fix: address security vulnerabilities in dependencies by PMerlet · Pull Request #1516 · ForestAdmin/agent-nodejs

PMerlet · 2026-03-30T15:46:23Z

Summary

Bump sequelize to ^6.37.8 across all packages (SQL injection — CVSS 7.5)
Bump @modelcontextprotocol/sdk to ^1.28.0 in mcp-server and ai-proxy (fixes transitive hono, @hono/node-server, express-rate-limit)
Bump typedoc to ^0.28.18 (fixes transitive markdown-it)
Bump forest-cli to 5.3.9 in forest-cloud (ships fixed sequelize)
Re-resolve @aws-sdk/xml-builder to 3.972.16 (ships fixed fast-xml-parser 5.5.8)
Remove 6 stale yarn resolutions now covered by parent package bumps
Clean up remaining resolutions (7 kept, all still necessary)

Vulnerabilities addressed

Package	CVE/GHSA	CVSS	Fix
sequelize	SQL Injection via JSON column cast	7.5	^6.37.8
hono (4 CVEs)	File access, SSE injection, cookie injection, prototype pollution	7.5	>=4.12.7 via SDK bump
@hono/node-server	Auth bypass via encoded slashes	7.5	>=1.19.10 via SDK bump
express-rate-limit	IPv4-mapped IPv6 bypass	7.5	>=8.2.2 via SDK bump
fast-xml-parser (2 CVEs)	Entity expansion DoS	7.5	5.5.8 via xml-builder bump
markdown-it	Vulnerability fix	-	>=14.1.1 via typedoc bump

Test plan

CI passes (no breaking changes — all bumps are semver-compatible)
Verify GitHub security alerts are cleared after merge

🤖 Generated with Claude Code

Note

Fix security vulnerabilities by updating dependencies across packages

Bumps sequelize to ^6.37.8 across all packages that depend on it (agent, datasource-sequelize, datasource-sql, datasource-replica, etc.)
Bumps @modelcontextprotocol/sdk to ^1.28.0 in ai-proxy and mcp-server
Updates tar version range to >=7.5.11 and removes version-pinning overrides for hono, markdown-it, and @aws-sdk/xml-builder in the root package.json

^{Macroscope summarized f3472fd.}

- Bump sequelize ^6.37.8 (SQL injection CVE) - Bump @modelcontextprotocol/sdk ^1.28.0 (fixes transitive hono, @hono/node-server, express-rate-limit) - Bump typedoc ^0.28.18 (fixes transitive markdown-it) - Bump forest-cli 5.3.9 (ships fixed sequelize) - Re-resolve @aws-sdk/xml-builder to 3.972.16 (ships fixed fast-xml-parser 5.5.8) - Remove 6 stale resolutions now covered by parent package bumps Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

qltysh · 2026-03-30T15:52:05Z

Coverage Impact

This PR will not change total coverage.

🚦 See full report on Qlty Cloud »

🛟 Help

Diff Coverage: Coverage for added or modified lines of code (excludes deleted files). Learn more.
Total Coverage: Coverage for the whole repository, calculated as the sum of all File Coverage. Learn more.
File Coverage: Covered Lines divided by Covered Lines plus Missed Lines. (Excludes non-executable lines including blank lines and comments.)
- Indirect Changes: Changes to File Coverage for files that were not modified in this PR. Learn more.

## @forestadmin/ai-proxy [1.6.3](https://github.com/ForestAdmin/agent-nodejs/compare/@forestadmin/ai-proxy@1.6.2...@forestadmin/ai-proxy@1.6.3) (2026-03-31) ### Bug Fixes * address security vulnerabilities in dependencies ([#1516](#1516)) ([c52b1e1](c52b1e1))

## @forestadmin/datasource-sequelize [1.13.7](https://github.com/ForestAdmin/agent-nodejs/compare/@forestadmin/datasource-sequelize@1.13.6...@forestadmin/datasource-sequelize@1.13.7) (2026-03-31) ### Bug Fixes * address security vulnerabilities in dependencies ([#1516](#1516)) ([c52b1e1](c52b1e1))

