Fix/vulnerabilities#36

Merged
muneebs merged 6 commits into main from fix/vulnerabilities
Feb 1, 2026

Conversation

@muneebs (Owner) commented Feb 1, 2026

Summary

This PR fixes critical timing attack vulnerabilities in CSRF token validation and updates all vulnerable dependencies to their patched versions.

Changes Made

  • Security: Fixed 3 timing attack vulnerabilities by replacing !== with timingSafeEqual() in token validation (validation.ts:104, 142, 147)
  • Security: Fixed weak secret generation to use proper base64 encoding instead of comma-separated decimals (constants.ts:146)
  • Dependencies: Updated qs, diff, js-yaml, next, and dev tools to patched versions
  • Build: Updated package exports to match new tsdown output format (.mjs files)

Key Improvements

  • Eliminates timing side-channel attacks that could allow token reconstruction through response timing analysis
  • Zero vulnerabilities remaining (verified via pnpm audit)
  • Stronger secrets with proper cryptographic encoding
  • All dependency CVEs resolved including CVE-2025-15284 (qs), CVE-2026-24001 (diff)

Technical Details

Security Fixes

All CSRF token comparisons now use constant-time equality checks to prevent timing attacks:

- if (cookieToken !== submittedToken) {
+ if (!timingSafeEqual(cookieToken, submittedToken)) {
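Review bot: the replacement passes cookieToken and submittedToken, the same string values the old !== compared, straight into timingSafeEqual(); if that is node:crypto's function it accepts only Buffers or TypedArrays of equal byte length, so plain strings are a type error and two tokens of different length throw a TypeError instead of returning false. Confirm this is a wrapper that encodes both sides and either hashes them to a fixed length or returns false on a length mismatch before calling the primitive, otherwise a wrong-length submitted token turns validation into a 500 on the request path rather than a clean rejection.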

Default secret generation now uses generateSecureSecret() for proper base64-encoded high-entropy secrets.

Breaking Changes

None - all changes are backward compatible.

Testing Instructions

  1. Run pnpm install to update dependencies
  2. Run pnpm test - all 66 tests should pass
  3. Run pnpm audit - should report zero vulnerabilities

Impact Assessment

  • Security: Critical - addresses vulnerabilities that could bypass CSRF protection
  • Compatibility: None - all changes are internal security improvements
  • Performance: Negligible - timing-safe comparisons add microseconds per request

Checklist

  • Security vulnerabilities fixed
  • All tests passing (66/66)
  • Dependencies updated
  • Zero audit vulnerabilities
  • Changeset created

Related Issues

Addresses critical security vulnerabilities discovered in security audit.

Summary by CodeRabbit

  • Bug Fixes

    • Mitigated timing-attack vulnerabilities in CSRF/token validation and replaced weak secret generation with a secure, high-entropy method.
  • Chores

    • Security dependency updates (qs, diff, js-yaml, next, and dev tooling).
    • Broadened Next.js compatibility to v16 and updated build output for improved module compatibility.
    • All tests passing; immediate upgrade recommended.

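The two fixes the description above covers, as an added TypeScript example that is not code from this PR or from the project: the `!==` comparison beside a constant-time replacement that cannot throw, a base64 secret generator beside the comma-separated-decimal form the PR calls weak, and a double-submit check that applies the safe comparison to both the cookie MAC and the token match. The names validateDoubleSubmit and validateSignedDoubleSubmit echo the commit message; their bodies here, the "<token>.<hmac>" cookie layout, signToken, safeEqual and weakSecret are all assumptions for illustration and not the project's implementation.

```typescript
import { createHash, createHmac, randomBytes, timingSafeEqual } from "node:crypto";

// Weak default, constructed to mirror the "before" the PR describes:
// Array.prototype.toString joins the bytes as "17,203,4,...". The value
// still carries randomness, but it is not a recognised encoding and its
// length varies, so nothing downstream can tell it from a misconfiguration.
export function weakSecret(byteLength = 32): string {
  return Array.from(randomBytes(byteLength)).toString();
}

// Fixed form: raw random bytes, base64-encoded. 32 bytes = 256 bits of
// entropy and always 44 characters.
export function generateSecureSecret(byteLength = 32): string {
  return randomBytes(byteLength).toString("base64");
}

// Vulnerable comparison: === / !== on strings may return as soon as the
// first differing character is found, so response time correlates with how
// many leading characters of an attacker's guess were right.
export function unsafeEqual(a: string, b: string): boolean {
  return a === b;
}

// Constant-time comparison that never throws. crypto.timingSafeEqual only
// accepts equal-length buffers, so both inputs are first reduced to
// fixed-size SHA-256 digests; a length mismatch then yields false instead of
// a TypeError that would surface as a 500 on the validation path.
export function safeEqual(a: string, b: string): boolean {
  const da = createHash("sha256").update(a, "utf8").digest();
  const db = createHash("sha256").update(b, "utf8").digest();
  return timingSafeEqual(da, db);
}

export function generateToken(): string {
  return randomBytes(32).toString("base64url");
}

// Plain double-submit: the cookie token must equal the submitted token.
export function validateDoubleSubmit(
  cookieToken: string | undefined,
  submittedToken: string | undefined,
): boolean {
  if (!cookieToken || !submittedToken) return false;
  return safeEqual(cookieToken, submittedToken);
}

// Signed double-submit (assumed layout "<token>.<hmac>"): the server MACs
// the token it sets in the cookie, so an attacker who can plant cookies
// (e.g. from a sibling subdomain) cannot forge a matching pair.
export function signToken(token: string, secret: string): string {
  const mac = createHmac("sha256", secret).update(token).digest("base64url");
  return `${token}.${mac}`;
}

export function validateSignedDoubleSubmit(
  cookieValue: string | undefined,
  submittedToken: string | undefined,
  secret: string,
): boolean {
  if (!cookieValue || !submittedToken) return false;
  const dot = cookieValue.lastIndexOf(".");
  if (dot < 0) return false;
  const token = cookieValue.slice(0, dot);
  const mac = cookieValue.slice(dot + 1);
  const expected = createHmac("sha256", secret).update(token).digest("base64url");
  // Run both checks before combining them so the integrity outcome does not
  // change how long the token comparison takes.
  const cookieIntact = safeEqual(mac, expected);
  const tokenMatches = safeEqual(token, submittedToken);
  return cookieIntact && tokenMatches;
}
```

Hashing both sides before timingSafeEqual is the usual way to get a non-throwing constant-time string compare in Node; the alternative of returning false early when lengths differ is also acceptable for fixed-size tokens, since their length is public, but it is easy to forget on the second and third call sites, which is exactly where this PR found its extra two instances.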

…dencies

Fix three critical timing attack vulnerabilities in CSRF token validation that could allow attackers to reconstruct valid tokens through timing analysis. Replace non-constant-time string comparisons with timingSafeEqual() to prevent timing side-channel attacks.

Additionally, fix weak default secret generation and update all vulnerable dependencies to their patched versions.

Security Fixes:
  • Fix timing attack in validateDoubleSubmit token comparison
  • Fix timing attack in validateSignedDoubleSubmit cookie integrity check
  • Fix timing attack in validateSignedDoubleSubmit token matching
  • Fix weak secret generation using proper base64 encoding instead of comma-separated decimals

Dependency Updates:
  • Update qs to >=6.14.1 via pnpm override (fixes CVE-2025-15284 - DoS vulnerability)
  • Update tsdown to 0.20.1 (fixes CVE-2026-24001 in diff dependency)
  • Update @changesets/cli to 2.29.8 (fixes js-yaml vulnerability)
  • Update next to 15.4.10+ (fixes multiple CVEs: 1112593, 1112638, 1112649)
  • Update @biomejs/biome to 2.3.13
  • Update @types/node to 25.1.0
  • Update vitest and related packages to 4.0.18
  • Update typescript to 5.9.3
  • Update jsdom to 27.4.0
@coderabbitai (Contributor) coderabbitai bot commented Feb 1, 2026


Walkthrough

Hark: CSRF validation comparisons were hardened to constant-time operations, secret generation now uses a secure helper, and multiple dependencies (including qs, diff, js-yaml, next, tooling) were upgraded; package entrypoints for the core package moved to MJS formats.

Changes

Cohort | File(s) | Summary
Changelog | .changeset/critical-security-fixes.md | Adds a changelog entry describing timing-attack mitigations, stronger secret generation, and dependency security updates.
Core security & logic | packages/core/src/validation.ts, packages/core/src/constants.ts | Replaces direct string equality checks with timingSafeEqual for CSRF token verification; swaps weak secret generation for generateSecureSecret().
Core package metadata | packages/core/package.json | Changes main/types/exports/module to MJS outputs (.mjs, .d.mts) and bumps tsdown devDependency.
Root tooling & overrides | package.json | Bumps dev tooling (biome, vitest, typescript, jsdom, @types/node), adds qs pnpm override (>=6.14.1), updates tsdown and related deps.
Examples & framework packages | examples/express-app/package.json, packages/nextjs/package.json, packages/express/package.json | Updates example express version; bumps next (incl. peer range) and tsdown in nextjs; updates tsdown in express package.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • raulcrisan

Poem

"A flicker of code in shadowed night,
Tokens kept true by constant-time light;
Secrets reborn with entropy's song,
Dependencies mended, stout and strong;
Go forth, brave repo — endure and long."

🚥 Pre-merge checks | ✅ 1 | ❌ 2
❌ Failed checks (1 warning, 1 inconclusive)
Check name | Status | Explanation | Resolution
Docstring Coverage | ⚠️ Warning | Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check | ❓ Inconclusive | The title 'Fix/vulnerabilities' is vague and generic, using non-descriptive terminology that fails to convey meaningful information about the specific changes made. | Consider a more descriptive title such as 'Fix timing-attack vulnerabilities in CSRF token validation and update dependencies' to clearly summarize the main changes.
✅ Passed checks (1 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

In @.changeset/critical-security-fixes.md:
- Line 32: The CVE identifiers in the changeset entry ("1112593, 1112638, 1112649") are missing the standard CVE prefix and year; update the line containing "**next** (CVEs: 1112593, 1112638, 1112649): Updated to 15.4.10+ - fixes multiple security issues" to use full CVE notation (e.g., CVE-YYYY-NNNNN) for each identifier, ensuring the correct year is applied and the format matches "CVE-YYYY-NNNNN" so the references are traceable.

In `@package.json`:
- Line 41: The package.json dependency "@types/node": "^25.1.0" is pinned to Node 25 typings which will mismatch the project's engine (Node >=18.0.0); update the dependency to a version that aligns with the supported Node range (for example change "@types/node" to "^22.0.0" or to a version that matches your minimum engine) so type definitions reflect the actual runtimes developers will use and avoid type/runtime divergence.
🧹 Nitpick comments (1)
.changeset/critical-security-fixes.md (1)

46-46: A whisper from the static analysis oracle.

The phrase "high severity" might benefit from a hyphen when used as a compound adjective: "high-severity vulnerabilities." A small matter, yet precision in language mirrors precision in code.

📜 Suggested refinement
-- ✅ Zero high severity vulnerabilities
+- ✅ Zero high-severity vulnerabilities

…equirement

  • Update Next.js changeset entry to use proper CVE-YYYY-NNNNN format (CVE-2025-59471, CVE-2025-59472, CVE-2026-23864)
  • Downgrade @types/node from ^25.1.0 to ^20.0.0 to match Node >=18.0.0 engine requirement
  • Resolves peer dependency warnings and prevents type/runtime divergence

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

In @.changeset/critical-security-fixes.md:
- Line 7: Replace the bolded prose line "**SECURITY FIXES: Critical timing attack vulnerabilities and dependency updates**" with a proper Markdown heading (remove the surrounding ** markers and prepend an appropriate heading marker like "# " or "## "), e.g. "## SECURITY FIXES: Critical timing attack vulnerabilities and dependency updates", so the title is a real heading rather than emphasized text to satisfy MD036; target the exact string "**SECURITY FIXES: Critical timing attack vulnerabilities and dependency updates**" in the .changeset/critical-security-fixes.md file.
- Around line 36-38: The changelog entry for "@types/node" in .changeset/critical-security-fixes.md conflicts with package.json: the changelog lists 25.1.0 while package.json has ^20.0.0; reconcile by either (A) updating the changelog line to match package.json (change "Updated `@types/node` to 25.1.0" → "Updated `@types/node` to ^20.0.0") or (B) bumping the dependency in package.json to 25.1.0 and then regenerate the lockfile (npm/yarn/pnpm install) so package.json, lockfile, and the changelog all agree; make sure the unique token "@types/node" is the one updated and confirm consistency across .changeset/critical-security-fixes.md, package.json, and the lockfile.
- Around line 45-47: Update the three checklist lines so they clearly state the post-upgrade status: replace "✅ Zero critical vulnerabilities" with "✅ Zero critical vulnerabilities remaining", change "✅ Zero high severity vulnerabilities" to "✅ Zero high-severity vulnerabilities remaining" (hyphenating "high-severity"), and replace "✅ Zero known CVEs (verified via pnpm audit)" with "✅ No remaining known CVEs after upgrade (verified via pnpm audit)"; keep the verification note and emoji formatting intact.

muneebs and others added 3 commits February 1, 2026 03:40
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Signed-off-by: Muneeb Samuels <muneebs@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Signed-off-by: Muneeb Samuels <muneebs@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Signed-off-by: Muneeb Samuels <muneebs@users.noreply.github.com>
@muneebs muneebs merged commit 6b591f6 into main Feb 1, 2026
5 checks passed
