Skip to content

fix(deps): address Dependabot alerts #63/#70/#71#1048

Merged
accius merged 3 commits into
accius:Stagingfrom
ceotjoe:fix/dependabot-63-70-71
Jun 1, 2026
Merged

fix(deps): address Dependabot alerts #63/#70/#71#1048
accius merged 3 commits into
accius:Stagingfrom
ceotjoe:fix/dependabot-63-70-71

Conversation

@ceotjoe
Copy link
Copy Markdown
Collaborator

@ceotjoe ceotjoe commented May 31, 2026

Summary

  • Bumps axios 1.15.2 → 1.16.1 — fixes prototype pollution vulnerabilities (MITM, header injection, proxy bypass, DoS) — high severity
  • Bumps ws 8.19.0 → 8.21.0 — fixes uninitialized memory disclosure
  • Bumps express 4.22.1 → 4.22.2, qs 6.14.2 → 6.15.2, body-parser 1.20.4 → 1.20.5 — fixes DoS via null entries in comma-format arrays
  • Also resolves transitive brace-expansion DoS and ip-address XSS picked up in the same pass

Closes Dependabot alerts #63, #70, #71. All bumps are within already-declared semver ranges — no breaking changes.

Test plan

  • npm audit reports 0 vulnerabilities after fix
  • Full test suite passes (945 tests, 0 failures in project files)

🤖 Generated with Claude Code

ceotjoe and others added 3 commits May 31, 2026 18:17
@ceotjoe @claude
fix(deps): upgrade tmp to 0.2.7 to fix CVE-2026-44705
3c953bf 
Resolves Dependabot alert accius#68. The tmp package had a path traversal
vulnerability (GHSA-ph9p-34f9-6g65) in versions < 0.2.6. Updated the
lock file so the transitive dep from tmp-promise resolves to 0.2.7.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@ceotjoe @claude
fix(deps): address Dependabot alerts accius#63/accius#70/accius#71
084113e 
Bump axios 1.15.2→1.16.1 (prototype pollution MITM/header-injection/proxy-bypass, high),
ws 8.19.0→8.21.0 (uninitialized memory disclosure), express 4.22.1→4.22.2 + qs 6.14.2→6.15.2
+ body-parser 1.20.4→1.20.5 (DoS via null entries in comma-format arrays).

Also fixes transitive brace-expansion DoS and ip-address XSS picked up in the same pass.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@ceotjoe @claude
fix(deps): fix Dependabot accius#71 in rig-bridge lock file
7216949 
Bump rig-bridge transitive deps: express→4.22.2, qs→6.15.2,
body-parser→1.20.5, ws→8.21.0 via npm audit fix.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@ceotjoe
Copy link
Copy Markdown
Collaborator Author

ceotjoe commented May 31, 2026

@accius I tried to fix a few dep findings, in case you think it is too risky for the next release leave it.

accius
accius approved these changes Jun 1, 2026
View reviewed changes
Copy link
Copy Markdown
Owner

@accius accius left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed the diff. All changes are pure package-lock.json updates within already-declared semver ranges — no package.json or app code touched, which is the right scope for a Dependabot-style triage.

  • axios 1.15.2 → 1.16.1: closes the prototype-pollution / proxy-bypass advisories
  • ws 8.19.0 → 8.21.0: closes the uninitialized-memory disclosure
  • express 4.22.1 → 4.22.2 / qs / body-parser bumps: closes the qs DoS chain
  • Transitive brace-expansion and ip-address picked up in the same pass — fine

One thing worth knowing: the axios bump pulls in a transitive https-proxy-agent@5.0.1 + agent-base@6.0.2 under node_modules/axios/. That's axios narrowing its own proxy path; nothing in our code wires HTTPS_PROXY, so it's effectively dormant.

CI is green, no app diff. Good to merge.

K0CJH

@accius accius merged commit 1d251c1 into accius:Staging Jun 1, 2026
6 checks passed
@accius accius mentioned this pull request Jun 2, 2026
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@accius accius accius approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ceotjoe @accius