deps: periodic dependency update #186
Update Arcjet/nosecone packages to 1.5.0 and refresh all dependencies within the 30-day cooldown (latest + minor targets) across all examples.

Reverted two incompatible major bumps that the cooldown run proposed:
- sveltekit: @sveltejs/vite-plugin-svelte 7.1.2 -> 6.2.4 (v7 requires vite 8)
- tanstack-start: @vitejs/plugin-react 6.0.2 -> 5.2.0 (v6 requires vite 8)

Co-Authored-By: Claude <noreply@anthropic.com>
…, GHSA-1120907, GHSA-1120909, GHSA-1120965 Bump nuxt (and @nuxt/kit, @nuxt/schema) 4.4.6 -> 4.4.8 to resolve the nuxt-own high advisory and the transitive @babel/core, tar, and @nuxt/vite-builder vulnerabilities. Remaining nuxt vulnerabilities (shell-quote, vite, ws, esbuild, launch-editor) are deep transitives through @nuxt/devtools and are not reachable via npm up / ncu; the Arcjet/typeid-js/uuid chain requires an upstream @arcjet/protocol release. Co-Authored-By: Claude <noreply@anthropic.com>
Refresh the lockfile so qs dedupes from 6.15.0 to 6.15.2 (via express 5.2.1), resolving the qs prototype pollution advisory. package.json unchanged. Co-Authored-By: Claude <noreply@anthropic.com>
Refresh the lockfile so qs dedupes from 6.15.0 to 6.15.2 (via express 5.2.1), resolving the qs prototype pollution advisory. package.json unchanged. Co-Authored-By: Claude <noreply@anthropic.com>
Refresh the lockfile so @react-router/serve's express dedupes from 4.22.1 to 4.22.2, pulling qs 6.15.2 (from 6.14.2) and resolving the qs prototype pollution advisory. @babel/core also cleared as a side effect. package.json unchanged. Co-Authored-By: Claude <noreply@anthropic.com>
Bump vite 7.3.3 -> 7.3.5 to resolve the cross-origin iframe and DOM Clobbering advisories. Co-Authored-By: Claude <noreply@anthropic.com>
Bump vite 7.3.3 -> 7.3.5 to resolve the cross-origin iframe and DOM Clobbering advisories. Co-Authored-By: Claude <noreply@anthropic.com>
Bump vite 7.3.3 -> 7.3.5 to resolve the cross-origin iframe and DOM Clobbering advisories. Co-Authored-By: Claude <noreply@anthropic.com>
…92, GHSA-1120785, GHSA-1120790, GHSA-1120680 Bump astro 6.3.7 -> 6.4.8 and refresh the lockfile (vite dedupes to 7.3.5) to resolve the astro-own high advisory, the js-yaml moderate advisory, the vite high advisories, and the esbuild low advisory. Co-Authored-By: Claude <noreply@anthropic.com>
Raise the supported Node floor from 20 to 22 by setting engines.node to ">=22" in the examples that declare it (firebase-functions moves from the exact "24" to ">=22"). Standardize @types/node to 22.20.0 across the examples that use it, matching the new floor. Co-Authored-By: Claude <noreply@anthropic.com>
…, qs, express past GHSA-1120582, GHSA-1120588, GHSA-1120745, GHSA-1120742, GHSA-1120799, GHSA-1119502 Refresh the lockfile (npm up) so transitive deps dedupe within their existing ranges: @grpc/grpc-js 1.14.2 -> 1.14.4, form-data 2.5.5 -> 2.5.6, protobufjs 7.6.0 -> 7.6.4, and the express/body-parser/qs chain to express 4.22.2 / qs 6.15.2. Resolves the three high-severity advisories and the qs moderate. package.json unchanged. Remaining moderate advisories in the firebase-admin / @google-cloud chain require a firebase-admin 13 -> 14 major bump and are not applied. Co-Authored-By: Claude <noreply@anthropic.com>
The cooldown latest sweep bumped typescript to 6.0.3, but TS 6 turns the deprecated moduleResolution "node10" (used by expressjs) into a hard error and breaks builds. The prior periodic updates kept typescript on 5.x, and 5.9.3 is the latest 5.x release. Revert to 5.9.3 across all examples so Docker builds continue to pass. Co-Authored-By: Claude <noreply@anthropic.com>
Bump arcjet 0.7.0 -> 0.8.0, fastapi 0.136.1 -> 0.138.0, pydantic-settings 2.14.1 -> 2.14.2, uvicorn 0.47.0 -> 0.49.0 and refresh the lockfile. Co-Authored-By: Claude <noreply@anthropic.com>
Bump arcjet 0.7.0 -> 0.8.0, gunicorn 25.3.0 -> 26.0.0 and refresh the lockfile. Co-Authored-By: Claude <noreply@anthropic.com>
Arcjet Review — 🟡 Medium Risk
Decision: Reviewers Assigned
Rationale: This PR updates a large set of dependency versions across example applications and changes several Node.js engine requirements. The dependency-changes escalation trigger fires because many package.json files were modified. Most updates appear to be pinned exact-version minor or patch updates to established ecosystem packages, and no hardcoded secrets or direct application-code security issues are visible in the diff. However, the breadth of updates, several major-version dev tooling changes, and runtime engine changes make automated confidence limited. Human review is recommended; no specific escalation reviewers are configured.
Summary of Changes
Periodic dependency update across example apps, including Arcjet packages from 1.4.0 to 1.5.0, Python Arcjet from 0.7.0 to 0.8.0, framework/tooling updates for Astro, FastAPI, Flask, Fastify, Firebase Functions, NestJS, Next.js, Nuxt, React Router, SvelteKit, and TanStack Start, plus multiple Node engine changes to >=22.
Escalation Triggers
- Dependency Changes: Multiple package.json files were modified with dependency and devDependency updates across example applications.
Review Focus Areas
- Verify the fastify-cli 7.4.1 to 8.0.0 major-version upgrade is compatible with this example's scripts and TypeScript configuration. Major dev-tooling upgrades can introduce breaking CLI behavior or changed defaults even when application code is unchanged.
- Check compatibility for @vitejs/plugin-react 4.7.0 to 5.2.0 and vite-tsconfig-paths 5.1.4 to 6.1.1, especially with the current Vite and TanStack Start versions. These are major-version upgrades in the build toolchain and may affect local development or production builds.
- Confirm that changing engines.node from "24" to ">=22" is accepted by Firebase Functions deployment tooling and selects the intended runtime. Serverless platforms often require specific runtime declarations; broad semver ranges can behave differently from exact runtime values.
- Run the existing build and Playwright test scripts after the AI SDK, React, zod, react-hook-form, and Playwright updates. This example has the broadest dependency surface and includes runtime dependencies plus e2e tooling, so compatibility should be validated in CI or locally.
- Verify corresponding lock files are intentionally absent or updated elsewhere if this repository uses lockfile-based installs. Manifest-only dependency updates can lead to non-reproducible installs or CI drift if lock files are expected.
Notes
Security checklist applied: no secrets, auth changes, injection surfaces, cryptography changes, or direct OWASP issues were visible in the diff. The main risk is dependency and runtime compatibility rather than source-code security.
Path filtering: 17 files excluded by ignore paths. 17 of 34 files included in review.
Review: f9dcc2e2 | Model: openai/gpt-5.5 | Powered by Arcjet Review
Warning Review the following alerts detected in dependencies. According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.
Ignoring alerts on:
@SocketSecurity ignore npm/@electric-sql/pglite@0.3.16 Pre-existing transitive dep (via firebase-tools) bumped 0.3.14 → 0.3.16. WASM build of Postgres (electric-sql/pglite), ~10M downloads/week, published 2026-03-10. Obfuscation flag is a false positive on the wasm bundle.
@SocketSecurity ignore npm/@emnapi/runtime@1.11.1 Pre-existing transitive dep (via astro) bumped 1.5.0 → 1.11.1. emnapi WASM N-API binding, ~79M downloads/week. Obfuscation flag is a false positive on the wasm runtime.
@SocketSecurity ignore npm/astro@6.4.8 The astro framework itself, bumped 6.3.6 → 6.4.8 (security fix for GHSA-1120914 et al.). Obfuscation flag is a false positive on astro's minified dist. Published 2026-06-17.
@SocketSecurity ignore npm/firebase-tools@15.18.0 Pre-existing dev dep bumped 15.15.0 → 15.18.0. Official Firebase CLI, obfuscation flag is a false positive on its minified bundle. Published 2026-05-13.
@SocketSecurity ignore npm/js-yaml@4.2.0 Pre-existing transitive dep bumped 4.1.1 → 4.2.0. Widely-used YAML parser, obfuscation flag is a false positive on minified output. Published 2026-05-31.
@SocketSecurity ignore npm/libsodium@0.7.16 Pre-existing transitive dep (via firebase-tools) bumped 0.7.15 → 0.7.16. WASM build of libsodium, maintained by jedisct1 (the libsodium author), ~2.8M downloads/week. Obfuscation flag is a false positive on the wasm/crypto bundle.
@SocketSecurity ignore npm/re2@1.25.0 Pre-existing transitive dep (via firebase-tools) bumped 1.22.3 → 1.25.0. Native binding to Google's RE2 regex engine (uhop/node-re2), ~2.6M downloads/week. Obfuscation flag is a false positive on the compiled native binding. Published 2026-06-16.
@SocketSecurity ignore npm/validator@13.15.35 Pre-existing transitive dep (via class-validator) bumped 13.15.23 → 13.15.35. Popular string validator library, obfuscation flag is a false positive on minified output.
@SocketSecurity ignore npm/yargs@17.7.2 Pre-existing transitive dep (via @astrojs/check). Well-known CLI parser, published 2023-04-27. Obfuscation flag is a false positive on minified output.
@SocketSecurity ignore npm/@jest/snapshot-utils AI-signal alert on a pre-existing transitive dep (via firebase-functions-test). Part of the Jest test framework; heuristic only, no advisory.
@SocketSecurity ignore npm/@oxc-parser/binding-wasm32-wasi@0.133.0 Pre-existing transitive dep (via nuxt) bumped 0.131.0 → 0.133.0. WASM binding for the oxc parser (oxc-project), ~794K downloads/week. AI-signal heuristic only, no advisory.
@SocketSecurity ignore npm/@sveltejs/kit@2.61.0 Pre-existing direct dep bumped 2.57.1 → 2.61.0. Socket "Potential vulnerability" heuristic only — not present in
@SocketSecurity ignore npm/node-gyp Pre-existing transitive dep (via firebase-tools). Socket "Potential vulnerability" heuristic only — not present in
@SocketSecurity ignore npm/playwright-core AI-signal alert on a pre-existing transitive dep (via @playwright/test). Core of the Playwright test framework; heuristic only, no advisory.
@SocketSecurity ignore npm/vite-plugin-checker AI-signal alert on a pre-existing transitive dep (via nuxt). Heuristic only, no advisory.
@SocketSecurity ignore npm/@babel/core AI-signal "code anomaly" on a pre-existing transitive dep (via @vitejs/plugin-react). Standard Babel compiler; heuristic flag on generated code, no advisory.
@SocketSecurity ignore npm/@babel/helper-module-imports AI-signal "code anomaly" on a pre-existing transitive Babel helper. Heuristic only, no advisory.
@SocketSecurity ignore npm/@babel/helper-module-transforms AI-signal "code anomaly" on a pre-existing transitive Babel helper. Heuristic only, no advisory.
@SocketSecurity ignore npm/@babel/helper-string-parser AI-signal "code anomaly" on a pre-existing transitive Babel helper. Heuristic only, no advisory.
@SocketSecurity ignore npm/@babel/helpers AI-signal "code anomaly" on a pre-existing transitive Babel helper. Heuristic only, no advisory.

Triage of the Socket alerts below. Every flagged package was already present on
@SocketSecurity ignore npm/yargs@17.7.3 Triage of the 21 current alerts. All are Socket AI-signal / code-anomaly / heuristic flags — no confirmed CVEs. Every flagged package pre-existed on

Bottom line: all 21 are ignorable — pre-existing transitive deps, routine cooldown bumps, canonical repos, AI/heuristic flags with no confirmed CVE.
@SocketSecurity ignore npm/ajv@8.20.0 Triage of the 20 current alerts. All are Low-severity "Potential code anomaly (AI signal)" — Socket ML heuristic flags on minified/native/wasm bundles; no confirmed CVEs. Every flagged package pre-existed on

Bottom line: all 20 ignorable — pre-existing transitive deps, routine cooldown bumps, canonical repos, Low-severity AI/heuristic flags with no confirmed CVE. The only within-7-days package is
@SocketSecurity ignore npm/@nuxt/vite-builder@4.4.8 Triage of the 19 current alerts. All flagged packages pre-existed on

High — investigated

Medium — investigated

Low — heuristic flags (pre-existing, >7d unless noted)

Bottom line: all 19 ignorable. The 3 High alerts resolve to (1) an expected data license, (2) a Socket misclassification (package is actually MIT), and (3) normal maintainer rotation. The 2 Medium are a native-binding postinstall (expected) and a co-maintainer publisher change. The 14 Low are heuristic flags on pre-existing mainstream packages. The two within-7d packages (
@SocketSecurity ignore pypi/gunicorn@26.0.0 Triage of the 5 pypi alerts (missed in earlier npm-scoped passes — these are the Python examples). All flagged packages pre-existed on
Bottom line: all 5 ignorable — pre-existing canonical packages, >7d cooldown, heuristic/false-positive flags. No genuine supply-chain risk.
Periodic dependency update across all examples.

- Arcjet 1.4.0 -> 1.5.0 (all npm + deno examples); python arcjet 0.7.0 -> 0.8.0.
- Node floor 22 (engines.node >=22); @types/node pinned to 22.20.0.
- qs -> 6.15.2 in expressjs/nestjs/react-router (GHSA-1119502); vite -> 7.3.5 in react-router/sveltekit/tanstack-start (GHSA-1120785, 1120790); astro 6.4.8 (GHSA-1120914 et al.); firebase-functions @grpc/grpc-js / form-data / protobufjs / qs / express (GHSA-1120582, 1120588, 1120745, 1120742, 1120799, 1119502).
- typescript 6.0.3 -> 5.9.3: TS 6 breaks the expressjs build (moduleResolution: "node10" becomes a hard error). 5.9.3 is the latest 5.x.
- sveltekit @sveltejs/vite-plugin-svelte 7 -> 6.2.4, tanstack-start @vitejs/plugin-react 6 -> 5.2.0 (both require vite 8).
- docker build.

Unresolved (need upstream releases, not fixable from examples):

- @arcjet/protocol -> typeid-js -> uuid <11.1.1 (GHSA-1119441), all examples.
- firebase-functions moderate advisories (firebase-admin 13 -> 14 major).
- shell-quote / vite / ws (deep transitives via @nuxt/devtools).
- multer (GHSA-1121089, 1121091) — @nestjs/platform-express pins multer 2.1.1; fixed multer 2.2.0 exists but is unreachable without an override.

🤖 Generated with Claude Code
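The lockfile-refresh commits in this PR (qs deduping to 6.15.2 via express, vite deduping to 7.3.5) and the "unreachable without an override" note on multer come down to one question per installed copy: does some dependent's declared range admit the fixed version, so that a plain `npm up` can reach it, or is every dependent pinning it out? The script below is an added example, not code from this PR or the examples repository. It walks a constructed package-lock.json (lockfileVersion 3; SAMPLE_LOCK and every version number in it are illustrative assumptions, not claims about the real packages), applies Node's nested-then-hoisted resolution to find which copy each dependent actually loads, and reports whether the fix is reachable within each declared range.

```javascript
// Lockfile audit for package-lock.json (lockfileVersion 3): for one package, list
// every installed copy, which dependents resolve to it, and whether each dependent's
// declared range admits the fixed version (so `npm up` can reach it) or excludes it
// (so an override or an upstream release is needed).
// Added example, not code from the PR. SAMPLE_LOCK is constructed; versions are illustrative.

const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { express: "^4.21.0", "@nestjs/platform-express": "^11.0.0" } },
    "node_modules/express": { version: "4.22.1", dependencies: { qs: "^6.14.0", "body-parser": "~1.20.0" } },
    "node_modules/qs": { version: "6.15.0" },
    "node_modules/body-parser": { version: "1.20.3", dependencies: { qs: "~6.14.0" } },
    "node_modules/body-parser/node_modules/qs": { version: "6.14.2" },
    "node_modules/@nestjs/platform-express": { version: "11.1.0", dependencies: { multer: "2.1.1" } },
    "node_modules/multer": { version: "2.1.1" },
  },
};

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a plain semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// -1, 0 or 1 comparing major.minor.patch numerically (pre-release tags ignored).
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Minimal range check for the forms that matter here: exact pin, ^, ~ and >=.
// Returns null for any other syntax so "unparsed" is never mistaken for "excluded".
function rangeAdmits(range, version) {
  const m = /^(\^|~|>=)?(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) return null;
  const op = m[1] || "", base = m[2];
  const cmp = compareSemver(version, base);
  const [vMaj, vMin] = parseSemver(version);
  const [bMaj, bMin] = parseSemver(base);
  if (op === "") return cmp === 0;
  if (op === ">=") return cmp >= 0;
  if (op === "~") return cmp >= 0 && vMaj === bMaj && vMin === bMin;
  // ^: same major; for 0.x the minor is the breaking axis, for 0.0.x the patch is.
  if (bMaj === 0 && bMin === 0) return cmp === 0;
  if (bMaj === 0) return cmp >= 0 && vMaj === 0 && vMin === bMin;
  return cmp >= 0 && vMaj === bMaj;
}

// Lockfile keys are filesystem paths; the enclosing package is the nearest parent
// node_modules entry, or "" for the project root.
function parentPath(pkgPath) {
  const i = pkgPath.lastIndexOf("/node_modules/");
  return i === -1 ? "" : pkgPath.slice(0, i);
}

function packageName(pkgPath) {
  const marker = "node_modules/";
  return pkgPath.slice(pkgPath.lastIndexOf(marker) + marker.length);
}

// Node resolution from a package at `fromPath`: its own node_modules first, then each
// enclosing package's, then the root's. This decides whether a dependent gets the
// hoisted copy or a nested, possibly stale, one.
function resolveDependency(lock, fromPath, name) {
  let dir = fromPath;
  for (;;) {
    const candidate = (dir === "" ? "" : dir + "/") + "node_modules/" + name;
    if (candidate in lock.packages) return candidate;
    if (dir === "") return null;
    dir = parentPath(dir);
  }
}

function auditPackage(lock, name, fixedVersion) {
  const byPath = new Map();
  for (const [fromPath, entry] of Object.entries(lock.packages)) {
    const range = entry.dependencies && entry.dependencies[name];
    if (range === undefined) continue;
    const resolved = resolveDependency(lock, fromPath, name);
    if (resolved === null) continue; // declared but not installed: out of scope here
    if (!byPath.has(resolved)) {
      const version = lock.packages[resolved].version;
      byPath.set(resolved, { path: resolved, version, vulnerable: compareSemver(version, fixedVersion) < 0, dependents: [] });
    }
    byPath.get(resolved).dependents.push({
      dependent: fromPath === "" ? "(root)" : packageName(fromPath),
      range,
      fixReachable: rangeAdmits(range, fixedVersion), // true / false / null (unparsed)
    });
  }
  return [...byPath.values()];
}

// Vulnerable copies that no dependent's range can move to the fix: a lockfile refresh
// cannot touch these, which is the multer situation described in the PR.
function needsOverride(findings) {
  return findings.filter((f) => f.vulnerable && !f.dependents.some((d) => d.fixReachable === true)).map((f) => f.path);
}

function formatReport(name, fixedVersion, findings) {
  const lines = [`${name} (fixed in ${fixedVersion}):`];
  for (const f of findings) {
    lines.push(`  ${f.path} = ${f.version}${f.vulnerable ? "  VULNERABLE" : ""}`);
    for (const d of f.dependents) {
      const how = d.fixReachable === true ? "npm up can reach the fix"
        : d.fixReachable === false ? "range excludes the fix; needs override or upstream bump" : "range syntax not handled";
      lines.push(`    <- ${d.dependent} declares ${d.range}: ${how}`);
    }
  }
  return lines.join("\n");
}

for (const [name, fixed] of [["qs", "6.15.2"], ["multer", "2.2.0"]]) {
  const findings = auditPackage(SAMPLE_LOCK, name, fixed);
  console.log(formatReport(name, fixed, findings));
  console.log("  needs override:", needsOverride(findings));
}
```

Run it with node; for a real project, replace SAMPLE_LOCK with the parsed package-lock.json. In the constructed sample the hoisted qs is reachable through express's caret range while body-parser's tilde range pins its nested copy below the fix, and @nestjs/platform-express's exact pin keeps multer at 2.1.1, which is the case the PR lists as unresolved: the remaining options are an overrides entry in package.json or an upstream range bump. The range parser is deliberately minimal (exact, ^, ~, >=) and returns null for anything else rather than guessing.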