fix(deps): patch security vulnerabilities, bump ponder to 0.16.6 #1897
CodeRabbit walkthrough: This PR updates several dependencies across the monorepo.
Greptile Summary
This PR patches moderate+ security vulnerabilities in three dependencies. Key changes:
Confidence Score: 5/5
Safe to merge: targeted security patch upgrades with no logic changes, confirmed by 1325 passing tests and a clean typecheck. All changes are dependency version bumps with accompanying lock file updates. The upgrade strategy (direct bumps + pnpm.overrides for transitive pins) is consistent with the repo's established pattern. The lock file confirms all three patched packages resolve to their new minimums. The sole finding is a P2 style suggestion to update the stale floor in an existing override, which does not block merge.
package.json — the
| Filename | Overview |
|---|---|
| package.json | Adds drizzle-orm@<0.45.2: ^0.45.2 override to force the patched version for ponder's transitive dependency; the existing ponder>@hono/node-server@<1.19.10: ^1.19.10 override is now stale but harmless since ponder resolves to 1.19.13 in the lock file |
| pnpm-workspace.yaml | Catalog versions bumped — drizzle-orm 0.41.0 → 0.45.2 and hono ^4.12.7 → ^4.12.12 — straightforward and correct |
| packages/ponder-subgraph/package.json | Pins drizzle-orm direct dep at 0.45.2 (was 0.41.0); still an exact pin rather than a range, which means future security patches require manual updates, but this is consistent with the pre-existing pattern |
| apps/ensapi/package.json | Bumps @hono/node-server from ^1.19.10 to ^1.19.13 to patch serveStatic bypass vulnerability |
| apps/ensrainbow/package.json | Bumps @hono/node-server from ^1.19.10 to ^1.19.13 to patch serveStatic bypass vulnerability |
| apps/fallback-ensapi/package.json | Bumps @hono/node-server from ^1.19.10 to ^1.19.13 to patch serveStatic bypass vulnerability |
| pnpm-lock.yaml | Lock file correctly reflects all bumped versions — hono@4.12.12, @hono/node-server@1.19.13, drizzle-orm@0.45.2 — across all importers and snapshots including ponder's transitive dependencies |
Flowchart
```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
A[pnpm audit --audit-level=moderate] --> B{Vulnerabilities Found}
B --> C[drizzle-orm 0.41.0\nSQL injection GHSA-gpj5-g38j-94v9]
B --> D[hono 4.12.7\ncookie and path traversal issues]
B --> E[hono-node-server 1.19.10\nserveStatic bypass GHSA-92pp-h63x-v22m]
C --> F[ponder-subgraph package.json\ndrizzle-orm 0.41.0 to 0.45.2]
C --> G[pnpm-workspace.yaml catalog\ndrizzle-orm 0.41.0 to 0.45.2]
C --> H[root package.json overrides\ndrizzle-orm lt 0.45.2 forces 0.45.2\ncovers ponder transitive dep]
D --> I[pnpm-workspace.yaml catalog\nhono 4.12.7 to 4.12.12]
E --> J[apps/ensapi package.json\n1.19.10 to 1.19.13]
E --> K[apps/ensrainbow package.json\n1.19.10 to 1.19.13]
E --> L[apps/fallback-ensapi package.json\n1.19.10 to 1.19.13]
F & G & H & I & J & K & L --> M[pnpm-lock.yaml updated\nAll deps resolve to patched versions]
M --> N[pnpm audit: 0 moderate+ vulnerabilities]
```
Pull request overview
Updates vulnerable dependencies across the monorepo to versions that address pnpm audit moderate+ findings, primarily by bumping shared catalog versions and adding a pnpm override to break a transitive pin.
Changes:
- Bump drizzle-orm to 0.45.2 and hono to ^4.12.12 via the workspace catalog.
- Bump @hono/node-server to ^1.19.13 in affected apps.
- Add a pnpm override to force drizzle-orm resolution to >=0.45.2 even when transitively pinned lower.
Reviewed changes
Copilot reviewed 6 out of 7 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| pnpm-workspace.yaml | Updates catalog-pinned versions for drizzle-orm and hono. |
| package.json | Adds a pnpm override to force drizzle-orm upgrades for vulnerable transitive ranges. |
| pnpm-lock.yaml | Lockfile refresh reflecting updated drizzle-orm, hono, and @hono/node-server resolutions + overrides. |
| packages/ponder-subgraph/package.json | Updates direct drizzle-orm dependency to 0.45.2. |
| apps/fallback-ensapi/package.json | Bumps @hono/node-server to ^1.19.13. |
| apps/ensrainbow/package.json | Bumps @hono/node-server to ^1.19.13. |
| apps/ensapi/package.json | Bumps @hono/node-server to ^1.19.13. |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
5b4f1a7 to 839daf3
Actionable comments posted: 2
Inline comments:
In `@packages/ponder-subgraph/package.json`:
- Line 47: The package.json currently pins "drizzle-orm" to "0.45.2"; replace
that hard-coded version with the workspace catalog reference used elsewhere in
this repo (follow the same pattern as `@ponder/client` and `@types/node`) so the
dependency consumes the centralized pnpm catalog entry for drizzle-orm; update
the "drizzle-orm" entry in package.json accordingly.
In `@pnpm-workspace.yaml`:
- Around line 22-23: Add `@hono/node-server` to the workspace catalog and switch
the three app manifests (ensapi, ensrainbow, fallback-ensapi) to consume it via
the catalog entry; specifically, add an entry for "@hono/node-server" in the
catalog block with the desired version (match the currently pinned version used
in those apps), then replace the direct pinned dependency in each app manifest
with "catalog:`@hono/node-server`" so all packages use the centralized version.
- hono: ^4.12.7 → ^4.12.12 (cookie, IP matching, path traversal, serveStatic bypass)
- @hono/node-server: ^1.19.10 → ^1.19.13 (serveStatic middleware bypass)
- ponder: 0.16.3 → 0.16.6, @ponder/client: 0.16.3 → 0.16.6, @ponder/utils: 0.2.16 → 0.2.18
- updated stale ponder>@hono/node-server override floor to match patched minimum
- ignored CVE-2026-39356 (drizzle-orm SQL injection via dynamic identifiers) — not exploitable in ENSNode since we use only static Ponder schema objects
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
839daf3 to 21dcf60
Pull request overview
Copilot reviewed 5 out of 6 changed files in this pull request and generated 1 comment.
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
lightwalker-eth left a comment
@shrugs Looks good, thanks 🫡
Summary
patches moderate+ vulnerabilities reported by pnpm audit and bumps ponder to latest:
- ponder>@hono/node-server override floor to match patched minimum (1.19.13)
- ignored
sql.identifier() or .as(). ignored via pnpm.auditConfig.ignoreCves to avoid a fragile drizzle version bump that breaks ponder-subgraph DTS generation.
Test plan
- pnpm audit --audit-level=moderate exits 0 (1 ignored, 0 actionable)
- pnpm typecheck passes all packages
- pnpm test passes (118 files, 1325 tests)
🤖 Generated with Claude Code
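As an added check, not part of this PR or the ENSNode repository, the script below scans the packages: section of a pnpm-lock.yaml and reports any resolution, direct or transitive, that is still below the patched floors this PR sets, which is the property the drizzle-orm override is meant to guarantee for ponder's transitive pin. The lock excerpt, the `PATCHED_MINIMUMS` table and all function names are constructed for the example.

```python
import re

# Constructed excerpt shaped like a pnpm-lock.yaml packages: section (not the real
# ENSNode lock file); keys look like "<name>@<version>(<peers>)".
SAMPLE_LOCK = """\
packages:
  'drizzle-orm@0.41.0(pg@8.13.1)':
    resolution: {integrity: sha512-placeholder}
  'drizzle-orm@0.45.2(pg@8.13.1)':
    resolution: {integrity: sha512-placeholder}
  '@hono/node-server@1.19.13(hono@4.12.12)':
    resolution: {integrity: sha512-placeholder}
  'hono@4.12.12':
    resolution: {integrity: sha512-placeholder}
snapshots:
  'drizzle-orm@0.41.0(pg@8.13.1)': {}
"""

# Patched floors from this PR; a lock entry below any of them means an override
# or catalog bump did not take effect somewhere in the dependency graph.
PATCHED_MINIMUMS = {"drizzle-orm": "0.45.2", "hono": "4.12.12",
                    "@hono/node-server": "1.19.13"}

# Matches a packages: key such as  '@scope/name@1.2.3(peer@4.5.6)':
KEY_RE = re.compile(r"^\s{2}'?((?:@[^/@'\s]+/)?[^@'/\s]+)@(\d+\.\d+\.\d+[^('\s]*)")

def parse_version(v: str) -> tuple[int, ...]:
    """Numeric major.minor.patch only; prerelease tags are deliberately ignored."""
    return tuple(int(p) for p in re.match(r"\d+\.\d+\.\d+", v).group(0).split("."))

def resolved_versions(lock_text: str) -> dict[str, list[str]]:
    """Every version each package resolves to, read from the packages: section only."""
    found: dict[str, list[str]] = {}
    in_packages = False
    for line in lock_text.splitlines():
        if re.match(r"^\S", line):          # top-level key: packages:, snapshots:, ...
            in_packages = line.startswith("packages:")
            continue
        m = KEY_RE.match(line) if in_packages else None
        if m:
            found.setdefault(m.group(1), []).append(m.group(2))
    return found

def unpatched(lock_text: str, minimums: dict[str, str]) -> list[tuple[str, str]]:
    """(package, version) pairs still resolving below their patched floor."""
    bad: list[tuple[str, str]] = []
    for name, versions in resolved_versions(lock_text).items():
        if name in minimums:
            floor = parse_version(minimums[name])
            bad += [(name, v) for v in versions if parse_version(v) < floor]
    return bad
```

Run `unpatched(open("pnpm-lock.yaml").read(), PATCHED_MINIMUMS)` against a real lock file; an empty list means every resolution of the three packages, including ones reached only through ponder, is at or above the patched floor.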