Security: bundled Dependabot bumps + axios supply-chain pin #12
Merged
Conversation
Closes 28 of 29 open Dependabot alerts on the TypeScript CLI (xlsx remains; no patch available on npm — separate effort).

Direct dependency bumps:
- axios: ^1.6.2 -> 1.15.1 (exact pin to skip compromised 1.14.1 released 2026-03-31; closes GHSA-fvcv-3m26-pcqx, GHSA-3p68-rc4w-qgx5)
- yaml: ^2.3.4 -> ^2.8.3 (closes GHSA-48c2-rrv3-qjmp)
- mammoth: ^1.11.0 -> ^1.12.0
- @modelcontextprotocol/sdk: ^1.27.1 -> ^1.29.0
- ts-jest: ^29.1.1 -> ^29.4.9 (closes critical GHSA-2w6w-674q-4c4q and 6 other dev-scope handlebars advisories)

npm overrides for stuck transitives:
- @xmldom/xmldom ^0.8.12, brace-expansion ^2.0.3, picomatch ^2.3.2
- follow-redirects ^1.16.0 (axios transitive)
- hono ^4.12.14, @hono/node-server ^1.19.13 (MCP SDK transitives)
- express > path-to-regexp ^0.1.13 (RPC server)
- router > path-to-regexp ^8.4.0 (MCP SDK express 5)

Verified after install:
- No plain-crypto-js in lockfile (compromised axios payload)
- axios resolves to 1.15.1 exact
- npm audit reports 1 remaining alert (xlsx, no fix available)
- npm test: 20/20 suites pass, 331 tests pass

Test fix: tests/version.test.ts mockExecSync casts updated to `as unknown as ReturnType<typeof execSync>` because @types/node 20.19.39 (pulled by transitive minor bump) tightened Buffer typing.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This was referenced Apr 20, 2026
Summary
Closes 28 of 29 open Dependabot alerts on the TypeScript CLI in one bundled bump.
The remaining alert is xlsx — SheetJS no longer publishes patches to npm. Tracking that as a separate effort (library swap or CDN install).
Direct dependency bumps
| Package | From | To | Notes |
|---|---|---|---|
| axios | ^1.6.2 | 1.15.1 (exact pin) | Skips compromised 1.14.1, released 2026-03-31 (UNC1069 supply-chain attack). Also closes GHSA-fvcv-3m26-pcqx, GHSA-3p68-rc4w-qgx5. |
| yaml | ^2.3.4 | ^2.8.3 | |
| mammoth | ^1.11.0 | ^1.12.0 | |
| @modelcontextprotocol/sdk | ^1.27.1 | ^1.29.0 | |
| ts-jest | ^29.1.1 | ^29.4.9 | |

npm overrides for stuck transitives
- `@xmldom/xmldom ^0.8.12`, `brace-expansion ^2.0.3`, `picomatch ^2.3.2`
- `follow-redirects ^1.16.0` (axios transitive)
- `hono ^4.12.14`, `@hono/node-server ^1.19.13` (MCP SDK transitives)
- `express > path-to-regexp ^0.1.13` (RPC server in `dist/server.js`)
- `router > path-to-regexp ^8.4.0` (MCP SDK express 5 router)

Why exact-pin axios?
Versions `1.14.1` and `0.30.4` were published with a malicious `plain-crypto-js@4.2.1` post-install dropper (cross-platform RAT) during a maintainer-account compromise on 2026-03-31. We're on the 1.x line, target `1.15.1` (latest, clean), and pin exact so a `^` range can never resolve back to `1.14.1` if anything weird happens with the registry.

Test plan
- `npm install` — clean install, no `plain-crypto-js` in lockfile (`grep -ic plain-crypto-js package-lock.json` → 0)
- `npm ls axios` → `axios@1.15.1` exact
- `npm audit` — down from 29 alerts to 1 (xlsx only)
- `npm run build` — passes
- `npm test` — 20/20 suites, 331 tests pass
- `prompd-cli/typescript/Dockerfile`) still works for the RPC server

Out of scope
`exceljs`) or CDN install. Recommend adding a file-size guard in `assets.ts`/`package.ts` as a stopgap.

Test fix included
`tests/version.test.ts` updated two `mockExecSync.mockReturnValue(... as unknown as Buffer)` casts to `as unknown as ReturnType<typeof execSync>` because the transitive `@types/node` minor bump (20.19.11 → 20.19.39) tightened Buffer typing. Pre-existing test brittleness, surfaced by the bump.

🤖 Generated with Claude Code
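One way to turn the PR's post-install checks (no `plain-crypto-js` in the lockfile, axios resolving to `1.15.1` exactly) and its "why exact-pin" argument into a repeatable guard, as an added example that is not code from the PR or the prompd-cli project. It walks a `lockfileVersion` 3 `package-lock.json` and flags any copy of axios, nested ones included, that is not the expected version, and includes a deliberately minimal caret-range check to show why `^1.6.2` admits `1.14.1` while the exact pin does not. The two lockfile fixtures are constructed, and `some-transitive` is a hypothetical package name; the axios versions, the dropper package name and the target version come from the PR.

```javascript
"use strict";
// Added example, not code from the PR or the prompd-cli project. Encodes the
// PR's install-time checks as a lockfile guard a CI step can run, plus a
// caret-vs-exact comparison for the pin rationale. Fixtures are constructed.

// axios releases the PR names as shipping the plain-crypto-js dropper.
const BAD_AXIOS_VERSIONS = new Set(["1.14.1", "0.30.4"]);
// Dropper package pulled in by those releases (must never appear in the lockfile).
const FORBIDDEN_PACKAGES = new Set(["plain-crypto-js"]);

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`not an exact semver version: ${v}`);
  return m.slice(1).map(Number);
}

// Minimal caret-range check, limited to "^X.Y.Z" with X >= 1 (assumption: enough
// for the 1.x line the PR discusses; this is not a full semver implementation).
function satisfies(range, version) {
  if (!range.startsWith("^")) return range === version; // exact pin: one version only
  const [rMaj, rMin, rPat] = parseVersion(range.slice(1));
  if (rMaj === 0) throw new Error("0.x caret ranges are outside this example");
  const [vMaj, vMin, vPat] = parseVersion(version);
  if (vMaj !== rMaj) return false; // caret never crosses a major boundary
  if (vMin !== rMin) return vMin > rMin; // any later minor on the same major is allowed
  return vPat >= rPat;
}

// Walk the "packages" map of a lockfileVersion 3 package-lock.json. Keys are
// node_modules paths, so nested copies (node_modules/x/node_modules/axios) get
// checked alongside the top-level one; `npm ls axios` shows the same tree.
function auditLockfile(lock, expectedAxios) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, no resolved version
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (FORBIDDEN_PACKAGES.has(name)) {
      findings.push(`forbidden package ${name}@${entry.version} at ${path}`);
    }
    if (name === "axios") {
      if (BAD_AXIOS_VERSIONS.has(entry.version)) {
        findings.push(`compromised axios ${entry.version} at ${path}`);
      } else if (entry.version !== expectedAxios) {
        findings.push(`axios ${entry.version} at ${path}, expected ${expectedAxios}`);
      }
    }
  }
  return findings;
}

// Constructed fixture: the shape the lockfile should have after this PR.
const CLEAN_LOCK = {
  name: "prompd-cli", lockfileVersion: 3,
  packages: {
    "": { dependencies: { axios: "1.15.1" } },
    "node_modules/axios": { version: "1.15.1" },
    "node_modules/follow-redirects": { version: "1.16.0" },
  },
};

// Constructed fixture: a lockfile that drifted back onto the compromised release,
// with a hypothetical transitive carrying its own stale nested axios.
const DIRTY_LOCK = {
  name: "prompd-cli", lockfileVersion: 3,
  packages: {
    "": { dependencies: { axios: "^1.6.2" } },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "4.2.1" },
    "node_modules/some-transitive": { version: "1.0.0" },
    "node_modules/some-transitive/node_modules/axios": { version: "1.13.0" },
  },
};

function main() {
  for (const [label, lock] of [["clean", CLEAN_LOCK], ["dirty", DIRTY_LOCK]]) {
    const findings = auditLockfile(lock, "1.15.1");
    console.log(`${label}: ${findings.length === 0 ? "OK" : findings.join("; ")}`);
  }
  for (const range of ["^1.6.2", "1.15.1"]) {
    console.log(`${range} admits 1.14.1? ${satisfies(range, "1.14.1")}`);
  }
}
main();
```

To run it against a real install, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `auditLockfile` and fail the CI step on a non-empty result; the overrides list in the PR can be checked the same way by adding the override names and their minimum versions to the walk.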