chore(deps): clear 4 more advisories (shell-quote, form-data, hono, yaml) #130

harry-harish wants to merge 1 commit into
…aml)

Follow-up to the Scorecard vuln sweep (#129). OSV flagged four advisories after the initial 12 — all patch-level forward-pins via pnpm.overrides:

- shell-quote 1.7.3 -> 1.8.4 (GHSA-w7jw-789q-3m8p, critical) — dev/build, via wxt -> @wxt-dev/module-react
- form-data 4.0.5 -> 4.0.6 (GHSA-hmw2-7cc7-3qxx, high) — common transitive
- hono 4.12.23 -> 4.12.27 (GHSA-88fw-hqm2-52qc, GHSA-wgpf-jwqj-8h8p) — the one runtime case, via @modelcontextprotocol/sdk in peek-mcp (same-minor patch)
- yaml 2.7.1 -> 2.9.0 (GHSA-48c2-rrv3-qjmp) — only the stale volar-service-yaml copy under @astrojs/check

Verified: pnpm audit confirms the four cleared; pnpm build green; peek-mcp tests pass (296) under hono 4.12.27; no new test failures.

undici (@wdio peer transitives) and uuid (an 8->11 major under WXT) are left for a deliberate bump.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: harry-harish <harry652k15@gmail.com>
Closing as redundant: `main` already shipped these via Phase 4b (2026-06-27) — shell-quote 1.8.4, form-data 4.0.6, hono 4.12.25, yaml 2.9.0 are all present in the current overrides block. Discovered after rebasing onto current main (this branch was built from a ~10-commit-stale main). The astro 6 / vitest 3 / js-yaml work is being rebuilt onto current main in #129.
## What

Follow-up to #129. After the initial 12 Scorecard advisories were cleared, OSV flagged four more (newer advisories — their patch releases postdate the original Scorecard scan). All four are cleared here with patch-level forward-pins via `pnpm.overrides`.

## The four

| Advisory | Package | Reached via |
|---|---|---|
| GHSA-w7jw-789q-3m8p | shell-quote | @wxt-dev/module-react |
| GHSA-hmw2-7cc7-3qxx | form-data | |
| GHSA-88fw-hqm2-52qc + GHSA-wgpf-jwqj-8h8p | hono | @modelcontextprotocol/sdk → peek-mcp |
| GHSA-48c2-rrv3-qjmp | yaml | @astrojs/check → volar-service-yaml (only the stale 2.7.1 copy) |

## Verification

- `pnpm audit` confirms all four cleared.
- `pnpm build` green across all packages.
- `pnpm test` shows no new failures (only the pre-existing Windows-only `tracelane-cli/detect`).

## Deliberately deferred

- undici (GHSA-vxpw-j846-p89q et al.) — deep `@wdio/*` peer transitives; provided by the consumer's WebdriverIO install, so it's dev/test-only and a separate bump.
- uuid (GHSA-w5hq-g745-h8pq) — fix requires 8 → 11, a major (ESM-only) jump under WXT that risks breaking the extension build. Needs a deliberate migration.

🤖 Generated with Claude Code
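For readers unfamiliar with the mechanism the PR relies on, here is what a `pnpm.overrides` block carrying these four forward-pins looks like in a workspace-root `package.json`. This is an added illustration, not the repository's actual manifest or the PR's diff: the `name` field is a placeholder, and the scoped `volar-service-yaml>yaml` selector (pnpm's `parent>child` override syntax) is an assumption about how one would limit the yaml pin to the single stale copy the PR describes, rather than something the PR is known to have done.

```json
{
  "name": "example-workspace-root",
  "private": true,
  "pnpm": {
    "overrides": {
      "shell-quote": "1.8.4",
      "form-data": "4.0.6",
      "hono": "4.12.27",
      "volar-service-yaml>yaml": "2.9.0"
    }
  }
}
```

Overrides only take effect once the lockfile is re-resolved, so the check is `pnpm install` followed by `pnpm audit`, which is exactly the verification step listed above; `pnpm why <package>` shows the dependency chain through which each pinned copy is reached, so you can confirm the pin landed on the transitive the advisory actually names (e.g. the hono copy under `@modelcontextprotocol/sdk`) and not on an unrelated one. The trade-off of an unscoped override is that it rewrites every copy of the package in the graph, which is why the PR calls out the hono bump as the one runtime case and kept it to a same-minor patch.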