Skip to content

security: remediate 23 Dependabot alerts on default branch (1 high, 18 moderate, 4 low) #1353

Description

@AndriiPasternak31

Summary

23 open Dependabot alerts on the default branch (1 high · 18 moderate · 4 low), all npm. They surface on every push as the "GitHub found 23 vulnerabilities" banner. All are transitive/direct npm deps across three lockfiles; 6 version bumps clear 22 of 23 — one low DOMPurify advisory has no upstream patch yet.

Snapshot taken 2026-06-26 via gh api /repos/Abilityai/trinity/dependabot/alerts. Re-run before starting in case Dependabot has opened auto-bump PRs.

Remediation (grouped by lockfile)

src/frontend/package-lock.json — 18 alerts

Package Current Bump to Clears
dompurify < 3.4.11 3.4.11 15 alerts (1 HIGH-adjacent XSS-sanitizer staleness; CVE-2026-41238/41239/41240, 0540, 49458/49459/49978, + GHSA cluster)
vite ≤ 6.4.2 6.4.3 CVE-2026-53571 (HIGHserver.fs.deny bypass on Windows alt paths) + CVE-2026-53632 (MEDIUM)

DOMPurify is the runtime XSS sanitizer behind utils/markdown.js (H-005) — the most security-relevant of the set, even though each individual advisory is rated moderate/low.

GHSA-x4vx-rjvf-j5p4 (dompurify, LOW) has no patched version — cannot be resolved by a bump. Monitor upstream; acceptable to leave open with a note.

package-lock.json (repo root) — 3 alerts

Package Current Bump to Clears
@hono/node-server < 1.19.13 1.19.13 CVE-2026-39406 (MEDIUM)
ip-address ≤ 10.1.0 10.1.1 CVE-2026-42338 (MEDIUM)
qs 6.11.1–6.15.1 6.15.2 CVE-2026-8723 (MEDIUM)

src/mcp-server/package-lock.json — 2 alerts

Package Current Bump to Clears
qs 6.11.1–6.15.1 6.15.2 CVE-2026-8723 (MEDIUM)
esbuild 0.27.3–0.28.0 0.28.1 GHSA-g7r4-m6w7-qqqr (LOW, dev/build-time)

Notes on severity

  • The lone HIGH (vite CVE-2026-53571) is a dev-server fs.deny bypass — prod serves the frontend as static assets via nginxinc/nginx-unprivileged, so it is not prod-exploitable. Set priority accordingly (filed P2).
  • vite/esbuild are build-time only; qs/ip-address/@hono/node-server are server-side deps; dompurify is the only runtime browser-facing one.

Acceptance criteria

  • src/frontend, root, and src/mcp-server lockfiles bumped per the tables above (npm audit fix / targeted npm install <pkg>@<ver> + lockfile refresh)
  • npm audit clean in all three manifests except the unpatched GHSA-x4vx-rjvf-j5p4 (documented exception)
  • Frontend e2e (frontend-e2e.yml) green after the DOMPurify/vite bumps (markdown render + dev-server start are the at-risk surfaces)
  • Dependabot alert count drops to ≤ 1 (the unpatched low)

Ownership

Spans frontend (Korin — DOMPurify/vite) and security (Sazonenka — triage/sign-off) zones; not Agent Server. Filed as triage/tracking — unassigned. Consider letting Dependabot raise the grouped bump PRs and reviewing those rather than hand-editing lockfiles.

Generated from a Dependabot snapshot on 2026-06-26.

Metadata

Metadata

Assignees

Labels

complexity-lowComplexity: low (board points 1-3)dependenciesPull requests that update a dependencypriority-p2ImportantsecuritySecurity vulnerabilityseverity-highHigh severity security findingstatus-in-devMerged to dev, awaiting release cut to maintheme-securityTheme: Securitytype-bugBug fix

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions