
fix(deps): override smol-toml to resolve audit vulnerability #304

Merged
AndyTWF merged 1 commit into main from audit-fix
Apr 9, 2026

Conversation


@AndyTWF AndyTWF commented Apr 9, 2026

Summary

  • Adds a pnpm override for smol-toml@<1.6.1 → 1.6.1 to fix a moderate DoS vulnerability (GHSA-v3rj-xjv7-4jmq)
  • The vulnerable transitive dependency came through @vercel/node → @vercel/build-utils → @vercel/python-analysis → smol-toml
  • pnpm audit now reports no known vulnerabilities

🤖 Generated with Claude Code


vercel bot commented Apr 9, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project     | Deployment | Actions          | Updated (UTC)
cli-web-cli | Ready      | Preview, Comment | Apr 9, 2026 0:38am


@AndyTWF AndyTWF requested a review from umair-ably April 9, 2026 12:31
@AndyTWF AndyTWF marked this pull request as ready for review April 9, 2026 12:37
The transitive dependency smol-toml (<1.6.1) via @vercel/node had a
moderate DoS vulnerability (GHSA-v3rj-xjv7-4jmq). Adding a pnpm
override forces resolution to the patched version.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@claude-code-ably-assistant

Walkthrough

This PR fixes a moderate DoS vulnerability (GHSA-v3rj-xjv7-4jmq) in the transitive dependency smol-toml (versions below 1.6.1), which was pulled in via @vercel/node → @vercel/build-utils → @vercel/python-analysis. A pnpm.overrides entry forces resolution to the patched version (>=1.6.1), and pnpm audit now reports no known vulnerabilities.

Changes

Area   | Files          | Summary
Config | package.json   | Adds pnpm.overrides entry to pin smol-toml to >=1.6.1
Config | pnpm-lock.yaml | Lockfile updated to reflect the forced resolution

Review Notes

  • No breaking changes — this is a pure dependency override with no code changes.
  • No new direct dependencies — the override only constrains an existing transitive dependency.
  • No tests needed — the change is limited to dependency resolution; no runtime behavior is affected.
  • Security context: smol-toml <1.6.1 is vulnerable to a ReDoS (Regular Expression DoS) attack. The patched version 1.6.1 is a drop-in fix with no API changes.
  • Scope of @vercel/node: Verify that @vercel/node is only a dev/build dependency (not bundled into the published npm package), so end-users of @ably/cli are not transitively exposed.

Generated by Claude Code


@claude-code-ably-assistant claude-code-ably-assistant bot left a comment


Review Summary

This is a clean, targeted security fix. No source code, commands, tests, or utilities changed — only package.json and pnpm-lock.yaml.

What changed:

  • Added a pnpm override "smol-toml@<1.6.1": "1.6.1" to force the patched version for any transitive dependency requesting a vulnerable range
  • Lockfile consistently updated: smol-toml@1.5.2 removed, all references point to 1.6.1
  • The vulnerable path (@vercel/node → @vercel/build-utils → @vercel/python-analysis → smol-toml) is correctly resolved

No issues found. The fix is correct, minimal, and consistent with the existing override pattern already used in this repo (see the esbuild, ajv, js-yaml entries above it). Ready to merge.
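The override mechanism described in the PR summary and the two checks the review notes ask for (that the lockfile really resolves smol-toml to the patched version, and that @vercel/node is dev/build scope only), as an added worked example that is not part of this PR or the repository's own tooling. It assumes the pnpm lockfile layout in which package entries sit two-space indented under packages: (v9 style smol-toml@1.6.1: or v6 style /smol-toml@1.6.1:); the package.json and pnpm-lock.yaml snippets inside it are constructed samples, and the @vercel/node and @vercel/python-analysis version numbers in them are placeholders, not the repo's real files.

```python
"""Checks for a pnpm override that pins a vulnerable transitive dependency.

Added example, not the repository's own code. Verifies three things the
review notes ask for, against constructed package.json / pnpm-lock.yaml
samples (not the real files from this PR):
  1. package.json carries pnpm.overrides["smol-toml@<1.6.1"] pointing at
     a version >= 1.6.1 (the patched release);
  2. every smol-toml package entry in the lockfile resolves to >= 1.6.1;
  3. @vercel/node is listed under devDependencies only, so the published
     package does not ship the vulnerable path to end users.
"""
import json
import re

PATCHED = (1, 6, 1)  # smol-toml release that fixes GHSA-v3rj-xjv7-4jmq

# --- constructed samples (assumption: layout mirrors pnpm lockfile v9) ---
PACKAGE_JSON_BEFORE = json.dumps({
    "name": "example-cli",
    "devDependencies": {"@vercel/node": "5.0.0"},  # placeholder version
})
PACKAGE_JSON_AFTER = json.dumps({
    "name": "example-cli",
    "devDependencies": {"@vercel/node": "5.0.0"},  # placeholder version
    "pnpm": {"overrides": {"smol-toml@<1.6.1": "1.6.1"}},
})
LOCK_BEFORE = """\
lockfileVersion: '9.0'

packages:

  smol-toml@1.5.2:
    resolution: {integrity: sha512-CONSTRUCTED}

snapshots:

  '@vercel/python-analysis@1.0.0':
    dependencies:
      smol-toml: 1.5.2
"""
LOCK_AFTER = """\
lockfileVersion: '9.0'

overrides:
  smol-toml@<1.6.1: 1.6.1

packages:

  smol-toml@1.6.1:
    resolution: {integrity: sha512-CONSTRUCTED}

snapshots:

  '@vercel/python-analysis@1.0.0':
    dependencies:
      smol-toml: 1.6.1
"""


def parse_version(text):
    """'1.6.1', '^1.6.1' or '1.6.1-rc.1' -> (1, 6, 1)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no semver triple in {text!r}")
    return tuple(int(x) for x in m.groups())


def override_present(package_json):
    """True if pnpm.overrides maps the vulnerable range to a patched version."""
    data = json.loads(package_json)
    target = data.get("pnpm", {}).get("overrides", {}).get("smol-toml@<1.6.1")
    return target is not None and parse_version(target) >= PATCHED


def lockfile_smol_toml_versions(lock_yaml):
    """Versions of smol-toml that the lockfile's packages section resolves."""
    # Package keys sit at two-space indent: 'smol-toml@1.6.1:' (v9) or
    # '/smol-toml@1.6.1:' (v6). Deeper-indented 'smol-toml: 1.6.1' lines in
    # snapshots are dependency edges, not resolutions, so they are skipped.
    pattern = re.compile(r"^ {2}/?smol-toml@(\d+\.\d+\.\d+)")
    return [m.group(1) for line in lock_yaml.splitlines()
            if (m := pattern.match(line))]


def lockfile_resolved_safely(lock_yaml):
    """True only if smol-toml is present and every resolution is patched."""
    versions = lockfile_smol_toml_versions(lock_yaml)
    return bool(versions) and all(parse_version(v) >= PATCHED for v in versions)


def vercel_node_scope(package_json):
    """'runtime' if @vercel/node would ship to consumers, 'dev' if build-only."""
    data = json.loads(package_json)
    if "@vercel/node" in data.get("dependencies", {}):
        return "runtime"
    if "@vercel/node" in data.get("devDependencies", {}):
        return "dev"
    return "absent"


if __name__ == "__main__":
    for label, pkg, lock in (("before", PACKAGE_JSON_BEFORE, LOCK_BEFORE),
                             ("after", PACKAGE_JSON_AFTER, LOCK_AFTER)):
        print(label, "override:", override_present(pkg),
              "lock safe:", lockfile_resolved_safely(lock),
              "@vercel/node scope:", vercel_node_scope(pkg))
```

Run against a real checkout by reading package.json and pnpm-lock.yaml into the functions instead of the constructed strings; the "before" sample fails all three checks and the "after" sample passes them, which is the state pnpm audit reports as clean once the override is applied.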

@AndyTWF AndyTWF enabled auto-merge April 9, 2026 12:40
@AndyTWF AndyTWF merged commit a5d60f9 into main Apr 9, 2026
11 checks passed
@AndyTWF AndyTWF deleted the audit-fix branch April 9, 2026 12:46