
Improve minifier behavior and remove vulnerable dependencies #44

Open
tobitege wants to merge 3 commits into wolfe-labs:main from tobitege:main

Conversation

@tobitege (Author)

Summary

This PR contains two follow-up changes on top of main.

  1. Adjust the Lua minifier integration in DULuaConfig
  • pass explicit minifier options instead of relying on the library defaults
  • keep global renaming disabled
  • fall back to the original code when minification fails instead of aborting the whole build
  2. Remove vulnerable dependencies and replace the small pieces of functionality that depended on them
  • remove the direct npm dependency, which was pulling most of the reported advisories into the lockfile
  • remove axios and replace its two GET call sites with a small local HTTP JSON helper in src/lib/HttpClient.ts
  • remove lodash usage by replacing the remaining call sites with native code
  • bump yaml to ^1.10.3
  • add an override for cross-spawn so the clipboard-related transitive dependency resolves to a fixed version
  • refresh package-lock.json

Why

The repository had accumulated Dependabot alerts from an older dependency tree. After these changes, the local audit is clean while the CLI still builds and starts normally.

Verification

  • npm install
  • npm audit
  • npm run build
  • du-lua help
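
The description above replaces axios with "a small local HTTP JSON helper" but the helper itself is not shown in this thread. The block below is an added example, not the PR's src/lib/HttpClient.ts and not code from the wolfe-labs project: it sketches what a dependency-free JSON GET helper should check when it takes over from axios (https-only URLs, an optional host allow-list, a timeout, a body size cap, status and content-type validation, and a JSON parse that fails closed). The `Fetcher` injection point, the `HttpError` class and the option names are assumptions made for the example; in Node 18+ the global `fetch` can be passed as the fetcher.

```typescript
// Added example: a dependency-free JSON GET helper, not the PR's own HttpClient.ts.
// Assumptions: a fetch-compatible function is passed in (Node 18+ global fetch works);
// option names, HttpError and Fetcher are invented for this example.

export interface JsonGetOptions {
  timeoutMs?: number;      // give up waiting after this many milliseconds
  maxBytes?: number;       // refuse response bodies larger than this
  allowedHosts?: string[]; // optional allow-list of hostnames
}

// The minimal surface we need from a fetch() Response.
export interface MinimalResponse {
  status: number;
  headers: { get(name: string): string | null };
  text(): Promise<string>;
}

export type Fetcher = (
  url: string,
  init: { headers: Record<string, string> }
) => Promise<MinimalResponse>;

export class HttpError extends Error {
  readonly status?: number;
  constructor(message: string, status?: number) {
    super(message);
    this.name = "HttpError";
    this.status = status;
  }
}

// Pure URL check done before any network I/O: https only, optionally only known hosts.
export function checkUrl(url: string, allowedHosts?: string[]): URL {
  const parsed = new URL(url); // throws on malformed input
  if (parsed.protocol !== "https:") {
    throw new HttpError(`refusing non-https URL (${parsed.protocol})`);
  }
  if (allowedHosts && !allowedHosts.includes(parsed.hostname)) {
    throw new HttpError(`host not allowed: ${parsed.hostname}`);
  }
  return parsed;
}

// Pure response check: status range, content-type, size cap, then JSON.parse.
// Kept separate from the network call so it can be tested with constructed inputs.
export function parseJsonBody<T>(
  status: number,
  contentType: string | null,
  body: string,
  maxBytes: number
): T {
  if (status < 200 || status >= 300) {
    throw new HttpError(`unexpected HTTP status ${status}`, status);
  }
  if (!contentType || !/^application\/json\b/i.test(contentType.trim())) {
    throw new HttpError(`unexpected content-type: ${contentType ?? "<none>"}`, status);
  }
  // body.length counts UTF-16 code units, which never exceeds the UTF-8 byte count,
  // so this is a conservative cap; use TextEncoder for a byte-exact check.
  if (body.length > maxBytes) {
    throw new HttpError(`response body exceeds ${maxBytes} bytes`, status);
  }
  try {
    return JSON.parse(body) as T;
  } catch (e) {
    throw new HttpError(`response is not valid JSON: ${(e as Error).message}`, status);
  }
}

// GET a JSON document. The timeout rejects the caller's promise; it does not abort
// the underlying socket (pass an AbortSignal through the fetcher for that).
export async function getJson<T>(
  url: string,
  fetcher: Fetcher,
  opts: JsonGetOptions = {}
): Promise<T> {
  const { timeoutMs = 10_000, maxBytes = 1_048_576, allowedHosts } = opts;
  const target = checkUrl(url, allowedHosts);
  let timer: ReturnType<typeof setTimeout> | undefined;
  const timeout = new Promise<never>((_, reject) => {
    timer = setTimeout(() => reject(new HttpError(`timeout after ${timeoutMs} ms`)), timeoutMs);
  });
  try {
    const res = await Promise.race([
      fetcher(target.toString(), { headers: { accept: "application/json" } }),
      timeout,
    ]);
    const body = await Promise.race([res.text(), timeout]);
    return parseJsonBody<T>(res.status, res.headers.get("content-type"), body, maxBytes);
  } finally {
    if (timer !== undefined) clearTimeout(timer);
  }
}
```

The two pure functions carry all of the policy, so the network path stays a few lines and the checks can be exercised with a fake fetcher; a helper like this also makes the `allowedHosts` list the natural place to pin the handful of endpoints a CLI actually talks to.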

@tobitege (Author)

tobitege commented Apr 20, 2026

@matpratta - fyi: just today there was another axios npm sec thread reported by CISA, but fortunately this repo's version was locked to an older version. This makes the removal of axios with this PR even more important.
Edit: doh! they reported an incident from 3+ weeks ago!

@matpratta (Contributor)

Hey @tobitege!

It's been a while since I worked on this project (or anything related to DU; I haven't had the game installed since they shut down).

Will try to review it over the weekend, as it's a somewhat big PR; I'm mainly concerned about breaking the minifier behavior for others.

Thanks for the PR though!
