fix(ci): fix npm audit vulnerabilities (firecrawl#2682)

- Update undici from ^7.10.0 to ^7.18.2 to fix GHSA-g9mf-h72j-4rw9
- Allowlist GHSA-73rr-hh4g-fpgx (jsdiff via ts-node and git-diff):
  Low severity DoS in patch parsing - affects dev tools only

Co-authored-by: firecrawl-spring[bot] <254786068+firecrawl-spring[bot]@users.noreply.github.com>
Co-authored-by: mogery <mogery@sideguide.dev>

Author: firecrawl-spring[bot]

apps/api/audit-ci.jsonc

@@ -9,6 +9,8 @@
         "GHSA-mh29-5h37-fv8m|@jest/globals>@jest/expect>jest-snapshot>@jest/transform>babel-plugin-istanbul>@istanbuljs/load-nyc-config>js-yaml", // not impacted by this
         "GHSA-36hm-qxxp-pg3m|@coinbase/x402>x402>wagmi>@wagmi/connectors>@coinbase/wallet-sdk>preact", // we don't use preact in our code paths
         "GHSA-3vhc-576x-3qv4|@coinbase/x402>x402>wagmi>@wagmi/connectors>porto>hono", // we don't use hono
-        "GHSA-f67f-6cw9-8mq4|@coinbase/x402>x402>wagmi>@wagmi/connectors>porto>hono" // we don't use hono
+        "GHSA-f67f-6cw9-8mq4|@coinbase/x402>x402>wagmi>@wagmi/connectors>porto>hono", // we don't use hono
+        "GHSA-73rr-hh4g-fpgx|git-diff>diff", // dev dependency for diffs, not processing user-supplied patches
+        "GHSA-73rr-hh4g-fpgx|ts-node>diff" // dev dependency for TypeScript execution, not processing user-supplied patches
     ]
 }

apps/api/package.json

@@ -133,7 +133,7 @@
     "tldts": "^6.1.75",
     "tough-cookie": "^4.1.4",
     "turndown": "^7.1.3",
-    "undici": "^7.10.0",
+    "undici": "^7.18.2",
     "uuid": "^13.0.0",
     "winston": "^3.14.2",
     "ws": "^8.18.0",

apps/api/pnpm-lock.yaml

@@ -2,6 +2,7 @@ import type { Socket } from "net";
 import { config } from "../../../../config";
 import type { TLSSocket } from "tls";
 import * as undici from "undici";
+import { interceptors } from "undici";
 import { CookieJar } from "tough-cookie";
 import { cookie } from "http-cookie-agent/undici";
 import IPAddr from "ipaddr.js";
@@ -19,11 +20,7 @@ export function isIPPrivate(address: string): boolean {
 }
 
 function createBaseAgent(skipTlsVerification: boolean) {
-  const agentOpts: undici.Agent.Options = {
-    maxRedirections: 5000,
-  };
-
-  return config.PROXY_SERVER
+  const baseAgent = config.PROXY_SERVER
     ? new undici.ProxyAgent({
         uri: config.PROXY_SERVER.includes("://")
           ? config.PROXY_SERVER
@@ -34,14 +31,15 @@ function createBaseAgent(skipTlsVerification: boolean) {
         requestTls: {
           rejectUnauthorized: !skipTlsVerification, // Only bypass SSL verification if explicitly requested
         },
-        ...agentOpts,
       })
     : new undici.Agent({
         connect: {
           rejectUnauthorized: !skipTlsVerification, // Only bypass SSL verification if explicitly requested
         },
-        ...agentOpts,
       });
+
+  // Add redirect interceptor for handling redirects
+  return baseAgent.compose(interceptors.redirect({ maxRedirections: 5000 }));
 }
 
 function attachSecurityCheck(agent: undici.Dispatcher) {

apps/api/src/scraper/scrapeURL/engines/utils/safeFetch.ts

@@ -1,4 +1,7 @@
 {
     "$schema": "https://github.com/IBM/audit-ci/raw/main/docs/schema.json",
-    "low": true
+    "low": true,
+    "allowlist": [
+        "GHSA-73rr-hh4g-fpgx|ts-node>diff" // dev dependency for TypeScript execution, not processing user-supplied patches
+    ]
 }

apps/js-sdk/audit-ci.jsonc

@@ -1,4 +1,7 @@
 {
     "$schema": "https://github.com/IBM/audit-ci/raw/main/docs/schema.json",
-    "low": true
+    "low": true,
+    "allowlist": [
+        "GHSA-73rr-hh4g-fpgx|ts-node>diff" // dev dependency for TypeScript execution, not processing user-supplied patches
+    ]
 }