Upgrade dependencies (2026-05-24): 7 security fixes, wrangler 4.94.0 #168

Merged: pokle merged 3 commits into master from claude/fervent-ptolemy-55VDh on May 30, 2026

@pokle pokle commented May 24, 2026

Summary

  • 7 security vulnerabilities fixed: 4 hono (cookie injection, JWT bypass, IPv6 bypass, mount prefix stripping), better-auth (invitation takeover, SSRF, magic link race, OAuth signing), plus transitive qs and ws overrides
  • wrangler 4.87.0 → 4.94.0: TZ=UTC alignment with production, auth stability fixes, D1 improvements, stale tmp cleanup
  • 15 packages upgraded across all workspaces: hono 4.12.22, better-auth 1.6.11, agents 0.13.2, mapbox-gl 3.24.0, vitest-pool-workers 0.16.9, vitest 4.1.7, playwright 1.60.0, katex 0.16.47, and type definitions

Full details in docs/dependency-review-log.md entry for 2026-05-24.

Test plan

  • bun audit — 0 vulnerabilities
  • bun run typecheck:all — all 6 workspace typechecks pass
  • bun run test:all — 411 engine + 251 competition-api + 21 mcp-api tests pass
  • bun run test:e2e — 6 chromium specs pass (comp-creation + user-files-upload)
  • CI branch deploy passes

https://claude.ai/code/session_019G16EEY73BE8QV92YTBWWQ


Generated by Claude Code

claude and others added 2 commits May 24, 2026 21:52
Security: hono 4.12.22 (cookie injection, JWT bypass, IPv6 bypass,
mount prefix stripping), better-auth 1.6.11 (invitation takeover, SSRF,
magic link race, OAuth signing), qs and ws transitive vuln overrides.

Also bumps wrangler 4.87.0→4.94.0 (TZ=UTC alignment, auth stability),
agents 0.12.3→0.13.2, mapbox-gl 3.24.0, vitest-pool-workers 0.16.9,
vitest 4.1.7, playwright 1.60.0, katex 0.16.47, and type definitions.

See docs/dependency-review-log.md entry for 2026-05-24.

https://claude.ai/code/session_019G16EEY73BE8QV92YTBWWQ

@pokle pokle marked this pull request as ready for review May 30, 2026 11:25

Wrangler 4.94.0 has new startup behavior (agent skills detection) that
can make dev server startup slower on CI runners. The deploy pipeline's
E2E tests fail with 30s timeout while branch-deploy passes — increasing
to 60s gives wrangler more headroom on slow runners.

https://claude.ai/code/session_019G16EEY73BE8QV92YTBWWQ
@github-actions

Preview Deployment
https://369eab0a.glidecomp.pages.dev
Commit: 54c86f8

@pokle pokle merged commit 6debf4f into master May 30, 2026
7 checks passed
@pokle pokle deleted the claude/fervent-ptolemy-55VDh branch May 30, 2026 11:43

2 participants