
chore(deps): clear 4 more advisories (shell-quote, form-data, hono, yaml)#130

Closed
harry-harish wants to merge 1 commit into
chore/scorecard-vuln-remediationfrom
chore/scorecard-vuln-followup
Closed

Conversation

@harry-harish

Member

What

Follow-up to #129. After the initial 12 Scorecard advisories were cleared, OSV flagged four more (newer advisories — their patch releases postdate the original Scorecard scan). All four are cleared here with patch-level forward-pins via pnpm.overrides.

⚠️ Stacked on #129 — base branch is chore/scorecard-vuln-remediation. Retarget to main once #129 merges.

The four

| Advisory | Package | Sev | Bump | Source | Ships? |
|---|---|---|---|---|---|
| GHSA-w7jw-789q-3m8p | shell-quote | 🔴 crit | 1.7.3 → 1.9.0 | wxt → @wxt-dev/module-react | dev/build |
| GHSA-hmw2-7cc7-3qxx | form-data | 🟠 high | 4.0.5 → 4.0.6 | common transitive | mostly dev |
| GHSA-88fw-hqm2-52qc + GHSA-wgpf-jwqj-8h8p | hono | 🟠 high | 4.12.23 → 4.12.27 | @modelcontextprotocol/sdk in peek-mcp | runtime (same-minor patch) |
| GHSA-48c2-rrv3-qjmp | yaml | 🟡 mod | 2.7.1 → 2.9.0 | @astrojs/check → volar-service-yaml (only the stale 2.7.1 copy) | dev |

Verification

  • pnpm audit confirms all four cleared.
  • pnpm build green across all packages.
  • peek-mcp tests pass (296) under hono 4.12.27 — the one runtime-facing bump.
  • pnpm test shows no new failures (only the pre-existing Windows-only tracelane-cli/detect).

Deliberately deferred

  • undici (GHSA-vxpw-j846-p89q et al.) — deep @wdio/* peer transitives; provided by the consumer's WebdriverIO install, so it's dev/test-only and a separate bump.
  • uuid (GHSA-w5hq-g745-h8pq) — fix requires 8 → 11, a major (ESM-only) jump under WXT that risks breaking the extension build. Needs a deliberate migration.

🤖 Generated with Claude Code

…aml)

Follow-up to the Scorecard vuln sweep (#129). OSV flagged four advisories
after the initial 12 — all patch-level forward-pins via pnpm.overrides:

- shell-quote 1.7.3 -> 1.8.4  (GHSA-w7jw-789q-3m8p, critical) — dev/build,
  via wxt -> @wxt-dev/module-react
- form-data 4.0.5 -> 4.0.6    (GHSA-hmw2-7cc7-3qxx, high) — common transitive
- hono 4.12.23 -> 4.12.27     (GHSA-88fw-hqm2-52qc, GHSA-wgpf-jwqj-8h8p) —
  the one runtime case, via @modelcontextprotocol/sdk in peek-mcp (same-minor patch)
- yaml 2.7.1 -> 2.9.0         (GHSA-48c2-rrv3-qjmp) — only the stale
  volar-service-yaml copy under @astrojs/check

Verified: pnpm audit confirms the four cleared; pnpm build green;
peek-mcp tests pass (296) under hono 4.12.27; no new test failures.

undici (@wdio peer transitives) and uuid (an 8->11 major under WXT) are
left for a deliberate bump.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: harry-harish <harry652k15@gmail.com>
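A check worth running after a sweep like this, added here as an example and not code from the PR or the repository: a floor in pnpm.overrides only clears an advisory if every copy of the package that pnpm resolved is at or above it, so this scans the `packages:` section of a pnpm-lock.yaml and lists any copy below the floor. The yaml row above is exactly that situation (one stale 2.7.1 copy beside a current one). The lockfile excerpt and the floors are constructed for the example; the floors follow the commit message's bump targets, and the key format assumes lockfileVersion 9 (`name@version(peers)`), with the older leading `/` also accepted.

```python
"""Check that pnpm.overrides forward-pins took effect in pnpm-lock.yaml.

Added example, not code from this PR or the repository. A floor in
pnpm.overrides only clears an advisory if every copy of the package that
pnpm resolved is at or above it, so this scans the `packages:` section of
the lockfile and reports any copy below the floor. Standard library only
(no pyyaml); the lockfile is read line by line.
"""
import re
import sys
from typing import Dict, List, Set, Tuple

# Version floors, taken from the commit message's bump targets.
FLOORS: Dict[str, str] = {
    "shell-quote": "1.8.4",
    "form-data": "4.0.6",
    "hono": "4.12.27",
    "yaml": "2.9.0",
}

# Constructed lockfile excerpt for the example (lockfileVersion 9 key style);
# it is not the project's real lockfile. `yaml` appears twice on purpose:
# one patched copy and one stale copy, the situation the yaml row describes.
SAMPLE_LOCKFILE = """\
lockfileVersion: '9.0'

overrides:
  shell-quote: '>=1.8.4'
  yaml: '>=2.9.0'

packages:

  '@modelcontextprotocol/sdk@1.2.3':
    resolution: {integrity: sha512-AAAA}

  form-data@4.0.6:
    resolution: {integrity: sha512-BBBB}

  hono@4.12.23(zod@3.25.0):
    resolution: {integrity: sha512-CCCC}

  shell-quote@1.8.4:
    resolution: {integrity: sha512-DDDD}

  yaml@2.7.1:
    resolution: {integrity: sha512-EEEE}

  yaml@2.9.0:
    resolution: {integrity: sha512-FFFF}

snapshots:
  yaml@2.7.1: {}
"""

# A top-level section header (`packages:`, `snapshots:`, ...) at column 0.
SECTION_RE = re.compile(r"^([A-Za-z]+):\s*$")

# A package key under `packages:`: two-space indent, optional quote and the
# older leading `/`, `name@x.y.z[-pre]`, optional peer suffix `(...)`, then `:`.
KEY_RE = re.compile(
    r"^  '?/?(@?[^@'\s]+)@(\d+\.\d+\.\d+(?:-[0-9A-Za-z.\-]+)?)(?:\([^)]*\))*'?:\s*$"
)


def version_key(version: str) -> Tuple[int, int, int, int]:
    """Sortable key for x.y.z[-pre]; a pre-release sorts below its release."""
    core, _, pre = version.partition("-")
    major, minor, patch = (int(part) for part in core.split(".")[:3])
    return (major, minor, patch, 0 if pre else 1)


def resolved_versions(lock_text: str) -> Dict[str, List[str]]:
    """Map package name -> sorted unique versions found under `packages:`."""
    found: Dict[str, Set[str]] = {}
    section = None
    for line in lock_text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if section != "packages":
            continue  # ignore `overrides:`, `snapshots:` and friends
        key = KEY_RE.match(line)
        if key:
            found.setdefault(key.group(1), set()).add(key.group(2))
    return {name: sorted(vs, key=version_key) for name, vs in found.items()}


def find_stale(lock_text: str, floors: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (package, resolved_version, floor) for every copy below its floor."""
    versions = resolved_versions(lock_text)
    stale: List[Tuple[str, str, str]] = []
    for name, floor in sorted(floors.items()):
        for version in versions.get(name, []):
            if version_key(version) < version_key(floor):
                stale.append((name, version, floor))
    return stale


if __name__ == "__main__":
    # Usage: python check_pins.py [path/to/pnpm-lock.yaml]; falls back to the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LOCKFILE
    problems = find_stale(text, FLOORS)
    for name, version, floor in problems:
        print(f"STALE  {name}@{version}  (floor {floor})")
    sys.exit(1 if problems else 0)
```

On the sample it exits non-zero and reports `hono@4.12.23` and the stale `yaml@2.7.1`, while the patched `yaml@2.9.0` beside it is silent, which is the point: a single current copy does not prove the override reached every consumer. This complements `pnpm audit` rather than replacing it; audit speaks to the advisory, this speaks to whether the pin actually took in the lockfile that ships.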
@coderabbitai

coderabbitai Bot commented Jun 30, 2026


Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

🗂️ Base branches to auto review (1)
  • main

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 4eab7783-d7c6-41c4-9e41-412e563d3e95

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


@harry-harish

Member Author

Closing as redundant: `main` already shipped these via Phase 4b (2026-06-27) — shell-quote 1.8.4, form-data 4.0.6, hono 4.12.25, yaml 2.9.0 are all present in the current overrides block. Discovered after rebasing onto current main (this branch was built from a ~10-commit-stale main). The astro 6 / vitest 3 / js-yaml work is being rebuilt onto current main in #129.
