
fix(deps): patch security vulnerabilities in hono, dependency-cruiser, and transitive deps #1104

Merged
jeanduplessis merged 7 commits into main from chore/deps-and-worktree-config on Mar 16, 2026

Conversation

@jeanduplessis
Contributor

Summary

Patches 9 security vulnerabilities identified by pnpm audit by bumping direct dependencies and updating transitive deps in the lockfile:

  • hono catalog ^4.12.1 → ^4.12.7 — fixes arbitrary file access via serveStatic, cookie attribute injection, SSE control field injection, and prototype pollution via parseBody
  • dependency-cruiser ^17.3.1 → ^17.3.8 — drops the vulnerable ajv transitive dependency entirely
  • @hono/node-server 1.19.9 → 1.19.11 (lockfile) — fixes authorization bypass via encoded slashes
  • express-rate-limit 8.2.1 → 8.3.1 (lockfile) — fixes IPv4-mapped IPv6 rate limit bypass
  • flatted 3.3.3 → 3.4.1 (lockfile) — fixes unbounded recursion DoS in parse()
  • undici 6.23.0 → 6.24.1 for @qdrant/js-client-rest (lockfile) — fixes WebSocket DoS, HTTP smuggling, and CRLF injection

Reduces pnpm audit from 27 → 18 vulnerabilities. The remaining 18 are blocked by upstream pinning (discord.js, miniflare, monaco-editor, storybook/elliptic).

Verification

  • pnpm install — passes
  • pnpm audit — confirms reduction from 27 to 18 vulnerabilities

Visual Changes

N/A

Reviewer Notes

  • All direct dep bumps are semver-patch within the same minor version.
  • undici@6.24.1 was added to minimumReleaseAgeExclude because it was published 1 day ago (within the 4-day minimumReleaseAge window). This exclusion can be removed after March 18.
  • The remaining 18 vulnerabilities cannot be fixed without upstream releases from discord.js (pins undici 6.21.3), @cloudflare/vitest-pool-workers/miniflare (pins undici 7.18.2, dev-only), monaco-editor (pins dompurify 3.2.7), and storybook/elliptic (no patched version exists, dev-only).
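The express-rate-limit bump above fixes an IPv4-mapped IPv6 bypass. The following is an added illustration, not code from this repository or from express-rate-limit: a limiter keyed on the raw socket address gives one host two buckets (`203.0.113.5` and `::ffff:203.0.113.5`), while canonicalizing the key before counting closes the gap. The names `normalizeClientIp`, `FixedWindowLimiter` and the sample addresses are assumptions for the example.

```typescript
// Added example (not from the kilo-code repository or express-rate-limit).
// Shows why a rate-limit key must canonicalize IPv4-mapped IPv6 addresses.

const DOTTED_QUAD = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
// "::ffff:" or the expanded "0:0:0:0:0:ffff:" prefix of an IPv4-mapped address.
const V4_MAPPED_PREFIX = /^(?:::|(?:0{1,4}:){5})ffff:(.+)$/;

/** Canonicalize a client address so one host maps to exactly one bucket key. */
function normalizeClientIp(raw: string): string {
  let ip = raw.trim().toLowerCase();
  if (ip.startsWith("[") && ip.endsWith("]")) ip = ip.slice(1, -1); // "[::1]"
  ip = ip.split("%")[0]; // drop a zone id such as "fe80::1%eth0"
  const mapped = V4_MAPPED_PREFIX.exec(ip);
  if (!mapped) return ip; // plain IPv4 or a genuine IPv6 address
  const rest = mapped[1];
  if (DOTTED_QUAD.test(rest)) return rest; // "::ffff:203.0.113.5"
  const hex = /^([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(rest); // "::ffff:cb00:7105"
  if (!hex) return ip;
  const hi = parseInt(hex[1], 16);
  const lo = parseInt(hex[2], 16);
  return [hi >> 8, hi & 0xff, lo >> 8, lo & 0xff].join(".");
}

/** Minimal fixed-window counter; keyFn decides what counts as "the same client". */
class FixedWindowLimiter {
  private readonly counts = new Map<string, number>();
  private readonly limit: number;
  private readonly keyFn: (ip: string) => string;
  constructor(limit: number, keyFn: (ip: string) => string) {
    this.limit = limit;
    this.keyFn = keyFn;
  }
  /** Records one request and returns true if it is still within the limit. */
  hit(ip: string): boolean {
    const key = this.keyFn(ip);
    const n = (this.counts.get(key) ?? 0) + 1;
    this.counts.set(key, n);
    return n <= this.limit;
  }
}

/** Counts how many of the given requests a limiter lets through. */
function allowedCount(limiter: FixedWindowLimiter, ips: string[]): number {
  return ips.filter((ip) => limiter.hit(ip)).length;
}

// Constructed sample: one host seen through an IPv4 socket and a dual-stack socket.
const SAMPLE_REQUESTS = [
  "203.0.113.5", "203.0.113.5", "203.0.113.5",
  "::ffff:203.0.113.5", "::ffff:203.0.113.5", "::ffff:203.0.113.5",
];
// With limit 3: raw keying admits 6 requests (two buckets); normalized keying admits 3.
```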

…, and transitive deps

Bump hono catalog ^4.12.1 -> ^4.12.7 (fixes serveStatic file access,
cookie injection, SSE injection, prototype pollution).

Bump dependency-cruiser ^17.3.1 -> ^17.3.8 (drops vulnerable ajv dep).

Update transitive deps via lockfile: @hono/node-server 1.19.9 -> 1.19.11,
express-rate-limit 8.2.1 -> 8.3.1, flatted 3.3.3 -> 3.4.1,
undici 6.23.0 -> 6.24.1 (qdrant).

Reduces pnpm audit from 27 to 18 vulnerabilities.
Comment thread pnpm-workspace.yaml
@kilo-code-bot
Contributor

kilo-code-bot Bot commented Mar 15, 2026

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Files Reviewed (9 files)
  • .gitignore
  • cloud-agent-next/src/server.ts
  • cloudflare-ai-attribution/src/ai-attribution.worker.ts
  • cloudflare-deploy-infra/builder/src/index.ts
  • cloudflare-gastown/src/middleware/analytics.middleware.ts
  • cloudflare-webhook-agent-ingest/src/index.ts
  • package.json
  • pnpm-lock.yaml
  • pnpm-workspace.yaml

Reviewed by gpt-5.4-20260305 · 443,859 tokens

Add null guards for c.req.param() which now returns string | undefined
in hono >=4.12.7 (cloud-agent-next, deploy-builder).

Cast workers-tagged-logger middleware to MiddlewareHandler to bridge
stale .d.ts compiled against older hono (ai-attribution, webhook-agent).
Comment thread package.json Outdated
@jeanduplessis jeanduplessis requested a review from eshurakov March 16, 2026 09:19
@jeanduplessis jeanduplessis merged commit 0b6da65 into main Mar 16, 2026
18 checks passed
@jeanduplessis jeanduplessis deleted the chore/deps-and-worktree-config branch March 16, 2026 09:22