chore(deps-npm): bump next 14.2.15 → 14.2.35 + postcss override (Phase 5, partial #41)#194
Merged
…e 5, partial #41)

Partial progress on issue #41 (Next.js 14.2 → 16 CVE refresh) via a within-branch patch bump that closes the 8 advisories #41 originally itemized at filing time, without breaking-change migration.

Changes:
- frontend/package.json: next 14.2.15 → 14.2.35
- frontend/package.json: eslint-config-next 14.2.15 → 14.2.35 (lockstep with next minor; same major-pin convention)
- frontend/package.json: postcss 8.4.38 → 8.5.15 (direct devDep)
- frontend/package.json: new "overrides": { "postcss": "8.5.15" } (forces next's nested exact-pin postcss@8.4.31 to lift transitively — closes XSS advisory GHSA-qx2v-qp2m-jg93)
- frontend/package-lock.json: regenerated (147 lines, net -91 via dedupe)

CVEs closed by this PR (8 of next's original advisories):
- GHSA-7m27-7ghc-44w9 DoS Server Actions (fix <14.2.21)
- Info exposure in dev server (fix <14.2.30)
- Cache key confusion next/image (fix <14.2.31)
- Improper middleware redirect SSRF (fix <14.2.32)
- Content injection next/image (fix <14.2.31)
- Race condition cache poisoning (fix <14.2.24)
- DoS Server Components CVSS 7.5 (fix <14.2.34)
- DoS Server Components incomplete-fix follow-up (fix <14.2.35)
- postcss XSS via </style> stringify (fix <8.5.10)

Issue #41 STAYS OPEN. 14 new `next` advisories surfaced on the npm advisory DB between 2026-05-13 (issue filed) and 2026-05-22 (this PR), ALL requiring `<15.5.16` to fix — none have a 14.2.x backport. All 14 target SSR / Server-Components / middleware / runtime features QuantRank doesn't use (we ship static export only, no SSR runtime, no middleware, no rewrites). Real exploitability for the static-export site remains zero per #41's own original risk rating, but `npm audit` cannot infer the static-export posture so the advisories still surface in CI. The remaining 14 → 16 migration (App Router async APIs + React 18 → 19 typing + Node 20+ + eslint-config-next 16.x) is release-tag-cleanliness, not security-critical.

Dependency-auditor verdict 2026-05-22: SAFE-TO-MERGE as a focused patch PR. Confirmed zero breaking changes in 14.2.15 → 14.2.35 range (Next.js public changelog: 14.2.x is security-only releases; no App Router API changes, no next.config.js renames, no static-export pipeline changes).

Verification:
- ruff check . — clean
- python -m pytest tests/ -m "not network" -q — 1059/1059 passed
- npx tsc --noEmit — clean
- npx next build — clean, all 506 static routes generated
- npm install — lockfile regenerated without conflict
- npm audit --omit=dev — original 8 + postcss CVEs all closed

No compute / schema / scoring / valuation / Python code change — frontend dep-bump only. CLAUDE.md + AGENTS.md lockstep entries added; two prior in-flight entries (PR #185 dependabot config) updated to "merged".
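As an added example (not code from the QuantRank repository or from this PR): the effect of the `overrides` entry can be checked offline from the lockfile alone, by walking the `packages` map of a lockfileVersion 3 `package-lock.json` and reporting every installed copy of postcss that is still below the advisory's fix floor. The two lockfiles below are constructed to mirror the before/after states the commit message describes (next's nested exact pin at 8.4.31, the fix floor at 8.5.10); the function names and the lockfile contents are assumptions, not taken from the repo.

```python
"""Report installed copies of an npm package that sit below an advisory's fix version.

Added example, not part of the QuantRank repo. It reads a v2/v3 package-lock.json
("packages" map) and finds every copy of a package, including nested copies such as
node_modules/next/node_modules/postcss, whose version is older than the fix floor.
That is the same walk `npm audit` performs, but it runs with no network and makes the
override's effect verifiable in CI from the committed lockfile.
"""
import json
import re


def parse_semver(version):
    """Return (major, minor, patch) for an 'x.y.z' string; pre-release/build tags are ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(x) for x in m.groups())


def installed_copies(lock, name):
    """Yield (install_path, version) for every copy of `name` in the lockfile.

    Keys in "packages" look like "node_modules/postcss" (top-level, hoisted) or
    "node_modules/next/node_modules/postcss" (nested copy kept for an exact pin).
    """
    suffix = "node_modules/" + name
    for path, meta in lock.get("packages", {}).items():
        if path == suffix or path.endswith("/" + suffix):
            yield path, meta["version"]


def vulnerable_copies(lock, name, fixed_in):
    """Return [(path, version)] for copies of `name` older than `fixed_in`."""
    floor = parse_semver(fixed_in)
    return [(p, v) for p, v in installed_copies(lock, name) if parse_semver(v) < floor]


# Constructed lockfile: direct devDep postcss@8.5.15 is hoisted, but next's exact
# pin on postcss@8.4.31 keeps a second, vulnerable copy nested under node_modules/next.
LOCK_BEFORE = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"next": "14.2.35"}, "devDependencies": {"postcss": "8.5.15"}},
    "node_modules/postcss": {"version": "8.5.15"},
    "node_modules/next": {"version": "14.2.35", "dependencies": {"postcss": "8.4.31"}},
    "node_modules/next/node_modules/postcss": {"version": "8.4.31"}
  }
}""")

# Constructed lockfile after adding "overrides": {"postcss": "8.5.15"} to package.json
# and regenerating: the nested copy is gone, next resolves to the hoisted 8.5.15.
LOCK_AFTER = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"next": "14.2.35"}, "devDependencies": {"postcss": "8.5.15"},
         "overrides": {"postcss": "8.5.15"}},
    "node_modules/postcss": {"version": "8.5.15"},
    "node_modules/next": {"version": "14.2.35", "dependencies": {"postcss": "8.4.31"}}
  }
}""")


if __name__ == "__main__":
    # Fix floor 8.5.10 is the postcss advisory's "fix <8.5.10" boundary.
    for label, lock in (("before override", LOCK_BEFORE), ("after override", LOCK_AFTER)):
        bad = vulnerable_copies(lock, "postcss", "8.5.10")
        print(f"{label}: {bad if bad else 'no copies below 8.5.10'}")
```

Pointing `vulnerable_copies` at a real lockfile (`json.load(open("frontend/package-lock.json"))`) gives a one-line CI gate that fails while any nested copy remains, independent of whether `npm audit` has network access or understands the site's static-export posture.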
dackclup pushed a commit that referenced this pull request on May 22, 2026
…charts/eslint-config-next majors

Durable YAML backstop after Dependabot's first wave (2026-05-22) filed 4 major-bump PRs from the config that landed in PR #185:
- PR #190 `eslint 8.57.0 → 10.4.0` — frontend build FAILED (eslint 9+ flat config breaks `eslint-config-next 14.2.x` legacy `.eslintrc`)
- PR #191 `typescript 5.4.5 → 6.0.3` — frontend build FAILED (TS6 strict-mode + new lib.dom typings surface previously-silent `any`-flow issues)
- PR #192 `@types/node 20.12.7 → 25.9.1` — GREEN (type-only metadata; pending user authorize merge)
- PR #193 `recharts 2.12.7 → 3.8.1` — frontend build FAILED (recharts 3 restructured chart-component API; needs touching all 4 chart surfaces in one scoped migration)

PR #190 / #191 / #193 closed via `@dependabot ignore this major version` comment commands.

This PR adds the same 3 deps PLUS `eslint-config-next` to `.github/dependabot.yml`'s `ignore:` block as a durable YAML-level backstop — survives Dependabot server resets and per-PR comment-ignore-history garbage collection. Total npm ignore entries grow 5 → 9 (existing React-stack: `next`, `react`, `react-dom`, `@types/react`, `@types/react-dom`; new: `eslint`, `eslint-config-next`, `typescript`, `recharts`).

Minor + patch + security updates on ALL these packages STILL file automatically — the ignore only blocks `version-update:semver-major` transitions. Issue #41 still owns the scoped breaking-change migration for the React-stack majors. `recharts 3` would be a separate chart-library migration work item if/when it becomes priority (no security advisories on 2.12.7, so cosmetic-only).

No compute / schema / scoring / valuation / Python / TypeScript / frontend code change — `.github/` + docs lockstep only. Also fixes a stale "in flight" → "merged" reference for PR #185 + adds PR #194 cross-link in CLAUDE.md §Phase status.

Verification: ruff clean; YAML parses to v2 with 3 ecosystems and 9 npm ignore entries.
dackclup added a commit that referenced this pull request on May 22, 2026
…charts/eslint-config-next majors (#195)

Durable YAML backstop after Dependabot's first wave (2026-05-22) filed 4 major-bump PRs from the config that landed in PR #185:
- PR #190 `eslint 8.57.0 → 10.4.0` — frontend build FAILED (eslint 9+ flat config breaks `eslint-config-next 14.2.x` legacy `.eslintrc`)
- PR #191 `typescript 5.4.5 → 6.0.3` — frontend build FAILED (TS6 strict-mode + new lib.dom typings surface previously-silent `any`-flow issues)
- PR #192 `@types/node 20.12.7 → 25.9.1` — GREEN (type-only metadata; pending user authorize merge)
- PR #193 `recharts 2.12.7 → 3.8.1` — frontend build FAILED (recharts 3 restructured chart-component API; needs touching all 4 chart surfaces in one scoped migration)

PR #190 / #191 / #193 closed via `@dependabot ignore this major version` comment commands.

This PR adds the same 3 deps PLUS `eslint-config-next` to `.github/dependabot.yml`'s `ignore:` block as a durable YAML-level backstop — survives Dependabot server resets and per-PR comment-ignore-history garbage collection. Total npm ignore entries grow 5 → 9 (existing React-stack: `next`, `react`, `react-dom`, `@types/react`, `@types/react-dom`; new: `eslint`, `eslint-config-next`, `typescript`, `recharts`).

Minor + patch + security updates on ALL these packages STILL file automatically — the ignore only blocks `version-update:semver-major` transitions. Issue #41 still owns the scoped breaking-change migration for the React-stack majors. `recharts 3` would be a separate chart-library migration work item if/when it becomes priority (no security advisories on 2.12.7, so cosmetic-only).

No compute / schema / scoring / valuation / Python / TypeScript / frontend code change — `.github/` + docs lockstep only. Also fixes a stale "in flight" → "merged" reference for PR #185 + adds PR #194 cross-link in CLAUDE.md §Phase status.

Verification: ruff clean; YAML parses to v2 with 3 ecosystems and 9 npm ignore entries.

Co-authored-by: Claude <noreply@anthropic.com>
dackclup added a commit that referenced this pull request on May 23, 2026
…literature-searcher injection guard) (#226)

* docs+agent: post-Dependabot-wave doc fixes (W1 FORM4_FETCH_SKIP + W3 literature-searcher prompt-injection guard)

Output from the post-PR-#225 parallel dependency-auditor + security-reviewer spawn (2026-05-23, session 3) — actionable follow-ups from the 15-vuln Dependabot triage.

15-vuln triage outcome (no code change needed):
- All 15 are next@14.2.35 SSR / middleware / Server-Actions / Image-optimization / API-route advisories → ALL route to issue #41 (Next 14→16 migration tracker)
- Static-export exploitability = effectively zero (no SSR runtime, no middleware, no Server Actions, no Image endpoint, no API routes; Vercel CDN serves pre-built static HTML)
- CVE baseline: 25 open (1C/8H/12M/4L) → 15 open (0C/6H/7M/2L) after PR #194's next 14.2.15→14.2.35 + postcss override closed 10
- 14 GHSA IDs confirmed; 1 (7th MODERATE) needs API confirmation when token access is restored — to be appended on issue #41 separately

security-reviewer findings — 0 CRITICAL + 4 WARN; 2 land here, 2 deferred:
- W1 (this PR) — FORM4_FETCH_SKIP=1 operational escape hatch was undocumented anywhere user-facing. Added §Gotchas entry in CLAUDE.md + §Security considerations entry in AGENTS.md describing the env var, where it's set (pre-merge-prod-sim.yml), and the safe default (absence = no skip)
- W3 (this PR) — .claude/agents/literature-searcher.md Hard Constraints lacked an explicit untrusted-content guard against prompt injection in fetched papers / SEC HTML. Added a constraint that treats every WebFetch result as data to QUOTE + CITE, never to execute — handles "ignore previous instructions" / "fetch this other URL" / "modify your output" injection vectors
- W2 deferred — compute-rankings.yml workflow-level contents:write is pre-existing + justified (commit-JSON step is the only writer); narrowing to job-scope is a future optimization
- W4 deferred — log-bash.sh logs raw bash command (including inline env-var values) to gitignored .claude/session.log; severity low because file is gitignored + local-only; optional sed-scrub later

Doc-only — no compute / schema / scoring / valuation / frontend / Python / TS code change. CLAUDE.md + AGENTS.md lockstep satisfied (both touched; §Phase status in-flight note added).

https://claude.ai/code/session_01JwntEE4PNAXSMkZxRA9BB4

* docs(CLAUDE): polish #226 review nit — future-tense → present-tense + date

docs-reviewer verdict on PR #226 (commit 35942ea) was PASS-AS-IS with one optional clarity nit (CLAUDE.md §Phase status in-flight block, line 1447):

before: "1 (the 7th MODERATE) needs Dependabot-alerts-API confirmation when token access is restored."
after: "1 (the 7th MODERATE) — Dependabot-alerts-API confirmation pending (token access unavailable as of 2026-05-23)."

§Conventions rule: replace future-tense for unfinished work with present-tense + date so the doc doesn't rot when the "when X happens" clause becomes irrelevant. No substance change. No new file touched.

https://claude.ai/code/session_01JwntEE4PNAXSMkZxRA9BB4

---------

Co-authored-by: Claude <noreply@anthropic.com>
dackclup added a commit that referenced this pull request on May 27, 2026
…AUDE.md (#271)

Refactors a user-shared research report (Master Prompt + 6 phase sub-prompts + CLAUDE.md template) into the existing doc surface without creating a new .claude/skills/agentic-6-phase/ skill. The report's underlying logic is already implemented in the 18 subagents + CLAUDE.md §Auto-routing; what was genuinely missing was a 6-phase mapping table a new session can scan in < 30 sec on top of the 9 phases.

Scope (2 substance files + 1 INFLIGHT entry):
- WORKFLOW.md — new section "Agentic 6-Phase Cadence" between §"Tools You'll Use Daily" and §"Phase Overview". Mapping table (Step × Fire trigger × Subagent(s) × Done when) over Planning → Code Gen → Integration → Test → Deploy → Monitor + 5 cadence invariants. Reuses the 18 standing subagents — no new agent files. Session-start protocol cites schema 0.10.5-phase4.5e (PRs #264 + #265; cron #4 still at 0.10.4, next cron Wed 2026-05-27 re-renders at 0.10.5), defense layer 33 declared = 7 vetoes + 26 annotates, tag v1.3.0-phase4.5e, CVE baseline 15 open (0C / 6H / 7M / 2L) after PR #194 patch + PR #226 triage.
- CLAUDE.md — new §Conventions bullet "Session-start phase identification" (~5 lines) pointing readers at PHASE_STATUS.md §"Current state" + WORKFLOW.md §"Agentic 6-Phase Cadence" using the standing 18 subagents.
- PHASE_STATUS_INFLIGHT.md — new in-flight entry per PR #237 side-file lockstep convention.

Out of scope (deliberately NOT done per user direction 2026-05-27):
- NO .claude/skills/agentic-6-phase/ — overhead exceeds benefit
- NO Master Prompt / phase sub-prompts copied into the repo
- NO edits to any of the 18 subagent files under .claude/agents/
- NO AGENTS.md substance edit — the cadence is Claude-Code-subagent-specific; cross-tool agents would route differently. INFLIGHT entry satisfies §Conventions "ship with every PR" lockstep.

docs-reviewer verdict (2026-05-27, agent id a2c87ed3679f55fe5): NEEDS-CROSS-REF-FIX — both items applied in this commit:
1. CVE attribution: "after PR #226 triage" → "after PR #194 patch + PR #226 triage" (PR #194 closed the 10 advisories; PR #226 documented the resulting state)
2. Step 4 fire-trigger col: "Sections A-J" → "Sections A-L" (Section L added by PR #221 OSAP proxy invariant; internal match with the same row's Done-when col)

All else passes: 4 cited numbers, 18 agent names, 3 cross-refs, token budget (WORKFLOW ≤ 1 page, CLAUDE ≤ 5 lines), Rule 16 + Rule 18 no contradiction.

Pre-existing SKILL.md schema-version table gap (rows for 0.10.5-phase4.5e PR #264 + valuation_output_anomalous rename PR #265 missing) escalated to schema-sentinel as separate doc-only PR per docs-reviewer recommendation — not blocking on this scope.

Verification:
- ruff check . — N/A (no Python)
- python -m compute.output.schema_check — N/A (no schemas)
- pytest tests/ -m "not network" — N/A (no test surface)
- docs-reviewer subagent — PASS after the 2 fixes above

Co-authored-by: Claude <noreply@anthropic.com>
## Summary

Partial progress on issue #41 (Next.js 14.2 → 16 CVE refresh) via a within-branch patch bump. Closes the 8 advisories #41 originally itemized at filing time without any breaking-change migration.

- `next` 14.2.15 → 14.2.35
- `eslint-config-next` 14.2.15 → 14.2.35 (lockstep with `next` minor; same exact-pin convention)
- `postcss` 8.4.38 → 8.5.15 (devDep), above the `<8.5.10` advisory floor
- new `overrides` block `{ "postcss": "8.5.15" }` forces next's nested `postcss@8.4.31` to lift transitively

## CVEs closed by this PR

8 `next` advisories + 1 postcss advisory — all on production deps:

- `GHSA-7m27-7ghc-44w9` DoS Server Actions (fix <14.2.21)
- `GHSA-qx2v-qp2m-jg93` postcss XSS via `</style>` stringify (fix <8.5.10)

## Issue #41 STAYS OPEN

14 new `next` advisories surfaced on the npm advisory DB between 2026-05-13 (issue filed) and 2026-05-22 (this PR), ALL requiring `<15.5.16` to fix — none with a 14.2.x backport. All 14 target SSR / Server-Components / middleware / runtime features QuantRank doesn't use (static export only — no SSR runtime, no middleware, no rewrites). Real exploitability remains zero per #41's own original risk rating, but `npm audit` can't infer the static-export posture so the advisories still surface.

The remaining 14 → 16 migration (App Router async APIs + React 18 → 19 typing + Node 20+ + eslint-config-next 16.x) is release-tag-cleanliness, not security-critical.

## `dependency-auditor` verdict (2026-05-22)

SAFE-TO-MERGE as a focused patch PR. Confirmed zero breaking changes in 14.2.15 → 14.2.35 range (Next.js 14.2.x is security-only releases; no App Router API changes, no `next.config.js` renames, no static-export pipeline changes).

## Test plan

- `ruff check .` — clean
- `python -m pytest tests/ -m "not network" -q` — 1059/1059 passed
- `cd frontend && npx --no -- tsc --noEmit` — clean
- `cd frontend && npx --no -- next build` — clean, all 506 static routes generated
- `npm install` — lockfile regenerated without conflict (net -91 lines via dedupe)
- `npm audit --omit=dev` — original 8 + postcss CVEs all closed (1 high residual = the 14 new post-filing CVEs requiring the 15+ migration tracked in #41, "Bump Next.js 14.2 → 16 (security CVEs + dep refresh)")

## CLAUDE.md + AGENTS.md lockstep

Both touched. Two prior in-flight entries (PR #185 dependabot config) updated to "merged".
https://claude.ai/code/session_01HHo4UHKc9iKKytkKfxfVnA
Generated by Claude Code