chore(security): patch Dependabot alerts (2026-05-21)#1591
Open
PMerlet wants to merge 1 commit into
- Bump mongoose 8.21.0 → 8.22.1 in datasource-mongo, datasource-mongoose, and _example (GHSA, alerts #350-#353).
- Add resolution `**/@modelcontextprotocol/sdk/hono ^4.12.18` to close alerts #354, #355, #359, #360, #361 (no parent bump available; MCP SDK still depends on hono ^4.11.4).
- Add resolution `**/ajv/fast-uri ^3.1.2` to close alerts #357, #358.
- Update existing resolution langsmith from ^0.5.18 to ^0.6.0 to close alert #362.
Coverage Impact: This PR will not change total coverage.

Summary
12 fixed, 1 ignored, 1 deferred, 2 resolutions added, 0 resolutions removed. | label: 🔒 security applied
Fixed
- packages/datasource-mongo/package.json
- packages/datasource-mongoose/package.json
- packages/_example/package.json
- `**/@modelcontextprotocol/sdk/hono` (transitive via MCP SDK)
- `**/ajv/fast-uri` (transitive via ajv)
- langsmith updated from ^0.5.18 to ^0.6.0

Ignored
Address6 HTML-emitting methods) — Vulnerable code path is unreachable from our code. The only chain to a vulnerable ip-address@5.9.4 is @forestadmin/agent → forest-ip-utils@1.0.1 → ip-address ^5.8.9. forest-ip-utils only consumes `new Address6(ipv6).bigInteger()` (for numeric comparison in IP-whitelist matching) and never returns/exposes the vulnerable methods Address6.group(), Address6.link(), or AddressError.parseMessage to callers. Forest Admin uses forest-ip-utils.isIpMatchesRule in packages/agent/src/routes/security/ip-whitelist.ts to validate request IPs server-side — no HTML rendering of any Address6-derived value happens anywhere in the codebase (verified with `grep -rn '\.group(\|\.link(\|parseMessage'` — no hits land on ip-address). forest-ip-utils@1.0.1 is the latest published version and is the only ip-address ^5.x consumer (other ip-address chains already pin to ^10.1.1 via existing resolutions). Forcing ip-address@10.x here would risk breaking forest-ip-utils (its Address6.bigInteger() call was renamed in newer majors of ip-address) for no reachable-vulnerability benefit.

Deferred
Resolutions added
- ^4.12.18 — parent chain @modelcontextprotocol/sdk → hono. Parent bump not viable: even the latest @modelcontextprotocol/sdk@1.29.0 still depends on hono: ^4.11.4, so bumping the parent does not move hono off the vulnerable line. Placed in root package.json as parent-scoped form `**/@modelcontextprotocol/sdk/hono` — the only chain to hono in the tree is via MCP SDK (used by mcp-server and indirectly by ai-proxy via @langchain/mcp-adapters); the scoped key keeps the pin contained to that chain.
- ^3.1.2 — parent chain ajv@^8 → fast-uri. Parent bump not viable: ajv@^8.17.1 (latest 8.x) already accepts fast-uri ^3.x and naturally pulled the vulnerable 3.1.0; no ajv release bumps the lower bound past 3.1.1. Placed in root package.json as parent-scoped form `**/ajv/fast-uri` — the only fast-uri ^3 consumer in the tree is ajv (the fast-uri ^2 chain via fastify@3/fast-json-stringify was not flagged by Dependabot and resolves to 2.3.0, which the advisory's npm-range does not cover).

The existing top-level langsmith pin was edited in place (range bump ^0.5.18 → ^0.6.0), not added — counted as the resolution-update path to fix #362 rather than a new entry.

Resolutions removed
None. All 11 existing entries in the root `resolutions` block were swept; each pinned package is still present in the resolved tree (none stale), and each parent chain still requests a range whose natural resolution would fall back below the pin (e.g. tar: many parents request ^6.x and would re-introduce tar 6.x; qs: body-parser@1.20.3 and express@4.21.2 pin qs 6.13.0 exactly; `**/socks/ip-address` and `**/express-rate-limit/ip-address` still required because the only other ip-address chain — forest-ip-utils — is the ignored alert #349 above). Nothing was redundant.

Risks
- find/findOne/aggregate, hooks). No peer-dep bump.
- @langchain/core@1.1.15 and @langchain/community → @langchain/classic, both of which declare langsmith@>=0.4.0 <1.0.0, so the peer range is satisfied. No Forest Admin code imports langsmith directly. Risk surface: tracing/observability behavior in ai-proxy runtime; covered by CI.

Manual testing
Covered by CI.
Validation
✅ CI green
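The "Resolutions removed" sweep above is a check worth automating: for every entry in a yarn `resolutions` block, confirm the pinned package is still requested somewhere in the tree (not stale) and that at least one matching requester's range could otherwise fall back below the pin (not redundant). The script below is an added example, not Forest Admin's own tooling. The dependency edges and the resolutions map are constructed inline to mirror the chains the PR text mentions (hono under the MCP SDK, fast-uri under ajv, qs under body-parser/express, ip-address under socks versus forest-ip-utils); entries named `hypothetical-*`, `left-pad` and `lodash` are invented to exercise the redundant and stale branches. Parent-scoped keys of the form `**/parent/pkg` are parsed so the pin only matches the edge from that parent, which is what keeps the socks pin from touching the forest-ip-utils chain.

```javascript
// Added example (not Forest Admin's tooling): audit a yarn "resolutions" block the
// way the PR's sweep describes. EDGES and RESOLUTIONS are constructed for the demo
// and only mirror chains the PR mentions; they are not read from a lockfile.
// Entries named "hypothetical-*", "left-pad" and "lodash" are invented.

// One edge per "dependent requests dependency@range" relation in the tree.
const EDGES = [
  { from: "@modelcontextprotocol/sdk", to: "hono", range: "^4.11.4" },
  { from: "ajv", to: "fast-uri", range: "^3.0.1" },
  { from: "body-parser", to: "qs", range: "6.13.0" },
  { from: "express", to: "qs", range: "6.13.0" },
  { from: "hypothetical-build-tool", to: "tar", range: "^6.x" },
  { from: "socks", to: "ip-address", range: "^9.0.5" },
  { from: "forest-ip-utils", to: "ip-address", range: "^5.8.9" }, // outside the socks-scoped pin
  { from: "hypothetical-lib", to: "left-pad", range: "^1.3.0" },
];

// The "resolutions" block under audit (root package.json of a yarn workspace).
const RESOLUTIONS = {
  "**/@modelcontextprotocol/sdk/hono": "^4.12.18",
  "**/ajv/fast-uri": "^3.1.2",
  qs: "^6.14.0",
  tar: "^7.0.0",
  "**/socks/ip-address": "^10.1.1",
  "left-pad": "^1.3.0", // hypothetical: every requester already accepts this floor
  lodash: "^4.17.21",   // hypothetical: nothing in the tree requests lodash
};

// Lowest version a range admits, as [major, minor, patch]. Supports exact versions,
// ^, ~, >= and x-wildcards (single-comparator forms). Anything else throws so the
// audit fails loudly instead of silently treating a pin as needed.
function rangeFloor(range) {
  const m = /^(?:\^|~|>=|=)?\s*v?(\d+)(?:\.(\d+|x|\*))?(?:\.(\d+|x|\*))?$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range syntax: ${range}`);
  return m.slice(1).map((p) => (p === undefined || p === "x" || p === "*" ? 0 : Number(p)));
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// "pkg", "@scope/pkg", "**/parent/pkg" or "**/@scope/parent/pkg" -> { parent, dep }.
// Scoped names occupy two path segments, so peel from the end and re-join "@scope".
function parseResolutionKey(key) {
  const segs = key.replace(/^\*\*\//, "").split("/");
  let dep = segs.pop();
  if (segs.length && segs[segs.length - 1].startsWith("@")) dep = `${segs.pop()}/${dep}`;
  let parent = null;
  if (segs.length) {
    parent = segs.pop();
    if (segs.length && segs[segs.length - 1].startsWith("@")) parent = `${segs.pop()}/${parent}`;
  }
  if (segs.length) throw new Error(`unsupported resolution key: ${key}`);
  return { parent, dep };
}

// For each pin: "stale" if no edge requests the package (under that parent, if scoped),
// "redundant" if every matching requester's floor is already at or above the pin's
// floor, otherwise "needed" with the requesters that could fall back below the pin.
// This compares range floors only; it does not query the registry for what would
// actually resolve today.
function auditResolutions(resolutions, edges) {
  const report = {};
  for (const [key, pin] of Object.entries(resolutions)) {
    const { parent, dep } = parseResolutionKey(key);
    const pinFloor = rangeFloor(pin);
    const matching = edges.filter((e) => e.to === dep && (parent === null || e.from === parent));
    if (matching.length === 0) {
      report[key] = { status: "stale", reasons: [] };
      continue;
    }
    const reasons = matching
      .filter((e) => compareVersions(rangeFloor(e.range), pinFloor) < 0)
      .map((e) => `${e.from} requests ${e.range}`);
    report[key] = { status: reasons.length ? "needed" : "redundant", reasons };
  }
  return report;
}

for (const [key, r] of Object.entries(auditResolutions(RESOLUTIONS, EDGES))) {
  const why = r.reasons.length ? `  <- ${r.reasons.join("; ")}` : "";
  console.log(`${r.status.padEnd(9)} ${key}${why}`);
}
```

Against a real tree, EDGES would be populated from the lockfile rather than written by hand; the classification logic is the same. Note that the scoped socks pin reports only the `socks` edge as its reason even though forest-ip-utils also requests ip-address, which is exactly the containment the PR relies on when it leaves the forest-ip-utils chain on 5.x.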
Note
Patch Dependabot security alerts by bumping langsmith, mongoose, and resolution overrides
- langsmith from ^0.5.18 to ^0.6.0 in the root package.json.
- `**/@modelcontextprotocol/sdk/hono` (^4.12.18) and `**/ajv/fast-uri` (^3.1.2) to force secure transitive dependency versions.
- mongoose from 8.21.0 to 8.22.1 across the mongo and mongoose datasource packages and the example package.

Macroscope summarized a38351b.
langsmithfrom^0.5.18to^0.6.0in the root package.json.**/@modelcontextprotocol/sdk/hono(^4.12.18) and**/ajv/fast-uri(^3.1.2) to force secure transitive dependency versions.mongoosefrom8.21.0to8.22.1across the mongo and mongoose datasource packages and the example package.Macroscope summarized a38351b.