Fix high and critical npm security vulnerabilities across monorepo apps

Problem

Multiple applications within the monorepo were flagged for high and critical security vulnerabilities in their dependency trees via npm audit and Dependabot:

  • dbtaudit: protobufjs critical arbitrary code execution (GHSA-xq3m-2v4x-88gg)
  • router: fastify body schema validation bypass (GHSA-247c-9743-5963)
  • marketing-site: Multiple high vulnerabilities in astro, undici, vite, defu, h3, picomatch
  • hubspot-cli: 9 high vulnerabilities in transitive dependencies (axios, express, body-parser, path-to-regexp, vite, @modelcontextprotocol/sdk)

Symptoms

Security audits reported:

  • 1 CRITICAL vulnerability (protobufjs)
  • Multiple HIGH severity vulnerabilities
  • Vulnerabilities in both direct dependencies and transitive dependencies

What Didn’t Work

  • Standard npm audit fix: Often insufficient. It only moves a package within the range its parent already allows, so when the fixed version is excluded by a parent that has not yet released an update it reports the finding but cannot change it, and npm audit fix --force (which takes semver-major bumps) risks breaking that parent
  • Waiting for parent package updates: HubSpot CLI and other tools pinned older versions of transitive deps
  • Global npm installs: A globally installed CLI has no lockfile in the repo, so neither npm audit nor Dependabot ever scanned its dependency tree

Solution

A multi-layered approach was used to patch all flagged vulnerabilities:

1. dbtaudit - Fixed via audit fix

npm audit fix
# Fixed protobufjs -> 7.5.5

2. router - Updated fastify

// apps/router/package.json
"fastify": "^5.9.0"

3. marketing-site - Major version bumps

// apps/marketing-site/package.json
"astro": "^6.1.8",
"@astrojs/node": "^10.0.5"

4. hubspot-cli - npm overrides for transitive deps

// tools/hubspot-cli/package.json
{
  "name": "@brainforge/hubspot-cli-local",
  "devDependencies": {
    "@hubspot/cli": "^7.0.2"
  },
  "overrides": {
    "axios": "^1.15.0",
    "body-parser": "^1.20.3",
    "express": "^4.21.2",
    "path-to-regexp": "^0.1.13",
    "vite": "^6.4.2",
    "@modelcontextprotocol/sdk": "^1.25.4",
    "qs": "^6.14.0",
    "send": "^1.1.0",
    "serve-static": "^1.16.2"
  }
}

Why This Works

  1. Direct framework updates (fastify, astro) incorporate upstream security patches
  2. npm overrides force the package manager to install the specified versions wherever the package appears in the tree, regardless of the ranges the intermediate packages declare, which closes vulnerabilities in deep transitive dependencies. Two caveats: npm only honours overrides in the root package.json of the install (overrides declared by a dependency are ignored), and an override can push a parent onto a version it was never tested with, so the tool has to be exercised again after the lockfile is regenerated
  3. Local tooling within the monorepo (vs global npm installs) keeps each tool's dependency tree in a committed lockfile, so npm audit and Dependabot scan it like any other app

Prevention

  1. Local Tooling: Keep developer tools within the monorepo’s tools/ directory rather than global installs
  2. Version Overrides: Use the overrides field (resolutions for Yarn, pnpm.overrides for pnpm) to patch deep-tree vulnerabilities when parent packages lag behind security releases, and revisit each override once the parent ships a fix, since an override keeps applying even when the parent later wants a different major
  3. Continuous Auditing: Run npm audit regularly across all sub-apps in the monorepo
  4. Dependabot Grouping: Configure Dependabot with grouped updates so related security patches arrive as one PR per app instead of a flood of single-package PRs, and register every package.json in the monorepo (each apps/* and tools/* directory) so no sub-app goes unscanned

Verification

Run npm audit in each affected directory from the repo root (each line is a subshell, so the cd does not carry over to the next one):

(cd apps/dbtaudit && npm audit)        # 0 vulnerabilities
(cd apps/router && npm audit)          # 0 vulnerabilities
(cd apps/marketing-site && npm audit)  # 0 vulnerabilities
(cd tools/hubspot-cli && npm audit)    # 0 high/critical (moderate/low remain)