ealmeida/DashDescomplicar
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
20c16ab1e0f87d49b45b597b2bc192d107582d72
DashDescomplicar/package-lock.json
Emanuel Almeida 20c16ab1e0 security: fix 3 critical vulnerabilities + dependency audit 
CRITICAL FIXES:
- Remove hardcoded DB password from api/db.ts (was: 9qPRdCGGqM4o)
- Remove hardcoded API key from api/routes/wp-monitor.ts
- Add mandatory env var validation for DB_USER, DB_PASS, DB_NAME
- Add mandatory env var validation for WP_MONITOR_API_KEY
- Add connection timeouts to MySQL pool (10s/15s/30s)

VERIFIED:
- .env never committed to Git (credentials not exposed in repo)
- .gitignore working correctly

DEPENDENCIES:
- Fix qs vulnerability (GHSA-w7fw-mjwx-w883)
- npm audit: 1 low → 0 vulnerabilities

Related: AUDIT-REPORT.md vulnerabilities 1.1, 1.2, 1.3
Next: Implement rate limiting, CORS restrictions, input validation

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-14 03:38:09 +00:00

215 KiB
Executable File
Raw Blame History

View Raw
Reference in New Issue View Git Blame Copy Permalink