From a38351b402c0798d6a7190b9df4aa0b1bf821d36 Mon Sep 17 00:00:00 2001
From: Claude
Date: Thu, 21 May 2026 11:13:12 +0000
Subject: [PATCH] chore(security): patch 12 Dependabot alerts
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Bump mongoose 8.21.0 → 8.22.1 in datasource-mongo, datasource-mongoose, and _example (GHSA, alerts #350-#353).
- Add resolution **/@modelcontextprotocol/sdk/hono ^4.12.18 to close alerts #354, #355, #359, #360, #361 (no parent bump available; MCP SDK still depends on hono ^4.11.4).
- Add resolution **/ajv/fast-uri ^3.1.2 to close alerts #357, #358.
- Update existing resolution langsmith from ^0.5.18 to ^0.6.0 to close alert #362.
---
 package.json | 6 ++--
 packages/_example/package.json | 2 +-
 packages/datasource-mongo/package.json | 2 +-
 packages/datasource-mongoose/package.json | 2 +-
 yarn.lock | 43 +++++++++++------------
 5 files changed, 28 insertions(+), 27 deletions(-)

diff --git a/package.json b/package.json
index b2b79d32d7..f3475f082e 100644
--- a/package.json
+++ b/package.json
@@ -58,11 +58,13 @@
 "semantic-release": "^25.0.0",
 "qs": ">=6.14.1",
 "@hono/node-server": "^1.19.13",
- "langsmith": "^0.5.18",
+ "langsmith": "^0.6.0",
 "lodash": "^4.18.0",
 "**/@langchain/langgraph-sdk/uuid": "^13.0.1",
 "**/socks/ip-address": "^10.1.1",
 "**/express-rate-limit/ip-address": "^10.1.1",
- "**/@aws-sdk/xml-builder/fast-xml-parser": "^5.7.0"
+ "**/@aws-sdk/xml-builder/fast-xml-parser": "^5.7.0",
+ "**/@modelcontextprotocol/sdk/hono": "^4.12.18",
+ "**/ajv/fast-uri": "^3.1.2"
 }
 }
diff --git a/packages/_example/package.json b/packages/_example/package.json
index bfcb9ce9d1..1d495a9609 100644
--- a/packages/_example/package.json
+++ b/packages/_example/package.json
@@ -24,7 +24,7 @@
 "fastify4": "npm:fastify@^4.29.0",
 "koa": "^3.0.1",
 "mariadb": "^3.0.2",
- "mongoose": "8.21.0",
+ "mongoose": "8.22.1",
 "mysql2": "^3.0.1",
 "pg": "^8.8.0",
 "reflect-metadata": "^0.1.13",
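Review bot: The `**/ajv/fast-uri` resolution added at the end of the root package.json hunk only lifts the 3.x line; the yarn.lock context in this same patch still resolves `fast-uri@^2.0.0, fast-uri@^2.1.0` to 2.3.0, so it is worth confirming that the advisories behind alerts #357 and #358 do not also cover the 2.x range before treating them as closed. The `langsmith` entry in the same hunk is unscoped, so `^0.6.0` applies to every dependent; the other requested range shown in yarn.lock is `>=0.4.0 <1.0.0`, which admits it, but a 0.x minor step may carry breaking changes and the suites that exercise that dependent should run before merge. Because package.json cannot hold comments, the reason and removal condition for each override live only in this commit message; a tracked note per override would preserve them, for example `**/@modelcontextprotocol/sdk/hono: remove once the MCP SDK requires hono >= 4.12.18`.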
diff --git a/packages/datasource-mongo/package.json b/packages/datasource-mongo/package.json
index 03219c2720..9e5abdbcc4 100644
--- a/packages/datasource-mongo/package.json
+++ b/packages/datasource-mongo/package.json
@@ -15,7 +15,7 @@
 "@forestadmin/datasource-mongoose": "1.13.4",
 "@forestadmin/datasource-toolkit": "1.53.1",
 "json-stringify-pretty-compact": "^3.0.0",
- "mongoose": "8.21.0",
+ "mongoose": "8.22.1",
 "tunnel-ssh": "^5.2.0"
 },
 "files": [
diff --git a/packages/datasource-mongoose/package.json b/packages/datasource-mongoose/package.json
index a3879ff5ed..b23c09ac93 100644
--- a/packages/datasource-mongoose/package.json
+++ b/packages/datasource-mongoose/package.json
@@ -20,7 +20,7 @@
 "luxon": "^3.2.1"
 },
 "devDependencies": {
- "mongoose": "8.21.0"
+ "mongoose": "8.22.1"
 },
 "peerDependencies": {
 "mongoose": "6.x || 7.x || 8.x"
diff --git a/yarn.lock b/yarn.lock
index fa1768443c..c257c490d8 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -8342,10 +8342,10 @@ fast-uri@^2.0.0, fast-uri@^2.1.0: resolved "https://registry.yarnpkg.com/fast-uri/-/fast-uri-2.3.0.tgz#bdae493942483d299e7285dcb4627767d42e2793" integrity sha512-eel5UKGn369gGEWOqBShmFJWfq/xSJvsgDzgLYC845GneayWvXBf0lJCBn5qTABfewy1ZDPoaR5OZCP+kssfuw== -fast-uri@^3.0.1: - version "3.1.0" - resolved "https://registry.yarnpkg.com/fast-uri/-/fast-uri-3.1.0.tgz#66eecff6c764c0df9b762e62ca7edcfb53b4edfa" - integrity sha512-iPeeDKJSWf4IEOasVVrknXpaBV0IApz/gp7S2bb7Z4Lljbl2MGJRqInZiUrQwV16cpzw/D3S5j5Julj/gT52AA== +fast-uri@^3.0.1, fast-uri@^3.1.2: + version "3.1.2" + resolved "https://registry.yarnpkg.com/fast-uri/-/fast-uri-3.1.2.tgz#8af3d4fc9d3e71b11572cc2673b514a7d1a8c8ec" + integrity sha512-rVjf7ArG3LTk+FS6Yw81V1DLuZl1bRbNrev6Tmd/9RaroeeRRJhAt7jg/6YFxbvAQXUCavSoZhPPj6oOx+5KjQ== fast-xml-builder@^1.2.0: version "1.2.0" 
@@ -9409,10 +9409,10 @@ highlight.js@^10.7.1: resolved "https://registry.yarnpkg.com/highlight.js/-/highlight.js-10.7.3.tgz#697272e3991356e40c3cac566a74eef681756531" integrity sha512-tzcUFauisWKNHaRkN4Wjl/ZA07gENAjFl3J/c480dprkGTg5EQstgaNFqBfUqCq54kZRIEcreTsAgF/m2quD7A== -hono@^4.11.4: - version "4.12.14" - resolved "https://registry.yarnpkg.com/hono/-/hono-4.12.14.tgz#4777c9512b7c84138e4f09e61e3d2fa305eb1414" - integrity sha512-am5zfg3yu6sqn5yjKBNqhnTX7Cv+m00ox+7jbaKkrLMRJ4rAdldd1xPd/JzbBWspqaQv6RSTrgFN95EsfhC+7w== +hono@^4.11.4, hono@^4.12.18: + version "4.12.21" + resolved "https://registry.yarnpkg.com/hono/-/hono-4.12.21.tgz#f11846462095d365b9a8b4859b37c02cb0981df3" + integrity sha512-uV63apnb0kyPtAUwoWgaGh9HyIFcv8lgmzPZSiTBQAFOFGIzka5EZ1dZocmGnn0XdX0+XTqJ6Tqv7selMuGLRQ== hook-std@^4.0.0: version "4.0.0" @@ -11319,13 +11319,12 @@ koa@^3.0.1: type-is "^2.0.1" vary "^1.1.2" -"langsmith@>=0.4.0 <1.0.0", langsmith@^0.5.18: - version "0.5.21" - resolved "https://registry.yarnpkg.com/langsmith/-/langsmith-0.5.21.tgz#2f4cd30dafc22922e423cf0f151ead5f636e76b0" - integrity sha512-l140hzgqo91T/QKDXLEfRnnxahuwVEVohr9zqpy3BaGDeBdrPiJuNJ2TBhPZxNXNCl68IkVcn555FD3jp5peyw== +"langsmith@>=0.4.0 <1.0.0", langsmith@^0.6.0: + version "0.6.3" + resolved "https://registry.yarnpkg.com/langsmith/-/langsmith-0.6.3.tgz#a3d8ad58d66a47d3697e3c69b2be3f6df5233190" + integrity sha512-pXrQ4/4myQvjFFOAUmt5pWRrLEZR20gzIJD7MNdUH+5/S5nLI4ZRBo/SYKC6coaYj9pYTfQdBIzcs+3kfJ5uDA== dependencies: p-queue "6.6.2" - uuid "10.0.0" lerna@^8.2.3: version "8.2.3" 
@@ -12682,10 +12681,10 @@ mongodb@~6.20.0: bson "^6.10.4" mongodb-connection-string-url "^3.0.2" -mongoose@8.21.0: - version "8.21.0" - resolved "https://registry.yarnpkg.com/mongoose/-/mongoose-8.21.0.tgz#e4b940a6b22c2fc176916667766f34656e352906" - integrity sha512-dW2U01gN8EVQT5KAO5AkzjbqWc8A/CsEq15jOzq/M9ISpy8jw3iq7W9ZP135h9zykFOMt3AMxq4+anvt2YNJgw== +mongoose@8.22.1: + version "8.22.1" + resolved "https://registry.yarnpkg.com/mongoose/-/mongoose-8.22.1.tgz#6b873d88b883c9b283e2a3b94cdc541d108ea94a" + integrity sha512-c0bzt7ElI1CwWiyFSgg9bfhlFcblAoPwr+gmDcLCryClyKaeixWhP9KDGnr13kRPE8KPAuUN3ZZ3jSDxSPvoTg== dependencies: bson "^6.10.4" kareem "2.6.3" @@ -17323,11 +17322,6 @@ utils-merge@1.0.1: resolved "https://registry.yarnpkg.com/utils-merge/-/utils-merge-1.0.1.tgz#9f95710f50a267947b2ccc124741c1028427e713" integrity sha512-pMZTvIkT1d+TFGvDOqodOclx0QWkkgi6Tdoa8gC8ffGAAqz9pzPTZWAybbsHHoED/ztMtkv/VoYTYyShUn81hA== -uuid@10.0.0, uuid@^10.0.0: - version "10.0.0" - resolved "https://registry.yarnpkg.com/uuid/-/uuid-10.0.0.tgz#5a95aa454e6e002725c79055fd42aaba30ca6294" - integrity sha512-8XkAphELsDnEGrDxUOHB3RGvXz6TeuYSGEZBOjtTtPm2lwhGBjLgOzLHB63IUWfBpNucQjND6d3AOudO+H3RWQ== - uuid@11.1.1: version "11.1.1" resolved "https://registry.yarnpkg.com/uuid/-/uuid-11.1.1.tgz#f6d81d2e1c65d00762e5e29b16c5d2d995e208ad" @@ -17338,6 +17332,11 @@ uuid@8.0.0: resolved "https://registry.yarnpkg.com/uuid/-/uuid-8.0.0.tgz#bc6ccf91b5ff0ac07bbcdbf1c7c4e150db4dbb6c" integrity sha512-jOXGuXZAWdsTH7eZLtyXMqUb9EcWMGZNbL9YcGBJl4MH4nrxHmZJhEHvyLFrkxo+28uLb/NYRcStH48fnD0Vzw== +uuid@^10.0.0: + version "10.0.0" + resolved "https://registry.yarnpkg.com/uuid/-/uuid-10.0.0.tgz#5a95aa454e6e002725c79055fd42aaba30ca6294" + integrity sha512-8XkAphELsDnEGrDxUOHB3RGvXz6TeuYSGEZBOjtTtPm2lwhGBjLgOzLHB63IUWfBpNucQjND6d3AOudO+H3RWQ== + uuid@^13.0.0, uuid@^13.0.1: version "13.0.2" resolved "https://registry.yarnpkg.com/uuid/-/uuid-13.0.2.tgz#41bc9c07b12f665089c205f6507976adbdf84ff8"