fix(deps): resolve high-severity audit findings (fixes DOC-311) #1085

Merged. scopsy merged 3 commits into main from cursor/package-security-vulnerabilities-e9b2, May 10, 2026

@cursor cursor Bot commented May 10, 2026

Linear

DOC-311 — Docs: resolve pnpm audit vulnerabilities (seroval, next, @novu/api)

Summary

Addresses three high severity items from pnpm audit using the strategies noted below. pnpm build succeeds on Next.js 15.5.18.

1. seroval (transitive via @novu/js > solid-js)

  • Advisories: multiple GHSA entries for seroval < 1.4.1 (e.g. GHSA-66fc-rw6m-c2q6).
  • Strategy: B - pnpm.overrides: "seroval@<1.4.1": "^1.4.1" (lockfile resolves to 1.5.4).

2. next

  • Advisories: including GHSA-h25m-26qc-wcjf, GHSA-q4gf-8mx6-v5v3, and other patched Next.js advisories cleared by 15.5.x.
  • Strategy: A — direct updates: next 15.2.8 → 15.5.18, eslint-config-next 15.5.18, @next/third-parties ^15.5.18.

3. @novu/api

  • Advisory: GHSA-4x48-cgf9-q33f (patched >=3.15.0).
  • Strategy: A — direct update 3.14.4 → 3.15.0.

Verification

  • pnpm audit --json: targeted advisory IDs for the above packages are no longer reported for those dependency paths.
  • pnpm build: completed successfully.

Commits

Three conventional commits on this branch, each scoped to one vulnerability area.

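The verification step described above, as an added example (not code from this PR or the Novu project): a JavaScript check that the targeted GHSA IDs no longer appear on any dependency path in a saved `pnpm audit --json` report. The npm-v6 style report shape (`advisories` keyed by id, with `github_advisory_id`, `url` and `findings[].paths`) is an assumption, and the sample report, its version numbers and the `example-pkg` entry are constructed.

```javascript
// Advisory IDs named in this PR's description.
const TARGETS = [
  "GHSA-66fc-rw6m-c2q6", "GHSA-h25m-26qc-wcjf",
  "GHSA-q4gf-8mx6-v5v3", "GHSA-4x48-cgf9-q33f",
];

// Constructed sample (not real audit output), in the assumed report shape.
const sampleReport = {
  advisories: {
    "1001": {
      module_name: "seroval",
      github_advisory_id: "GHSA-66fc-rw6m-c2q6",
      findings: [{ version: "1.3.0", paths: [".>@novu/js>solid-js>seroval"] }],
    },
    "1002": { // placeholder package and advisory id, unrelated to the targets
      module_name: "example-pkg",
      url: "https://github.com/advisories/GHSA-xxxx-xxxx-xxxx",
      findings: [{ version: "0.1.0", paths: [".>example-pkg"] }],
    },
  },
};

// Normalised GHSA id for an advisory, falling back to the id embedded in its URL.
function ghsaOf(advisory) {
  const raw = advisory.github_advisory_id || advisory.url || "";
  const m = /GHSA(-[0-9a-z]{4}){3}/i.exec(raw);
  return m ? m[0].toLowerCase() : null;
}

// Every dependency path on which a targeted advisory is still reported.
function remainingFindings(report, targetIds) {
  // A report without an advisories map is a failed audit, not a clean one.
  if (!report || typeof report.advisories !== "object" || report.advisories === null) {
    throw new Error("audit report has no advisories map; treat as failed audit");
  }
  const wanted = new Set(targetIds.map((id) => id.toLowerCase()));
  const hits = [];
  for (const adv of Object.values(report.advisories)) {
    const id = ghsaOf(adv);
    if (!id || !wanted.has(id)) continue;
    for (const finding of adv.findings || []) {
      for (const path of finding.paths || []) {
        hits.push({ id, module: adv.module_name, version: finding.version, path });
      }
    }
  }
  return hits;
}
```

In CI, pass the parsed report to `remainingFindings` and fail the job when the returned list is non-empty; matching on dependency paths shows whether an override reached every transitive copy of the package.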

cursoragent and others added 3 commits May 10, 2026 06:02
Advisory: GHSA-66fc-rw6m-c2q6 (and related seroval GHSA entries).
Strategy B: pnpm override seroval@<1.4.1 -> ^1.4.1 for transitive chain via @novu/js > solid-js.

Co-authored-by: Dima Grossman <dima@grossman.io>
Advisories: GHSA-h25m-26qc-wcjf, GHSA-q4gf-8mx6-v5v3 (and related patched Next.js advisories).
Strategy A: direct dependency update next 15.2.8 -> 15.5.18, eslint-config-next and @next/third-parties aligned.

Co-authored-by: Dima Grossman <dima@grossman.io>
Advisory: GHSA-4x48-cgf9-q33f
Strategy A: direct dependency update @novu/api 3.14.4 -> 3.15.0.

Co-authored-by: Dima Grossman <dima@grossman.io>

linear-code Bot commented May 10, 2026

DOC-311

netlify Bot commented May 10, 2026

Deploy Preview for docs-novu ready!

Name Link
🔨 Latest commit 5d7e228
🔍 Latest deploy log https://app.netlify.com/projects/docs-novu/deploys/6a00205e11eb330008064bd6
😎 Deploy Preview https://deploy-preview-1085--docs-novu.netlify.app

@scopsy scopsy marked this pull request as ready for review May 10, 2026 06:38
@scopsy scopsy merged commit 6f4087e into main May 10, 2026
7 checks passed
@scopsy scopsy deleted the cursor/package-security-vulnerabilities-e9b2 branch May 10, 2026 06:38