## @forestadmin/datasource-sql [1.17.9](https://github.com/ForestAdmin/agent-nodejs/compare/@forestadmin/datasource-sql@1.17.8...@forestadmin/datasource-sql@1.17.9) (2026-03-31) ### Bug Fixes * address security vulnerabilities in dependencies ([#1516](#1516)) ([c52b1e1](c52b1e1)) ### Dependencies * **@forestadmin/datasource-sequelize:** upgraded to 1.13.7

## @forestadmin/datasource-replica [1.8.6](https://github.com/ForestAdmin/agent-nodejs/compare/@forestadmin/datasource-replica@1.8.5...@forestadmin/datasource-replica@1.8.6) (2026-03-31) ### Bug Fixes * address security vulnerabilities in dependencies ([#1516](#1516)) ([c52b1e1](c52b1e1)) ### Dependencies * **@forestadmin/datasource-sequelize:** upgraded to 1.13.7 * **@forestadmin/datasource-sql:** upgraded to 1.17.9

## @forestadmin/mcp-server [1.8.10](https://github.com/ForestAdmin/agent-nodejs/compare/@forestadmin/mcp-server@1.8.9...@forestadmin/mcp-server@1.8.10) (2026-03-31) ### Bug Fixes * address security vulnerabilities in dependencies ([#1516](#1516)) ([c52b1e1](c52b1e1)) ### Dependencies * **@forestadmin/agent-client:** upgraded to 1.4.15 * **@forestadmin/forestadmin-client:** upgraded to 1.37.19

## @forestadmin/agent [1.75.2](https://github.com/ForestAdmin/agent-nodejs/compare/@forestadmin/agent@1.75.1...@forestadmin/agent@1.75.2) (2026-03-31) ### Bug Fixes * address security vulnerabilities in dependencies ([#1516](#1516)) ([c52b1e1](c52b1e1)) ### Dependencies * **@forestadmin/forestadmin-client:** upgraded to 1.37.19 * **@forestadmin/mcp-server:** upgraded to 1.8.10 * **@forestadmin/datasource-sql:** upgraded to 1.17.9

## @forestadmin/agent-testing [1.0.25](https://github.com/ForestAdmin/agent-nodejs/compare/@forestadmin/agent-testing@1.0.24...@forestadmin/agent-testing@1.0.25) (2026-03-31) ### Bug Fixes * address security vulnerabilities in dependencies ([#1516](#1516)) ([c52b1e1](c52b1e1)) ### Dependencies * **@forestadmin/agent-client:** upgraded to 1.4.15 * **@forestadmin/forestadmin-client:** upgraded to 1.37.19 * **@forestadmin/agent:** upgraded to 1.75.2 * **@forestadmin/datasource-sql:** upgraded to 1.17.9

## @forestadmin/forest-cloud [1.12.100](https://github.com/ForestAdmin/agent-nodejs/compare/@forestadmin/forest-cloud@1.12.99...@forestadmin/forest-cloud@1.12.100) (2026-03-31) ### Bug Fixes * address security vulnerabilities in dependencies ([#1516](#1516)) ([c52b1e1](c52b1e1)) ### Dependencies * **@forestadmin/agent:** upgraded to 1.75.2 * **@forestadmin/datasource-sequelize:** upgraded to 1.13.7 * **@forestadmin/datasource-sql:** upgraded to 1.17.9

DayTF approved these changes Mar 31, 2026

View reviewed changes

PMerlet merged commit c52b1e1 into main Mar 31, 2026
29 checks passed

PMerlet deleted the fix/security-vulnerabilities branch March 31, 2026 13:11

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: address security vulnerabilities in dependencies#1516

fix: address security vulnerabilities in dependencies#1516
PMerlet merged 1 commit intomainfrom
fix/security-vulnerabilities

PMerlet commented Mar 30, 2026 •

edited by macroscopeapp bot

Loading

Uh oh!

qltysh bot commented Mar 30, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

PMerlet commented Mar 30, 2026 • edited by macroscopeapp bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Vulnerabilities addressed

Test plan

Fix security vulnerabilities by updating dependencies across packages

Uh oh!

qltysh bot commented Mar 30, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

PMerlet commented Mar 30, 2026 •

edited by macroscopeapp bot

Loading