
chore(deps): upgrade hedgebox-dummy app deps to clear audit advisories#60239

Merged
robbie-c merged 1 commit into
masterfrom
claude/bump-hedgebox-dummy-deps
May 28, 2026

Conversation

@robbie-c
Member

Problem

tools/hedgebox-dummy/ is the standalone Next.js demo app used to generate realistic session recordings for Hedgebox demo data. It's deliberately excluded from the root pnpm workspace (!tools/hedgebox-dummy in pnpm-workspace.yaml) with its own package.json and lockfile, so the main CI never installs or builds it and its dependencies had drifted badly. pnpm audit inside the fixture reported 40 advisories (14 high, 24 moderate, 2 low), dominated by an old next@14.2.35 (a stack of SSRF / DoS / XSS / cache-poisoning CVEs) plus transitive protobufjs, dompurify, postcss, and a lint-time minimatch/picomatch cluster.

Since this fixture is not production and not shipped, this PR takes the cavalier path the maintainer asked for: bump aggressively (including the next major) and rebuild the whole lockfile, then verify by building locally because CI won't.

Changes

Manifest bumps in tools/hedgebox-dummy/package.json:

| Dependency | Before | After | Why |
| --- | --- | --- | --- |
| next | 14.2.35 | 15.5.18 | clears every flagged next advisory (highest patched cited is 15.5.16); stays on 15.x rather than jumping to 16 to avoid the React 19 / Node requirement churn |
| eslint-config-next | 14.2.35 | 15.5.18 | match next major |
| eslint | ^8 | ^9 | drop EOL eslint 8 and its vulnerable transitive minimatch/js-yaml/ajv (lint-time only) |
| posthog-js | ^1.369.3 | ^1.376.2 | pulls protobufjs >=8.2.0 and dompurify >=3.4.0 through @opentelemetry, clearing those advisories at the parent |
| postcss | ^8 | ^8.5.15 | direct floor for the CSS-stringify XSS fix |
| uuid + @types/uuid | ^9 | removed | zero references anywhere in source; removed rather than bumped |

Overrides (the fixture already uses a pnpm.overrides block; both changes stay in-major, so no parent is forced onto an unsupported major):

  • protobufjs: >=7.5.5 → >=8.2.0 (the old floor was satisfied by the vulnerable 8.0.1)
  • postcss: added >=8.5.10 so next's bundled copy also gets the fix

Two latent type errors that next 15's stricter build surfaced (the app is never built in CI, so next dev's non-blocking overlay had hidden them):

  • src/app/files/[id]/page.tsx: params is now a Promise in the App Router, so it's unwrapped with React use()
  • src/app/files/page.tsx: return type widened to React.JSX.Element | null (it returns null when unauthenticated)

next-env.d.ts is the standard next-15 regeneration (adds the typed-routes reference). The large pnpm-lock.yaml diff is the intentional full rebuild.

How did you test this code?

I am an agent (Claude Code); automated checks only, run inside tools/hedgebox-dummy/:

  • pnpm audit: 40 advisories → 0.
  • pnpm install --frozen-lockfile: passes (lockfile consistent with the manifest).
  • pnpm exec next build: green after the two type fixes. All 9 routes compile, type-check, lint, and prerender (/, /files, /files/[id], /login, /signup, /pricing, /mariustechtips, /_not-found). I verified the build failed before the type fixes (next-15 async-params constraint, then the null return-type) and passes after, so the changes are load-bearing.
  • I did not run the app at runtime against a live PostHog instance (needs the local stack + DB for fetch-posthog-key); the build-time render of every route is the automated gate here.

Publish to changelog?

no

Docs update

No docs changes needed. Add skip-inkeep-docs if the bot triggers.

🤖 Agent context

Authored by Claude Code (Claude Opus 4.7), agent-driven. Requires human review; do not self-merge.

Tools used: Read/Edit/Bash/Grep for investigation and the local pnpm build loop. Key decisions:

  • next 15, not 16. 15.5.18 resolves all listed next advisories with no extra security benefit from 16, while 16 would force React 19 and a higher Node floor (more code surgery, more risk) for a fixture whose only job is to build and run locally.
  • Removed uuid instead of bumping it. It had zero references in src/ or scripts/, so removal kills the advisory at the source.
  • Parent bump preferred over override for protobufjs/dompurify (bumping posthog-js brought safe versions); the two override edits that remain are in-major and scoped, consistent with the fixture's existing override block.
  • Local build is the gate. Because this fixture is workspace-excluded and never built in CI, the only way to validate a major next bump is to build it locally, which is exactly what surfaced (and fixed) the two pre-existing type errors.

Bumps the standalone hedgebox-dummy demo app (excluded from the root
workspace, not built by CI) to clear all 40 pnpm audit advisories
(14 high, 24 moderate, 2 low):

- next 14.2.35 -> 15.5.18 (multiple SSRF/DoS/XSS/cache-poisoning CVEs)
- eslint-config-next -> 15.5.18 to match; eslint ^8 -> ^9
- posthog-js ^1.369.3 -> ^1.376.2 (pulls protobufjs >=8.2.0, dompurify
  >=3.4.0 through @opentelemetry, clearing those advisories)
- postcss floor ^8 -> ^8.5.15 and a scoped postcss >=8.5.10 override so
  next's bundled copy also picks up the CSS-stringify XSS fix
- protobufjs override tightened >=7.5.5 -> >=8.2.0 (8.0.1 was vulnerable)
- removed uuid + @types/uuid (zero source references)

Two latent type errors surfaced by next 15's stricter build (the app is
never built in CI) are fixed: the [id] route now awaits the async
`params` Promise via React `use()`, and FilesPage's return type allows
null. Verified locally with `next build` (all 9 routes compile, type
check, and prerender) and `pnpm audit` (0 advisories).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
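The override note above turns on a semver detail that is easy to miss in review: a `>=` floor in `pnpm.overrides` is open-ended, so `protobufjs: ">=7.5.5"` was perfectly happy to resolve to the vulnerable 8.0.1, and only `>=8.2.0` actually rules it out. The following is an added example, not code from the PR or from the hedgebox-dummy project: a minimal range checker covering just the two range shapes this manifest uses (`>=X.Y.Z` floors and `^X[.Y[.Z]]` carets with a non-zero major), plus a helper that tests a set of overrides against known-vulnerable versions before you trust them. The protobufjs 8.0.1 value comes from the PR text; the postcss version `8.4.31` used in the sample is constructed for illustration and is not taken from the page.

```typescript
// Added example: check whether pnpm.overrides ranges actually exclude known-vulnerable
// versions. Not part of the PR or the project; handles only `>=X.Y.Z` and `^X[.Y[.Z]]`
// (major > 0), which are the only shapes used in the manifest and override block discussed.

type Semver = [number, number, number];

// Parse "8", "8.5" or "8.5.10" into a [major, minor, patch] tuple; missing parts default to 0.
function parseSemver(v: string): Semver {
  const parts = v.trim().split(".");
  if (parts.length === 0 || parts.length > 3 || parts.some((p) => !/^\d+$/.test(p))) {
    throw new Error(`not a semver version: ${v}`);
  }
  const nums = parts.map((p) => Number.parseInt(p, 10));
  return [nums[0], nums[1] ?? 0, nums[2] ?? 0];
}

// Lexicographic compare on the three numeric components: -1, 0 or 1.
function compare(a: Semver, b: Semver): number {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Does `version` fall inside `range`? `>=` is an open-ended floor; `^` is floor <= v < next major.
function satisfies(version: string, range: string): boolean {
  const v = parseSemver(version);
  const r = range.trim();
  if (r.startsWith(">=")) {
    return compare(v, parseSemver(r.slice(2))) >= 0;
  }
  if (r.startsWith("^")) {
    const floor = parseSemver(r.slice(1));
    if (floor[0] === 0) throw new Error("caret ranges on 0.x are not handled in this example");
    const ceiling: Semver = [floor[0] + 1, 0, 0];
    return compare(v, floor) >= 0 && compare(v, ceiling) < 0;
  }
  throw new Error(`unsupported range: ${range}`);
}

// For each package with known-vulnerable versions, report any version the override still admits
// (or a missing override). An empty result means every listed vulnerable version is excluded.
function stillAdmits(
  overrides: Record<string, string>,
  vulnerable: Record<string, string[]>,
): string[] {
  const findings: string[] = [];
  for (const [pkg, versions] of Object.entries(vulnerable)) {
    const range = overrides[pkg];
    if (range === undefined) {
      findings.push(`${pkg}: no override`);
      continue;
    }
    for (const v of versions) {
      if (satisfies(v, range)) findings.push(`${pkg}@${v} satisfies ${range}`);
    }
  }
  return findings;
}

// Constructed sample data. protobufjs 8.0.1 is the vulnerable resolution named in the PR;
// postcss 8.4.31 is a made-up older version used only to exercise the postcss floor.
const OVERRIDES_BEFORE: Record<string, string> = { protobufjs: ">=7.5.5" };
const OVERRIDES_AFTER: Record<string, string> = { protobufjs: ">=8.2.0", postcss: ">=8.5.10" };
const KNOWN_VULNERABLE: Record<string, string[]> = { protobufjs: ["8.0.1"], postcss: ["8.4.31"] };

console.log("before:", stillAdmits(OVERRIDES_BEFORE, KNOWN_VULNERABLE));
console.log("after:", stillAdmits(OVERRIDES_AFTER, KNOWN_VULNERABLE));
```

Run `stillAdmits` against the advisory's vulnerable versions whenever an override is tightened; a `>=` floor that is already below a vulnerable version (as `>=7.5.5` was for 8.0.1) silently does nothing, and `pnpm audit` is the only thing that will tell you so unless a check like this runs first.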
@assign-reviewers-posthog assign-reviewers-posthog Bot requested a review from a team May 27, 2026 12:49

@robbie-c robbie-c marked this pull request as ready for review May 27, 2026 13:12
@greptile-apps
Contributor

greptile-apps Bot commented May 27, 2026

Reviews (1): Last reviewed commit: "chore(deps): upgrade hedgebox-dummy app ..."

@marandaneto marandaneto removed the request for review from a team May 27, 2026 14:14
@robbie-c robbie-c merged commit 0d1ab14 into master May 28, 2026
178 of 183 checks passed
@robbie-c robbie-c deleted the claude/bump-hedgebox-dummy-deps branch May 28, 2026 11:58
@deployment-status-posthog

deployment-status-posthog Bot commented May 28, 2026

Deploy status

| Environment | Status | Deployed At | Workflow |
| --- | --- | --- | --- |
| dev | ✅ Deployed | 2026-05-28 12:31 UTC | Run |
| prod-us | ✅ Deployed | 2026-05-28 12:53 UTC | Run |
| prod-eu | ✅ Deployed | 2026-05-28 12:55 UTC | Run |
