chore(deps): bump vulnerable transitive deps to patch GHSA advisories#1106
Merged
Resolves the remaining Dependabot/Dependency-Review security alerts.

- pnpm.overrides (root): esbuild>=0.28.1 (kills lingering 0.25.12 transitive), shell-quote 1.8.4 (GHSA-w7jw-789q-3m8p), qs 6.15.2 (GHSA-q8mj-m7cp-5q26)
- pnpm.overrides (docs): esbuild>=0.28.1 (GHSA-gv7w-rqvm-qjhr, GHSA-g7r4-m6w7-qqqr)
- Bump hono floor to ^4.12.25 (GHSA-88fw-hqm2-52qc, CORS)
- Bump @mastra/client-js to ^1.24.0

@ai-sdk/provider-utils (GHSA-866g-f22w-33x8, low/dev-only) has no upstream patch and is dismissed separately on GitHub.
This was referenced Jun 23, 2026

Summary

Resolves the open Dependabot security alerts for getsentry/cli. `gh security-advisories` was empty; Dependabot had 7 open alerts (plus 1 already-fixed astro alert). This PR fixes 6 of them via dependency updates; the 7th has no upstream patch and is dismissed separately.

Alerts fixed

NPM_CONFIG_REGISTRY)

Changes

- package.json: bump direct esbuild to ^0.28.1 (used by script/build.ts, script/bundle.ts, script/text-import-plugin.ts); add pnpm.overrides pinning the vulnerable transitive ranges of esbuild, shell-quote, and qs to patched versions; bump @mastra/client-js to ^1.24.0.
- docs/package.json (standalone, non-workspace pnpm project): add pnpm.overrides for esbuild (covers alerts #6 and #7).
- pnpm-lock.yaml files.
- pnpm.overrides lives under the pnpm key, so check:deps (no root dependencies) still passes.

Not in this PR

- @ai-sdk/provider-utils, CVE-2026-8769, Low): no patched version exists upstream (first_patched_version: null). Max stable 3.x (3.0.26) is still within the affected range <=3.0.97, and only the 4.x major escapes it — but that would break the v5 consumers (@ai-sdk/ui-utils pins 2.2.8). Bumping @mastra/client-js does not remove the vulnerable instances. Dev-only/inconclusive transitive dep. Dismissed on GitHub as tolerable_risk pending an upstream fix.
- main (resolved to astro 6.3.7 ≥ 6.1.6).

Verification

- pnpm run check:deps ✓
- pnpm run typecheck ✓
- pnpm run build ✓ (esbuild 0.28.1 bundle + Node SEA binary)
- esbuild/shell-quote/qs versions remain in either lockfile.
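As an added illustration of the lockfile verification step in the PR description (this is example code, not code from this PR or from the getsentry/cli project): a small Node script that scans a pnpm-lock.yaml for resolved versions of esbuild, shell-quote and qs below the patched floors the PR pins through pnpm.overrides, so the "no vulnerable versions remain in either lockfile" check can be repeated in CI rather than by eye. It assumes the lockfileVersion 9 layout, where each resolved package appears as a `name@version:` key under the top-level `packages:` section (scoped names are quoted); the lockfile excerpt embedded below is constructed for the example.

```javascript
// Added example, not part of the PR: flag lockfile entries below patched floors.
// Assumption: pnpm lockfileVersion 9 layout (`name@version:` keys under `packages:`).

// Patched floors taken from the PR description (pnpm.overrides targets).
const PATCHED_FLOORS = {
  'esbuild': '0.28.1',
  'shell-quote': '1.8.4',
  'qs': '6.15.2',
};

// Parse "x.y.z" into numeric components; a pre-release suffix is ignored here.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Numeric semver compare: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Collect {name, version} pairs from the `packages:` section of a lockfile.
// Only two-space-indented keys are package entries; deeper lines are metadata.
function lockfilePackages(lockText) {
  const seen = new Map();
  let inPackages = false;
  for (const line of lockText.split('\n')) {
    if (/^packages:\s*$/.test(line)) { inPackages = true; continue; }
    if (/^\S/.test(line)) { inPackages = false; continue; } // another top-level key
    if (!inPackages) continue;
    // `  esbuild@0.25.12:` or `  '@scope/pkg@1.0.0':`; a peer suffix like
    // `(react@18.0.0)` after the version is tolerated and dropped.
    const m = /^  '?((?:@[^/\s']+\/)?[^@\s']+)@([^:'\s(]+)(?:\([^)]*\))?'?:\s*$/.exec(line);
    if (m) seen.set(`${m[1]}@${m[2]}`, { name: m[1], version: m[2] });
  }
  return [...seen.values()];
}

// Return human-readable findings for every tracked package below its floor.
function findVulnerable(lockText, floors = PATCHED_FLOORS) {
  const tracked = (name) => Object.prototype.hasOwnProperty.call(floors, name);
  return lockfilePackages(lockText)
    .filter((p) => tracked(p.name) && compareVersions(p.version, floors[p.name]) < 0)
    .map((p) => `${p.name}@${p.version} < ${floors[p.name]}`);
}

// Constructed sample lockfile excerpt (not taken from the repository): one
// lingering esbuild 0.25.12 and a shell-quote one patch behind the floor.
const SAMPLE_LOCK = `lockfileVersion: '9.0'

packages:

  '@esbuild/linux-x64@0.25.12':
    resolution: {integrity: sha512-PLACEHOLDER}

  esbuild@0.25.12:
    resolution: {integrity: sha512-PLACEHOLDER}

  esbuild@0.28.1:
    resolution: {integrity: sha512-PLACEHOLDER}

  qs@6.15.2:
    resolution: {integrity: sha512-PLACEHOLDER}

  shell-quote@1.8.3:
    resolution: {integrity: sha512-PLACEHOLDER}

snapshots:

  esbuild@0.25.12: {}
`;

// Stand-alone run: prints the findings for the constructed sample.
console.log(findVulnerable(SAMPLE_LOCK));
```

In CI the same function would be fed `fs.readFileSync('pnpm-lock.yaml', 'utf8')` for both the root and docs lockfiles, and a non-empty result would fail the job; the scoped `@esbuild/*` platform packages are deliberately not tracked here because the PR's floors apply to the `esbuild` package itself.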