Skip to content

v0.24.1 — pin qs + hono past their advisories (bun audit: 10 → 0)

Choose a tag to compare

@kalinbogatzevski kalinbogatzevski released this 14 Jul 21:46

bun audit: 10 findings → zero

qs and hono are now pinned past their advisories via an overrides block.

Both arrived transitively through @modelcontextprotocol/sdk:

sdk › express › body-parser › qs      moderate — remotely triggerable DoS
sdk › @hono/node-server › hono        1 high + 8 moderate

The high was GHSA-88fw-hqm2-52qc — hono's CORS middleware reflecting any Origin with credentials when origin defaults to the wildcard.

Reachability — checked before fixing, not assumed

Neither package is ever loaded by captain-memo.

  • We import exactly two SDK entrypoints: server/stdio.js (the MCP server) and server/webStandardStreamableHttp.js (the worker gateway). Neither imports express or hono — the WebStandard transport is plain fetch Request/Response.
  • The SDK's express-dependent code lives in server/express.js and server/auth/*, which we never import.
  • The gateway is served by Bun.serve, not express.
  • No file under src/ or bin/ references express, hono, or qs.

So these advisories were not exploitable here.

Fixed anyway

"Unreachable today" is a property of the current import graph, not a guarantee. A future HTTP or auth code path would have silently inherited a known-vulnerable CORS middleware, and nothing would have flagged it. The overrides block makes the fix hold regardless of what we import later — and it keeps bun audit at zero, so a real finding can't hide among ten dismissible ones.

Bumping the SDK wouldn't have helped: it's already at latest (1.29.0) and still resolves the vulnerable ranges. Both overrides are semver-compatible patches within the existing major (qs 6.15.1 → 6.15.3, hono 4.12.18 → 4.12.30).

Suite: 1095/1095. Typecheck clean.