
fix: refresh yarn.lock to upgrade ip-address to ^10.2.0 (CVE-2026-42338) #1189

Merged
brendan-kellam merged 4 commits into main from cursor/fix-cve-2026-42338-1031 on May 9, 2026

Conversation

@brendan-kellam
Contributor

@brendan-kellam brendan-kellam commented May 9, 2026

Fixes SOU-1031

Summary

Addresses CVE-2026-42338 (XSS in ip-address < 10.1.1) by refreshing the lockfile entries that pinned vulnerable transitive versions. No package.json change, no resolutions override.

Why a lockfile refresh, not a resolution override

yarn why ip-address --recursive showed two chains pinning a vulnerable version:

  • @sourcebot/backend → @sentry/profiling-node → … → socks-proxy-agent → socks@2.8.4 → ip-address@9.0.5
  • @sourcebot/web → @modelcontextprotocol/sdk → express-rate-limit@8.3.2 → ip-address@10.1.0 (still < 10.1.1, still vulnerable)

The existing source ranges in those chains (socks: ^2.8.3, express-rate-limit: ^8.2.1) already admit patched versions. The lockfile was simply stale — written before the patched versions existed.

Per CLAUDE.md step 2 (lockfile refresh before resolution override), the fix is to drop the two stale yarn.lock entries and re-resolve:

  Before                                              After
  socks@2.8.4 (deps ip-address@^9.0.5)                socks@2.8.9 (deps ip-address@^10.1.1)
  express-rate-limit@8.3.2 (deps ip-address@10.1.0)   express-rate-limit@8.5.1 (deps ip-address@^10.2.0)

Verification

$ yarn why ip-address
├─ express-rate-limit@npm:8.5.1
│  └─ ip-address@npm:10.2.0 (via npm:^10.2.0)
├─ express-rate-limit@npm:8.5.1 [0cb09]
│  └─ ip-address@npm:10.2.0 (via npm:^10.2.0)
└─ socks@npm:2.8.9
   └─ ip-address@npm:10.2.0 (via npm:^10.1.1)

All three instances on the patched 10.2.0.

Note on the prior approach

The prior commits on this branch (a socks resolution override) only addressed the socks chain — the express-rate-limit chain still pinned ip-address@10.1.0, which is < 10.1.1 and still vulnerable per the GHSA. This commit replaces that with a complete fix.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Bug Fixes
    • Addressed a security vulnerability in a transitive dependency to enhance application security.


Co-authored-by: Brendan Kellam <brendan@sourcebot.dev>
@coderabbitai
Contributor

coderabbitai Bot commented May 9, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6950cc35-5ba6-4551-9b77-2a0fcfe4ec99

📥 Commits

Reviewing files that changed from the base of the PR and between 82660ef and 1fc23a8.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (1)
  • CHANGELOG.md

Walkthrough

A single changelog entry documents a transitive ip-address dependency upgrade to ^10.2.0 addressing CVE-2026-42338 under the Unreleased/Fixed section.

Changes

Changelog security update

  • CHANGELOG.md: entry added under [Unreleased] / Fixed documenting the ip-address dependency upgrade to ^10.2.0 for CVE-2026-42338 (PR #1189).

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks (5 passed)

  • Description Check: Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The pull request title accurately describes the main change: refreshing yarn.lock to upgrade the ip-address dependency to ^10.2.0 to fix CVE-2026-42338.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage; check skipped.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


Co-authored-by: Brendan Kellam <brendan@sourcebot.dev>
@github-actions
Contributor

github-actions Bot commented May 9, 2026

License Audit

⚠️ Status: PASS

Metric Count
Total packages 2067
Resolved (non-standard) 19
Unresolved 0
Strong copyleft 0
Weak copyleft 39

Weak Copyleft Packages (informational)

Package Version License
@img/sharp-libvips-darwin-arm64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-darwin-arm64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm 1.0.5 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-ppc64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-riscv64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-x64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-x64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64 1.2.4 LGPL-3.0-or-later
@img/sharp-wasm32 0.33.5 Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-wasm32 0.34.5 Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-win32-arm64 0.34.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32 0.33.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32 0.34.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64 0.33.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64 0.34.5 Apache-2.0 AND LGPL-3.0-or-later
axe-core 4.10.3 MPL-2.0
dompurify 3.4.0 (MPL-2.0 OR Apache-2.0)
lightningcss 1.32.0 MPL-2.0
lightningcss-android-arm64 1.32.0 MPL-2.0
lightningcss-darwin-arm64 1.32.0 MPL-2.0
lightningcss-darwin-x64 1.32.0 MPL-2.0
lightningcss-freebsd-x64 1.32.0 MPL-2.0
lightningcss-linux-arm-gnueabihf 1.32.0 MPL-2.0
lightningcss-linux-arm64-gnu 1.32.0 MPL-2.0
lightningcss-linux-arm64-musl 1.32.0 MPL-2.0
lightningcss-linux-x64-gnu 1.32.0 MPL-2.0
lightningcss-linux-x64-musl 1.32.0 MPL-2.0
lightningcss-win32-arm64-msvc 1.32.0 MPL-2.0
lightningcss-win32-x64-msvc 1.32.0 MPL-2.0
Resolved Packages (19)
Package Version Original Resolved Source
@react-grab/cli 0.1.23 UNKNOWN MIT GitHub repo aidenybai/react-grab LICENSE file
@react-grab/cli 0.1.29 UNKNOWN MIT GitHub repo aidenybai/react-grab LICENSE file
@react-grab/mcp 0.1.29 UNKNOWN MIT GitHub repo aidenybai/react-grab LICENSE file
@sentry/cli 2.58.5 FSL-1.1-MIT FSL-1.1-MIT npm registry license field (Functional Source License with MIT future grant)
@sentry/cli-darwin 2.58.5 FSL-1.1-MIT FSL-1.1-MIT npm registry license field (Functional Source License with MIT future grant)
@sentry/cli-linux-arm 2.58.5 FSL-1.1-MIT FSL-1.1-MIT npm registry license field (Functional Source License with MIT future grant)
@sentry/cli-linux-arm64 2.58.5 FSL-1.1-MIT FSL-1.1-MIT npm registry license field (Functional Source License with MIT future grant)
@sentry/cli-linux-i686 2.58.5 FSL-1.1-MIT FSL-1.1-MIT npm registry license field (Functional Source License with MIT future grant)
@sentry/cli-linux-x64 2.58.5 FSL-1.1-MIT FSL-1.1-MIT npm registry license field (Functional Source License with MIT future grant)
@sentry/cli-win32-arm64 2.58.5 FSL-1.1-MIT FSL-1.1-MIT npm registry license field (Functional Source License with MIT future grant)
@sentry/cli-win32-i686 2.58.5 FSL-1.1-MIT FSL-1.1-MIT npm registry license field (Functional Source License with MIT future grant)
@sentry/cli-win32-x64 2.58.5 FSL-1.1-MIT FSL-1.1-MIT npm registry license field (Functional Source License with MIT future grant)
codemirror-lang-elixir 4.0.0 UNKNOWN Apache-2.0 npm registry license field for current published versions
element-source 0.0.3 UNKNOWN MIT GitHub repo aidenybai/element-source LICENSE file
lezer-elixir 1.1.2 UNKNOWN Apache-2.0 npm registry license field for current published versions
map-stream 0.1.0 UNKNOWN MIT npm registry license field for current published versions
memorystream 0.3.1 UNKNOWN MIT npm registry licenses object: {"type":"MIT","url":"..."}
posthog-js 1.369.0 SEE LICENSE IN LICENSE Apache-2.0 GitHub repo PostHog/posthog-js LICENSE file (Apache License 2.0)
valid-url 1.0.9 UNKNOWN MIT GitHub repo ogt/valid-url LICENSE file

Replaces the prior socks resolution-override approach with a lockfile
refresh. The existing ranges (socks: ^2.8.3 in socks-proxy-agent,
express-rate-limit: ^8.2.1 in @modelcontextprotocol/sdk) already admit
patched versions; the lockfile was just stale.

Removed yarn.lock entries for socks@^2.8.3 and express-rate-limit@^8.2.1,
then re-ran yarn install. Resulting lock pins:

  socks 2.8.4 -> 2.8.9 (ip-address ^9.0.5 -> ^10.1.1)
  express-rate-limit 8.3.2 -> 8.5.1 (ip-address 10.1.0 -> ^10.2.0)

All three ip-address instances in the tree now resolve to 10.2.0
(patched). No package.json change, no resolutions override required.

Also fixes the prior PR's incomplete remediation: the express-rate-limit
chain still pinned ip-address@10.1.0, which is < 10.1.1 and still
vulnerable per the GHSA.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
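The decision the PR description and the commit message above both describe (run `yarn why`, check whether the dependents' own declared ranges already admit a patched release, and only then choose between dropping stale lock entries and adding a resolutions override) can be made offline from yarn.lock alone. The following is an added example and is not Sourcebot's code. LOCKFILE is a constructed, trimmed Yarn Berry "before" state mirroring the two chains named in the PR (only the fields the check needs are kept), and FIXED_RELEASES is a constructed stand-in for a registry lookup, populated from the PR's before/after table; the function names are the example's own.

```javascript
// Added example, not Sourcebot's code: decide "lockfile refresh" vs "resolutions
// override" for a vulnerable transitive package by reading a Yarn Berry yarn.lock
// offline. LOCKFILE and FIXED_RELEASES are constructed from the PR text.
const LOCKFILE = `
__metadata:
  version: 8
  cacheKey: 10

"express-rate-limit@npm:^8.2.1":
  version: 8.3.2
  dependencies:
    ip-address: "npm:10.1.0"

"ip-address@npm:10.1.0":
  version: 10.1.0

"ip-address@npm:^9.0.5":
  version: 9.0.5

"socks@npm:^2.8.3":
  version: 2.8.4
  dependencies:
    ip-address: "npm:^9.0.5"
`;
const FIXED_RELEASES = {                       // constructed stand-in for a registry query
  socks: { version: "2.8.9", dependsOn: "^10.1.1" },
  "express-rate-limit": { version: "8.5.1", dependsOn: "^10.2.0" },
};

// Minimal parser for the lockfile subset used here: entry keys, version, dependencies.
function parseBerryLock(text) {
  const entries = [];
  let cur = null, inDeps = false;
  for (const raw of text.split("\n")) {
    if (!raw.trim() || raw.startsWith("#")) continue;
    if (!raw.startsWith(" ")) {                 // entry header (or the __metadata block)
      const key = raw.replace(/:\s*$/, "").replace(/^"|"$/g, "");
      cur = key === "__metadata" ? null
        : { descriptors: key.split(", "), version: null, dependencies: {} };
      if (cur) entries.push(cur);
      inDeps = false;
      continue;
    }
    if (!cur) continue;
    const indent = raw.length - raw.trimStart().length;
    const [, k, v] = /^"?([^"]+?)"?:\s*"?([^"]*)"?$/.exec(raw.trim());
    if (indent === 2) {
      inDeps = k === "dependencies";
      if (k === "version") cur.version = v;
    } else if (indent === 4 && inDeps) {
      cur.dependencies[k] = v.replace(/^npm:/, "");   // keep only the semver range
    }
  }
  return entries;
}

const parseVersion = (v) => {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a plain semver version: ${v}`);
  return m.slice(1).map(Number);
};
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}
// Exact, tilde and caret ranges only: enough for the descriptors in this tree.
function satisfies(range, version) {
  const op = /^[\^~]/.test(range) ? range[0] : "", base = range.slice(op.length);
  if (compareVersions(version, base) < 0) return false;
  const [bMaj, bMin] = parseVersion(base), [vMaj, vMin] = parseVersion(version);
  if (op === "" || (op === "^" && bMaj === 0 && bMin === 0)) return compareVersions(version, base) === 0;
  if (op === "~" || bMaj === 0) return vMaj === bMaj && vMin === bMin;
  return vMaj === bMaj;
}

// Offline `yarn why <pkg>`: entries of pkg resolved below the patched floor, each
// paired with the dependent whose descriptor pins it.
function findVulnerablePins(entries, pkg, patchedFloor) {
  const hits = [];
  for (const e of entries) {
    if (!e.descriptors.some((d) => d.startsWith(`${pkg}@`))) continue;
    if (compareVersions(e.version, patchedFloor) >= 0) continue;
    for (const dep of entries) {
      const range = dep.dependencies[pkg];
      if (range !== undefined && e.descriptors.includes(`${pkg}@npm:${range}`)) {
        hits.push({ dependent: dep.descriptors[0], dependentVersion: dep.version,
                    pinnedRange: range, resolved: e.version });
      }
    }
  }
  return hits;
}

// "Refresh before override" as code: the lock entry is merely stale when the
// dependent's declared range already admits a release whose pkg range starts at
// or above the patched floor; otherwise a resolutions override is required.
function classifyFix(entries, pkg, patchedFloor, fixedReleases) {
  return findVulnerablePins(entries, pkg, patchedFloor).map((hit) => {
    const [name, declaredRange] = hit.dependent.split("@npm:");
    const fixed = fixedReleases[name];
    const stale = !!fixed && satisfies(declaredRange, fixed.version)
      && compareVersions(fixed.dependsOn.replace(/^[\^~]/, ""), patchedFloor) >= 0;
    return { dependent: name, declaredRange, resolvedNow: hit.dependentVersion,
             pins: `${pkg}@${hit.resolved}`, action: stale ? "refresh" : "override" };
  });
}

const REPORT = classifyFix(parseBerryLock(LOCKFILE), "ip-address", "10.1.1", FIXED_RELEASES);
console.log(JSON.stringify(REPORT, null, 2));
```

Run with `node` against a real yarn.lock by replacing LOCKFILE with the file contents; the "refresh" verdict is what justifies deleting the stale entries and re-running `yarn install`, while "override" is the signal that the declared range itself excludes every fixed release, so only a `resolutions` entry (or an upstream bump) will move the pin. The range matcher deliberately covers only exact, `~` and `^` descriptors; anything else should go through a full semver library rather than be guessed.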
@brendan-kellam brendan-kellam changed the title from "fix: upgrade socks to ^2.8.9 to address CVE-2026-42338 in ip-address" to "fix: refresh yarn.lock to upgrade ip-address to ^10.2.0 (CVE-2026-42338)" May 9, 2026
@brendan-kellam brendan-kellam marked this pull request as ready for review May 9, 2026 22:31
@brendan-kellam brendan-kellam merged commit 9dbc3f9 into main May 9, 2026
10 checks passed
@brendan-kellam brendan-kellam deleted the cursor/fix-cve-2026-42338-1031 branch May 9, 2026 22:39

2 participants