
fix(deps): pin fast-uri to 3.1.2 to close GHSA-q3j6-qgpj-74h6 / GHSA-v39h-62p7-jpjc #909

Merged

hittyt merged 1 commit into alibaba:main from Pangjiping:fix/deps-fast-uri-cve-2026-6321 on May 18, 2026

Conversation

@Pangjiping
Collaborator

Summary

Add a pnpm override so the transitive fast-uri (pulled in via openapi-typescript > @redocly/openapi-core > @redocly/ajv) resolves to 3.1.2. The previously locked 3.1.0 is affected by two high-severity advisories:

pnpm audit now reports 0 vulnerabilities for the sdks workspace. docs/ and tests/javascript/ audits are already clean.

Testing

  • Not run (explain why)
  • Unit tests
  • Integration tests
  • e2e / manual verification

Breaking Changes

  • None
  • Yes (describe impact and migration path)

Checklist

  • Linked Issue or clearly described motivation
  • Added/updated docs (if needed)
  • Added/updated tests (if needed)
  • Security impact considered
  • Backward compatibility considered

…v39h-62p7-jpjc

Add a pnpm override so the transitive `fast-uri` (pulled in via
`openapi-typescript > @redocly/openapi-core > @redocly/ajv`) resolves to
3.1.2. The previously locked 3.1.0 is affected by two high-severity
advisories:

- CVE-2026-6321 (GHSA-q3j6-qgpj-74h6): path traversal via percent-encoded
  dot segments in `normalize()` / `equal()`.
- CVE-2026-6322 (GHSA-v39h-62p7-jpjc): host confusion via percent-encoded
  authority delimiters.

`pnpm audit` now reports 0 vulnerabilities for the sdks workspace.
`docs/` and `tests/javascript/` audits are already clean.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
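Two local checks that go beyond `pnpm audit` and confirm that an override of this kind actually took effect, as an added example (not code from the alibaba repository or from this PR). The `package.json` stanza is the assumed shape of the override the PR describes; the PR's own diff is not on the page. Both lockfiles are constructed inline with hypothetical versions and integrity values so the script runs offline, and the `@redocly/ajv` and `openapi-typescript` version numbers in them are placeholders, not the project's real ones.

```javascript
// Added example, not code from the alibaba repository or from this PR: two local
// checks that go beyond `pnpm audit` and confirm an override actually took effect.
// Every lockfile below is constructed inline (hypothetical versions and integrity
// values) so the script runs offline.

// Assumed shape of the override the PR adds (the PR's own diff is not on the page).
const PACKAGE_JSON = {
  name: "sdks",
  pnpm: { overrides: { "fast-uri": "3.1.2" } },
};

// Minimal semver ordering on major.minor.patch; prerelease tags are ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Every version of `pkg` the lockfile resolves, found by scanning the top-level
// `packages:` section for keys such as `  fast-uri@3.1.0:` (lockfile v9) or
// `  /fast-uri@3.1.0:` (v6); a peer-dependency suffix in parentheses is ignored.
// More than one entry for a package means the override did not reach every path.
function resolvedVersions(lockfileText, pkg) {
  const versions = new Set();
  let inPackages = false;
  for (const line of lockfileText.split("\n")) {
    if (/^\S/.test(line)) inPackages = line.startsWith("packages:");
    if (!inPackages) continue;
    const m = line.match(/^ {2}['"]?\/?(\S+?)@([0-9][^('"]*)(?:\(.*\))?['"]?:\s*$/);
    if (m && m[1] === pkg) versions.add(m[2]);
  }
  return [...versions].sort(compareVersions);
}

// pnpm also records active overrides in a top-level `overrides:` block of the
// lockfile, so a lockfile regenerated without the override is caught here even
// when the resolved version happens to be current.
function lockfileHasOverride(lockfileText, pkg, version) {
  let inOverrides = false;
  for (const line of lockfileText.split("\n")) {
    if (/^\S/.test(line)) inOverrides = line.startsWith("overrides:");
    if (!inOverrides) continue;
    const m = line.match(/^ {2}['"]?([^'":]+)['"]?:\s*['"]?([^'"\s]+)['"]?\s*$/);
    if (m && m[1] === pkg && m[2] === version) return true;
  }
  return false;
}

// Verdict for one package: all resolved copies must be at least `minVersion`,
// and the override must be recorded in the lockfile.
function auditPin(lockfileText, pkg, minVersion) {
  const versions = resolvedVersions(lockfileText, pkg);
  const vulnerable = versions.filter((v) => compareVersions(v, minVersion) < 0);
  const pinned = PACKAGE_JSON.pnpm.overrides[pkg];
  return {
    versions,
    vulnerable,
    overrideRecorded: pinned !== undefined && lockfileHasOverride(lockfileText, pkg, pinned),
    ok: versions.length > 0 && vulnerable.length === 0,
  };
}

// Constructed lockfile before the override: fast-uri still locked at 3.1.0.
// Versions other than fast-uri's are placeholders, not the project's real ones.
const LOCK_BEFORE = `lockfileVersion: '9.0'

importers:
  .:
    devDependencies:
      openapi-typescript:
        specifier: ^7.0.0
        version: 7.0.0

packages:

  '@redocly/ajv@8.0.0':
    resolution: {integrity: sha512-constructed}

  fast-uri@3.1.0:
    resolution: {integrity: sha512-constructed}

  openapi-typescript@7.0.0:
    resolution: {integrity: sha512-constructed}
`;

// Constructed lockfile after `pnpm install` with the override in place.
const LOCK_AFTER = LOCK_BEFORE
  .replace("importers:", "overrides:\n  fast-uri: 3.1.2\n\nimporters:")
  .replace("fast-uri@3.1.0:", "fast-uri@3.1.2:");

console.log(JSON.stringify(auditPin(LOCK_BEFORE, "fast-uri", "3.1.2")));
console.log(JSON.stringify(auditPin(LOCK_AFTER, "fast-uri", "3.1.2")));
```

Run it against a real `pnpm-lock.yaml` by reading the file into the `lockfileText` argument; the `resolvedVersions` set is the part `pnpm audit` does not make obvious, since a single override can still leave a second copy behind when a dependency pins an exact version.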

@hittyt hittyt left a comment


LGTM

@hittyt hittyt merged commit de4414a into alibaba:main May 18, 2026
22 checks passed

3 participants