v0.24.1 — pin qs + hono past their advisories (bun audit: 10 → 0)
bun audit: 10 findings → zero
qs and hono are now pinned past their advisories via an overrides block.
Both arrived transitively through @modelcontextprotocol/sdk:
sdk › express › body-parser › qs moderate — remotely triggerable DoS
sdk › @hono/node-server › hono 1 high + 8 moderate
The high was GHSA-88fw-hqm2-52qc — hono's CORS middleware reflecting any Origin with credentials when origin defaults to the wildcard.
Reachability — checked before fixing, not assumed
Neither package is ever loaded by captain-memo.
- We import exactly two SDK entrypoints:
server/stdio.js(the MCP server) andserver/webStandardStreamableHttp.js(the worker gateway). Neither imports express or hono — the WebStandard transport is plain fetchRequest/Response. - The SDK's express-dependent code lives in
server/express.jsandserver/auth/*, which we never import. - The gateway is served by
Bun.serve, not express. - No file under
src/orbin/references express, hono, or qs.
So these advisories were not exploitable here.
Fixed anyway
"Unreachable today" is a property of the current import graph, not a guarantee. A future HTTP or auth code path would have silently inherited a known-vulnerable CORS middleware, and nothing would have flagged it. The overrides block makes the fix hold regardless of what we import later — and it keeps bun audit at zero, so a real finding can't hide among ten dismissible ones.
Bumping the SDK wouldn't have helped: it's already at latest (1.29.0) and still resolves the vulnerable ranges. Both overrides are semver-compatible patches within the existing major (qs 6.15.1 → 6.15.3, hono 4.12.18 → 4.12.30).
Suite: 1095/1095. Typecheck clean.