjs/microservices@11.1.19`	DoS on TCP transport (we use Redis transport, lower exploit-likelihood)	backend-platform
9	`@nestjs/platform-express`	<=11.1.1	(transitive Express advisories)	api	`@nestjs/platform-express@11.1.19`	Express body-parser surface	backend-platform
10	`@nestjs/cli`	<=11.0.16	webpack/inquirer/glob chain	api (dev-only)	`@nestjs/cli@11.0.21` (semver-major)	Build-time SSRF via webpack `buildHttp`	backend-platform
11	`bcrypt`	5.0.1–5.1.1	`node-pre-gyp` `tar` chain	api	`bcrypt@6.0.0` (semver-major)	Build-time vulnerability; deploy-only impact	platform-auth
12	`validator`	<=13.15.20	URL-validation bypass + incomplete special-char filter	api	`validator@13.15.21+`	Open-redirect / SSRF via class-validator URL checks	backend-platform
13	`vite`	<=6.4.1	Multiple `server.fs.deny` bypasses, path-traversal, WS arbitrary read	api (dev-only)	`vite@6.4.2+`	Dev-time only; shut down in CI/prod	dev-tooling
14	`@type-cacheable/core`	<=14.2.1	(cache-key forgery surface)	api	upgrade to current minor	Cache-key collision exploits	backend-platform

High (transitive — frequently chained)¶

#	Package	Version	Advisory	Repos	Fix	Risk	Owner
15	`webpack`	5.49.0–5.104.0	GHSA-8fgc, GHSA-38r7 — `buildHttp` allowedUris bypass + redirect SSRF	api, fe, admin-fe	`webpack@5.104.0+` (semver-major in some chains)	Build-time SSRF + cache persistence	dev-tooling
16	`undici`	<6.21.2	Multiple advisories (resource exhaustion, request-smuggling)	fe (via `node-network-devtools`)	`undici@6.21.2+`	Backend HTTP-client surface	frontend-platform
17	`tar`	<=6.2.0	(zip-slip / path-traversal)	api (via `node-pre-gyp`)	Bumped via `bcrypt@6.0.0`	Build-time only	dev-tooling
18	`serialize-javascript`	<6.0.2	XSS in serialized output	fe, admin-fe (terser-webpack-plugin)	Bumped by webpack upgrade	Build-time JS injection	dev-tooling
19	`bullmq`	1.0.1–5.76.1	Depends on vulnerable `uuid`	api	`bullmq@5.77.0+`	UUID predictability; low risk for our usage	backend-platform
20	`lodash`	(per `@nestjs/config`)	various lodash advisories	api	`@nestjs/config@4.0.4` (semver-major)	Prototype-pollution surface	backend-platform

Moderate (notable)¶

@nestjs/common <10.4.16 — GHSA-cj7v-w2c7-cp7c — RCE via Content-Type header (CVSS 5.5). Owner: backend-platform. Fix: @nestjs/common@10.4.16+.
@nestjs/bull * — depends on vulnerable bull. Migrate fully to @nestjs/bullmq (already primary).
@google-cloud/storage (legacy ranges) — retry-request, teeny-request, uuid chain. Fix: @google-cloud/storage@5.20.4+ (semver-major).

Patch plan¶

Wave	Effort	Items	Target
W1 (immediate, semver-safe)	1d	`@nestjs/common`, `@nestjs/microservices`, `@nestjs/platform-express`, `validator`, `axios`, `cookie`, `next` patch	Q2-2026
W2 (semver-major, gated by tests)	3–5d	`@nestjs/cli`, `@nestjs/bullmq` 11.0.4, `@nestjs/config` 4.x, `bcrypt` 6.x, `@google-cloud/storage` 5.x	Q2-2026
W3 (replace / sunset)	2d	Remove `eosjs`-pulling `@bebkovan/server-core` shim if unused; sunset `@nestjs/bull`	Q3-2026
W4 (build-time only)	tracked	`webpack`, `vite`, `tar`, `serialize-javascript` — bumped via tooling upgrades	Continuous

Verification¶

After each wave, re-run npm audit / pnpm audit and append the diff to this file under a new "Capture YYYY-MM-DD" section.
CI gate: GitLab CI job security:audit runs npm audit --audit-level=high and pnpm audit --audit-level=high against the lockfile on every MR. Failing job blocks merge unless an explicit audit-exception:<pkg>:<advisory> label is set with a justification.
Renovate / Dependabot: {{TBD: confirm enablement}} — currently we patch on-demand.

Known accepted¶

Package	Advisory	Why accepted	Compensating control
`vite`	various	Dev-only; not in production bundle	CI uses pinned image; prod build is separate
`webpack` `buildHttp`	GHSA-8fgc, GHSA-38r7	We don't use `buildHttp` plugin	Build-time grep asserts plugin absent
`eosjs`	(legacy)	Only loaded transitively; runtime path not exercised	{{TBD: confirm via runtime tracing}}

Cross-references¶

Findings track: docs/security/internal/findings.md (no SR-NNN currently filed for dep advisories — captured here instead).
Customer-facing layer: docs/security/client/risk-register.md does not enumerate dep advisories; treated as ongoing operational hygiene.
Audit job spec: .gitlab-ci.yml security:audit stage (each repo).
Renovate config: {{TBD}}.