chore(deps): patch high/critical audit advisories with in-range bumps#60023
Clear the high and critical advisories from pnpm audit that are fixable with in-range versions, without adding any pnpm overrides. A bare override can force a parent onto a major it does not declare support for, so we only take fixes the dependency graph already permits; the CI audit gate guards future regressions.

Direct dependency bumps in their manifests:
- @opentelemetry node SDK group to the 0.218 / 0.76 train (sdk-node, exporter-trace-otlp-grpc/http, auto-instrumentations-node, instrumentation-pg); also pulls a patched exporter-prometheus.
- liquidjs, lodash, nodemailer.

Transitive advisories that resolve within the parents' existing ranges are carried by the lockfile, including both criticals (handlebars, protobufjs) plus braces, cross-spawn, glob, vite, rollup, and ~20 more.

Not fixed here, since clearing them would need an out-of-range override or a new direct dependency (deliberately avoided; future regressions are caught by the CI audit gate): @xmldom/xmldom, body-parser, minimatch, path-to-regexp, serialize-javascript, tar, tar-fs, ws, undici (its >=7.24 fix also removes the maxRedirections API used in nodejs/src/utils/request.ts), and happy-dom (the auto-installed peer of @tiptap/html does not persist without a direct dep or override). node-forge stays on its existing 1.3.2 override pin; playwright needs a coordinated CI container bump.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
🎭 Playwright didn't run on this PR — your changes touch code that could affect E2E behavior, but Playwright is opt-in via label now to keep CI cost down. Add the Most PRs don't need this. Real regressions still get caught on master and fix-forward.
### Issue 1 of 1
nodejs/package.json:109
Lodash `4.18.0` was released as the fix for CVE-2025-13465/prototype-pollution but was immediately deprecated because it introduced a breaking functionality issue (see lodash/lodash#6167). The actual fix is `4.18.1`. The lockfile already resolves to `4.18.1`, so today's installation is fine, but the floor in the manifest permits the deprecated `4.18.0` to be installed in a fresh resolve if `4.18.1` is ever yanked or if a CI step pins an older snapshot.
```suggestion
"lodash": "^4.18.1",
```
Supply Chain Security Review
⚠️ serialize-javascript@6.0.2 — HIGH RCE and MODERATE DoS remain unfixed
This transitive dependency (likely via webpack/terser) is vulnerable to:
- GHSA-5c6j-r48x-rmvq (HIGH, CVSS 8.1): RCE via `RegExp.flags` and `Date.prototype.toISOString()` — fixed in 7.0.3
- GHSA-qj8w-gfj5-8c6v (MODERATE, CVSS 5.9): CPU exhaustion DoS — fixed in 7.0.5
The PR upgrades from 6.0.1→6.0.2 (fixing one prior advisory) but the version still carries these two. A resolution override to >=7.0.5 would clear both.
⚠️ nodemailer@7.0.13 — SMTP injection vulns require major bump to fix
- GHSA-vvjj-xcjg-gr5g (MODERATE): SMTP command injection via CRLF in transport name — fixed in 8.0.5
- GHSA-c7w3-x93f-qmm8 (LOW): SMTP command injection via unsanitized `envelope.size` — fixed in 8.0.4
The manifest specifies ^7.0.11 so semver won't pull in the fix (8.x). These were also present in the previous ^7.0.5 range, so this PR doesn't regress — but the vulns persist. Consider upgrading to nodemailer 8.x when feasible.
Net impact is strongly positive: this PR resolves 90+ known vulnerabilities across axios, vite, protobufjs, undici, handlebars, lodash, tar, and many others. The 4 newly-introduced advisories are either transitive (serialize-javascript) or require a breaking major version bump (nodemailer) and were already present before this PR in practice.
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
Supply Chain Security Review
⚠️ serialize-javascript@6.0.2 — RCE and DoS vulnerabilities persist (fix requires major bump to 7.0.5+)
GHSA-5c6j-r48x-rmvq (HIGH, RCE via RegExp.flags/Date.prototype.toISOString) and GHSA-qj8w-gfj5-8c6v (MODERATE, CPU exhaustion DoS) affect all versions below 7.0.3/7.0.5. This is a transitive dependency (likely via webpack/terser) so fixing requires the upstream bundler to adopt the new major. These vulns existed in the prior version (6.0.1) as well — this PR does not regress security here.
⚠️ nodemailer@7.0.13 — SMTP command injection vulns persist (fix requires 8.0.4+)
GHSA-vvjj-xcjg-gr5g (MODERATE, CRLF injection in EHLO/HELO) and GHSA-c7w3-x93f-qmm8 (LOW, unsanitized envelope.size) are fixed only in nodemailer 8.x. The PR bumps from ^7.0.5 to ^7.0.11 (resolves to 7.0.13), which fixes the older vulns but not these. Consider planning a major version upgrade to nodemailer 8.x.
Overall this is a net-positive security update fixing 90+ advisories across the dependency tree. The 4 "newly introduced" vulnerabilities are actually pre-existing issues that persist because their fixes require semver-major bumps.
The lodash floor was raised to ^4.18.1 via a GitHub suggestion that edited only the manifest, leaving pnpm-lock.yaml's specifier at ^4.18.0 and failing --frozen-lockfile. Resync the lockfile specifier; resolved version stays 4.18.1. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Bump the manifest floors to the resolved versions so a fresh install cannot pick a lower (potentially vulnerable) version than what is tested: liquidjs ^10.25.7 -> ^10.27.0 (nodejs + frontend) and nodemailer ^7.0.11 -> ^7.0.13. The @opentelemetry/* and lodash floors already match their installed versions. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Supply Chain Security Review
⚠️ serialize-javascript@6.0.2 — HIGH-severity RCE remains unfixed (transitive)
GHSA-5c6j-r48x-rmvq (RCE via RegExp.flags/Date.prototype.toISOString, CVSS 8.1) is fixed in 7.0.3. GHSA-qj8w-gfj5-8c6v (CPU DoS) is fixed in 7.0.5. This is a transitive dependency (likely via terser/webpack) and was already vulnerable in the base revision at 6.0.1 — this PR does not regress the posture, but the issue persists. Consider adding a pnpm.overrides entry to force serialize-javascript@^7.0.5 if compatible.
⚠️ nodemailer@7.0.13 — two advisories require 8.x to fix
GHSA-vvjj-xcjg-gr5g (SMTP CRLF injection, fixed 8.0.5) and GHSA-c7w3-x93f-qmm8 (command injection via envelope.size, fixed 8.0.4) persist. Both were already present in the base at 7.0.5. The CRLF issue requires admin-level privileges (CVSS AC:L/PR:H). Consider evaluating a bump to nodemailer 8.x when compatible.
nodemailer 7.x has an SMTP command-injection advisory (GHSA-vvjj-xcjg-gr5g, CRLF in the EHLO/HELO transport name) and a command injection via unsanitized envelope.size (GHSA-c7w3-x93f-qmm8), both fixed only in nodemailer 8.x (8.0.4 / 8.0.5). nodemailer is a direct dependency (nodejs CDP email service), so bump nodejs/package.json to ^8.0.8 and @types/nodemailer to ^8.0.0 to match. 8.0.8 is the newest release old enough to clear the repo's minimumReleaseAge guard (8.0.9 was published ~20h ago); it already carries both SMTP fixes. The createTransport / sendMail / SendMailOptions usage is unchanged across the major (verified via tsc), so no code changes are needed. Split out from the main audit PR (#60023) since it is a semver-major bump, beyond that PR's in-range scope. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Problem

`pnpm audit` flags some critical warnings. Note that this is not a real issue, see https://overreacted.io/npm-audit-broken-by-design/ for more info, but it'd be good to fix this nonetheless to make this less noisy.

Claude Code continues:

`pnpm audit` flagged 2 critical and ~110 high advisories, the large majority transitive. This PR clears every advisory that can be fixed with an in-range version, without adding any `pnpm` overrides. The reasoning: an override can force a parent onto a major it does not declare support for (verified: bare overrides on this tree forced `express@5` onto `body-parser@1`, `@puppeteer/browsers` onto `tar-fs@2`, etc.), so we only take fixes the dependency graph already permits. Future regressions are caught by the CI audit gate rather than pinned by overrides.

Changes

Direct dependency bumps (in their manifests):
- `@opentelemetry/*` Node SDK group to a consistent train: `sdk-node`, `exporter-trace-otlp-grpc`/`-http` to `^0.218.0`, `auto-instrumentations-node` to `^0.76.0`, `instrumentation-pg` to `^0.70.0` (also pulls a patched `exporter-prometheus`).
- `liquidjs` `^10.25.7`, `lodash` `^4.18.0`, `nodemailer` `^7.0.11`.

Transitive advisories cleared via the lockfile (patched version is within the parents' existing ranges, so no override and no new manifest entry needed): both criticals (`handlebars`, `protobufjs`), plus `axios`, `base-x`, `basic-ftp`, `braces`, `cross-spawn`, `effect`, `express-rate-limit`, `fast-uri`, `fast-xml-builder`, `flatted`, `glob`, `immutable`, `jws`, `picomatch`, `rollup`, `svgo`, `vite`, `webpack-dev-middleware`, `@babel/plugin-transform-modules-systemjs`, `undici@6`.

Net

`pnpm audit --audit-level=high`: 2 critical to 0, and 27 of 39 flagged packages cleared. `pnpm install --frozen-lockfile` passes (the lockfile is consistent with the no-override manifests). Rebased onto current master (which now includes #60101).

Deliberately not fixed (would require an out-of-range override)

These have no patched version inside a parent's declared range, so clearing them would mean forcing an unsupported version via an override, which this PR avoids. They remain flagged and will be caught on future branches by CI audit:
- `@xmldom/xmldom`, `body-parser`, `path-to-regexp` (`express@4` pins `path-to-regexp` 0.1.7).
- `minimatch`, `tar-fs`, `ws`: `pnpm update` cannot dislodge without a forced override.
- `serialize-javascript`, `tar`
- `undici` (7.x): the fix removes `maxRedirections` from `request()`, which would also need a code change in `nodejs/src/utils/request.ts`.
- `node-forge`: `1.3.2` override pin (pre-existing, not changed here).
- `happy-dom`: auto-installed peer of `@tiptap/html`. It reverts to the vulnerable version once the temporary override is removed, and only stays patched with a direct dependency or override, neither of which this PR adds.
- `playwright`: the `>= 1.55.1` fix needs the pinned `ghcr.io/posthog/playwright:v1.45.0` CI container rebuilt and the workflow references (`ci-storybook.yml`, `ci-e2e-playwright.yml`) updated to match. An initial bump to `1.55.1` broke all visual-regression shards (the installed `@playwright/test` mismatched the v1.45.0 browser container), so it was reverted. Note a separate part of this advisory is a false positive against the internal `@posthog/playwright` workspace dir.

The `Playwright E2E tests` check is opt-in via the `run-playwright` label. The collectstatic and node-services breakages that previously blocked it master-wide were fixed in #60101, now merged and included in this branch's base. The only remaining E2E failure is a pre-existing post-login regression (a credential-review screen flow), unrelated to this dependency PR, and will be fixed in #59751.

How did you test this code?

I am an agent (Claude Code). Automated checks only, no manual/UI testing:
- `pnpm install` resolves cleanly; `pnpm install --frozen-lockfile` passes (CI-consistent).
- `pnpm audit --audit-level=high`: 2 critical to 0; remaining highs are the table above.
- `nodejs` `tsc`: unchanged from the `master` baseline (the only pre-existing errors are the `@posthog/hogvm`/`@posthog/cyclotron` "not built locally" cascade).
- `services/mcp` `tsc`: only the pre-existing `@posthog/quill` "not built locally" cascade.
- `kea-typegen write` then `tsc --noEmit`. 63 errors remain, all from unbuilt `@posthog/quill`/`@posthog/hogvm` workspace packages (a local-only artifact, since those aren't built in this environment, the same way the nodejs check hits `@posthog/cyclotron`). Every erroring file imports one of those two packages; zero errors come from this PR's dependency changes. CI builds those packages, so its frontend typecheck is the real gate.

Publish to changelog?

no

Docs update

No docs changes needed.

🤖 Agent context

Authored by Claude Code (Claude Opus 4.7), agent-driven. Requires human review; do not self-merge.

This started as a broad `pnpm.overrides` PR. During review the maintainer questioned whether overrides force packages onto versions their parents don't support. A check confirmed it: 0 parent-range violations on `master`, 9 introduced by the overrides (4 cross-major). We pivoted to this no-override approach: fix only what is reachable in-range (direct manifest bumps plus lockfile resolution), and leave the rest for a follow-up rather than force unsupported versions. The CI audit gate is the guard against future drift.
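As an added example (not code from this PR or the PostHog repository), the following Node script encodes the two checks the PR discussion relies on: the parent-range violation count that motivated dropping `pnpm.overrides` (an override-resolved version that falls outside a parent's declared range, flagged as cross-major when it changes the major), and the manifest-floor check from the later commit (a direct dependency's floor should equal the version the lockfile resolves to, so a fresh install cannot pick a lower, possibly vulnerable, version than what was tested). The semver handling is deliberately minimal: exact, `^` and `~` ranges only, with npm's caret rule for 0.x versions, which matters for the `@opentelemetry` 0.x train. The declared ranges in the sample data are constructed for illustration and are not copied from the real packages; only the manifest floors and resolved versions mirror the numbers quoted in the PR.

```javascript
// Added example, not part of the PR. Minimal semver support (assumption):
// exact versions, ^ranges and ~ranges of the form X.Y.Z only.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Exclusive upper bound of a caret range, following npm semantics:
// ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0 (0.x minors are breaking), ^0.0.3 -> <0.0.4
function caretUpper([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

function satisfies(version, range) {
  const v = parseVersion(version);
  if (range.startsWith('^')) {
    const floor = parseVersion(range.slice(1));
    return compare(v, floor) >= 0 && compare(v, caretUpper(floor)) < 0;
  }
  if (range.startsWith('~')) {
    const floor = parseVersion(range.slice(1));
    return compare(v, floor) >= 0 && compare(v, [floor[0], floor[1] + 1, 0]) < 0;
  }
  return compare(v, parseVersion(range)) === 0; // exact pin
}

// declared: { dep: { parent: rangeTheParentDeclares } }
// resolved: { dep: versionTheLockfileResolvesTo } (e.g. after an override)
// Returns one entry per (dep, parent) pair whose resolved version is outside
// the parent's declared range; crossMajor marks the unsupported-major case.
function parentRangeViolations(declared, resolved) {
  const violations = [];
  for (const [dep, parents] of Object.entries(declared)) {
    const version = resolved[dep];
    if (!version) continue;
    for (const [parent, range] of Object.entries(parents)) {
      if (satisfies(version, range)) continue;
      const declaredMajor = parseVersion(range.replace(/^[\^~]/, ''))[0];
      violations.push({ dep, parent, range, version,
        crossMajor: parseVersion(version)[0] !== declaredMajor });
    }
  }
  return violations;
}

// manifest: { dep: rangeInPackageJson }, resolved: { dep: lockfileVersion }
// A floor below the resolved version lets a fresh resolve pick something
// older than what CI tested; report every such gap.
function floorMismatches(manifest, resolved) {
  const out = [];
  for (const [dep, range] of Object.entries(manifest)) {
    if (!resolved[dep]) continue;
    const floor = range.replace(/^[\^~]/, '');
    if (compare(parseVersion(floor), parseVersion(resolved[dep])) !== 0) {
      out.push({ dep, floor, resolved: resolved[dep] });
    }
  }
  return out;
}

// Constructed sample (ranges are illustrative, not the real packages' ranges):
// what an override-driven lockfile could look like.
const SAMPLE_DECLARED_RANGES = {
  'body-parser': { 'express@5': '^2.2.0', 'express@4': '^1.20.3' },
  'tar-fs': { '@puppeteer/browsers': '^3.0.0' },
  '@opentelemetry/exporter-prometheus': { '@opentelemetry/sdk-node': '^0.218.0' },
};
const SAMPLE_RESOLVED = {
  'body-parser': '1.20.3', // an override pinned the 1.x line
  'tar-fs': '2.1.3',       // an override pinned the 2.x line
  '@opentelemetry/exporter-prometheus': '0.218.0',
};

// Constructed sample for the floor check, using the floors and resolved
// versions quoted in the PR before the floor-bump commit.
const SAMPLE_MANIFEST = { liquidjs: '^10.25.7', nodemailer: '^7.0.11', lodash: '^4.18.1' };
const SAMPLE_MANIFEST_RESOLVED = { liquidjs: '10.27.0', nodemailer: '7.0.13', lodash: '4.18.1' };

console.log('parent-range violations:', parentRangeViolations(SAMPLE_DECLARED_RANGES, SAMPLE_RESOLVED));
console.log('manifest floors behind lockfile:', floorMismatches(SAMPLE_MANIFEST, SAMPLE_MANIFEST_RESOLVED));
```

Run against a real tree, the inputs would come from each parent's `package.json` and from `pnpm-lock.yaml`; the sample run reports two cross-major violations (both override pins) and two floors that trail their resolved versions (`liquidjs` and `nodemailer`), while `lodash` at `^4.18.1` already matches.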