Skip to content

chore(security): clear 18 open Dependabot alerts#468

Merged
hbanerjee74 merged 1 commit into
mainfrom
chore/security-bumps
Apr 28, 2026
Merged

chore(security): clear 18 open Dependabot alerts#468
hbanerjee74 merged 1 commit into
mainfrom
chore/security-bumps

Conversation

@hbanerjee74

Copy link
Copy Markdown
Contributor

Summary

Bumps transitive dependencies to clear 18 of the 21 open Dependabot alerts (5 high · 13 medium). The other 3 are either non-applicable (docs/vite — Dependabot's range starts at 8.0.0; we're on 5.4.21) or out-of-scope here (rand low — soundness only at 0.10.0, we're on 0.9.2).

Changes

app/

  • postcss 8.5.8 → 8.5.12 — CVE-2026-41305
  • @xmldom/xmldom 0.8.12 → 0.8.13 — CVE-2026-41672 / 41674 / 41675
  • fast-xml-parser 5.5.7 → 5.7.2 (override widened from >=5.5.7 to ^5.7.0) — CVE-2026-41650
  • uuid 8.3.2 → 14.0.0 via new override — GHSA-w5hq-g745-h8pq. Only used transitively by @azure/msal-node and natural, both via the promptfoo devDep — no app or sidecar runtime usage.

app/sidecar/

  • vite 7.3.1 → 8.0.10 (via npm update, vitest 4.x supports both) — CVE-2026-39363 / 39364 / 39365
  • postcss 8.5.6 → 8.5.12 — CVE-2026-41305
  • hono 4.12.9 → 4.12.15 — CVE-2026-39407 / 39408 / 39409 / 39410, GHSA-26pp-…, GHSA-458j-…
  • @hono/node-server 1.19.12 → 1.19.14 — CVE-2026-39406

docs/

  • postcss 8.5.6 → 8.5.12 — CVE-2026-41305

Not addressed

Test plan

  • cd app && npm install (lock with uuid: ^14, fast-xml-parser: ^5.7.0 overrides resolves cleanly)
  • cd app/sidecar && npm ci && npm run build (sidecar binary still built)
  • cd app/sidecar && npx vitest run — 350 passed
  • cd app && npx tsc --noEmit
  • cd app && npm run test:unit — 649 passed
  • cd app && npm run test:agents:structural — 51 passed
  • CI passes

🤖 Generated with Claude Code

Bring transitive deps in line with the latest patched versions:

app/:
- postcss 8.5.8 -> 8.5.12 (CVE-2026-41305)
- @xmldom/xmldom 0.8.12 -> 0.8.13 (CVE-2026-41672/41674/41675)
- fast-xml-parser 5.5.7 -> 5.7.2 via override (CVE-2026-41650)
- uuid 8.3.2 -> 14.0.0 via override (GHSA-w5hq-g745-h8pq)

app/sidecar/:
- vite 7.3.1 -> 8.0.10 (CVE-2026-39363/39364/39365)
- postcss 8.5.6 -> 8.5.12 (CVE-2026-41305)
- hono 4.12.9 -> 4.12.15 (CVE-2026-39407/39408/39409/39410, GHSA-26pp-/-458j-)
- @hono/node-server 1.19.12 -> 1.19.14 (CVE-2026-39406)

docs/:
- postcss 8.5.6 -> 8.5.12 (CVE-2026-41305)
- vite stays at 5.4.21 (Dependabot range >= 8.0.0 doesn't actually match;
  alert can be dismissed)

Skipping the rand low alert — it's a soundness issue scoped to rand 0.10.0
with a custom logger, and we're on rand 0.9.2.

Verified: cd app/sidecar && npm run build && npx vitest run (350 passed),
cd app && npx tsc --noEmit && npm run test:unit (649 passed) &&
npm run test:agents:structural (51 passed).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@hbanerjee74 hbanerjee74 force-pushed the chore/security-bumps branch from c1ecef0 to d5d532e Compare April 28, 2026 13:43
@hbanerjee74 hbanerjee74 merged commit bc1f5ef into main Apr 28, 2026
17 checks passed
@hbanerjee74 hbanerjee74 deleted the chore/security-bumps branch April 28, 2026 13:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant