chore(security): patch 23 Dependabot alerts#1734
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
nbouliol
approved these changes
Jul 3, 2026

Summary
23 fixed, 4 ignored, 4 deferred, 11 resolutions added, 4 resolutions removed. | label: 🔒 security applied
Fixed
- **/concurrently/shell-quote (concurrently pins 1.8.3 exact)
- packages/forest-cloud ^17.12.2 → ^17.13.4, + resolution **/forest-cli/joi (forest-cli pins 17.12.2 exact)
- **/tsx/esbuild (tsx pins ~0.28.0)
- **/subscriptions-transport-ws/ws
- @babel/core: ^7.29.6 (many toolchain chains)
- tar >=7.5.11 → >=7.5.16
- packages/forest-cloud ^4.0.4 → ^4.0.6, + root resolution form-data: >=4.0.6 (azure/superagent/axios chains)
- **/typedoc/markdown-it
- **/@modelcontextprotocol/sdk/hono ^4.12.18 → ^4.12.25
- **/@nestjs/platform-express/multer (platform-express pins 2.0.2 exact)
- **/@semantic-release/github/undici: ^7.28.0
- **/node-gyp/undici: ^6.27.0 and **/@actions/http-client/undici: ^6.27.0

Ignored
- packages/_example demo app; nothing is shipped to production. The patched version (11.1.24) is a NestJS 10→11 breaking major; _example intentionally pins Nest 10. Same root cause as #385 / #390.
- devDependency of packages/agent, used only in integration tests of the NestJS/Fastify mounting; the published @forestadmin/agent does not ship it (not in dependencies/peerDependencies). The middleware-bypass exploit requires a live Fastify HTTP server receiving untrusted traffic. Fix (11.1.24) requires @nestjs/common/@nestjs/core 11 peers — a breaking major touching test infrastructure.
- _example.
- packages/workflow-executor/docker/deps/yarn.lock, where the only consumer of uuid@8.3.2 is sequelize@6 (declares uuid@^8.3.2). The advisory affects v3/v5/v6 when a buf argument is provided; grepping sequelize's sources shows it only calls uuid.v1/uuid.v4, never v3/v5/v6. Sequelize 6 cannot take uuid 11 (patched) without an override, and that lockfile is generated by build-deps-manifest.js which intentionally carries no resolutions.

Deferred
Skipped by the 7-day age gate; next run will pick them up:
Resolutions added
All entries live in the root package.json — Yarn 1 does not honor workspace-level resolutions, so parent-scoped root entries are the narrowest honored form.

- **/node-gyp/undici: ^6.27.0
  sqlite3 > node-gyp@12 > undici@^6.25.0; node-gyp is pulled by sqlite3's build — no ancestor bump pulls 6.27.0. Minor bump.
- **/@actions/http-client/undici: ^6.27.0
  @qiwi/multi-semantic-release > semantic-release > @semantic-release/npm > @actions/core > @actions/http-client@^3.0.0 > undici@^5.28.5; no @actions/http-client release on a patched undici. Note: this is an undici 5→6 major inside dev release tooling — see Risks.
- **/@semantic-release/github/undici: ^7.28.0
  @semantic-release/github > undici@^7.0.0; parent range already allows 7.28.0, resolution forces the lockfile refresh. Minor bump.
- **/@nestjs/platform-express/multer: ^2.2.0
  _example > @nestjs/platform-express@10 > multer@2.0.2 (exact pin); bumping platform-express to a version on multer 2.2 would be a Nest major. Minor bump of multer.
- **/typedoc/markdown-it: ^14.2.0
  typedoc > markdown-it@^14.1.1; range allows it, resolution forces refresh.
- **/subscriptions-transport-ws/ws: ^7.5.11
  forest-cloud > subscriptions-transport-ws@0.9 > ws@^5||^6||^7; parent is unmaintained, no bump available. Patch bump of ws.
- **/tsx/esbuild: ^0.28.1
  workflow-executor-example > tsx > esbuild@~0.28.0; patch bump.
- **/concurrently/shell-quote: ^1.8.4
  _example > concurrently@9 > shell-quote@1.8.3 (exact pin); no concurrently release on 1.8.4 yet. Resolved to 1.9.0.
- **/forest-cli/joi: ^17.13.4
  forest-cloud > forest-cli > joi@17.12.2 (exact pin); direct bump in forest-cloud covers only its own copy. Minor bump.
- form-data: >=4.0.6
  (@azure/core-rest-pipeline, superagent, axios, @types/superagent, forest-cloud direct). Patch bump.
- @babel/core: ^7.29.6

Also modified existing entries:

- tar >=7.5.11 → >=7.5.16 (#388)
- **/@modelcontextprotocol/sdk/hono ^4.12.18 → ^4.12.25 (#392–#396)

Resolutions removed
- package.json (root) axios: >=1.16.0
  (^1.8.3, ^1.16.0) now naturally resolve to ≥1.16.0 (latest 1.x is 1.18.1); verified by removing + reinstalling, lockfile stays at 1.17.0.
- package.json (root) @hono/node-server: ^1.19.13
  ^1.19.9 naturally resolves to 1.19.14 ≥ pin; verified by removing + reinstalling (stays 1.19.14).
- package.json (root) **/ajv/fast-uri: ^3.1.2
  fast-uri@^3.0.1, which naturally resolves to 3.1.3 ≥ 3.1.2 (the ^2.x consumers are still covered by the remaining **/@fastify/ajv-compiler/fast-uri and **/fast-json-stringify/fast-uri entries); verified by removing + reinstalling (stays 3.1.2).
- packages/agent/package.json overrides: { @paralleldrive/cuid2: 2.2.2 }
  overrides are ignored by Yarn 1 entirely, and packages/agent already pins @paralleldrive/cuid2: 2.2.2 as an exact direct dependency; verified by removing + reinstalling (stays 2.2.2).

Kept (still active):

- lerna/**/glob (forces 9.x/10.x ranges up)
- semantic-release ^25 (forces ^21 range up)
- qs >=6.15.2 (a qs@6.13.0 exact pin exists)
- langsmith ^0.6.0 (holds langchain's >=0.5.0 <1.0.0 below 0.7)
- lodash ^4.18.0 (a lodash@4.17.23 exact pin exists)
- uuid ^11.1.1 (forces 8.x/9.x/10.x ranges)
- tmp >=0.2.6 (a ^0.0.33 range exists)
- **/express-rate-limit/ip-address ^10.1.1 (parent pins 10.1.0 exact)
- **/@aws-sdk/xml-builder/fast-xml-parser ^5.7.0 (parent pins 5.5.8 exact)
- **/@fastify/ajv-compiler/fast-uri, **/fast-json-stringify/fast-uri (parents on ^2.x)

Risks
- @actions/http-client — the only cross-major forced bump. Blast radius is the semantic-release publish tooling (dev-only, runs in release CI). undici 6 kept the request/ProxyAgent API surface http-client uses, but if the release workflow breaks, revert the **/@actions/http-client/undici entry.
- concurrently, typedoc).

Manual testing
Covered by CI. If the release pipeline is exercised before the next scheduled release, keep an eye on the semantic-release GitHub/npm publish steps (undici bump).
Validation
✅ CI green