Skip to content

chore(security): raise production audit gate#141

Open
dhairyashiil wants to merge 3 commits into
calcom:mainfrom
dhairyashiil:codex/security-audit-ci
Open

chore(security): raise production audit gate#141
dhairyashiil wants to merge 3 commits into
calcom:mainfrom
dhairyashiil:codex/security-audit-ci

Conversation

@dhairyashiil

Copy link
Copy Markdown
Member

Summary

Raises the production dependency audit threshold from critical to high and updates/overrides vulnerable production dependency paths so bun audit --prod --audit-level=high passes.

Reviewer notes

  • Upgrades next in apps/chat from 16.1.6 to 16.2.10. Please review this as a production framework upgrade even though the local production build passes.
  • Upgrades @modelcontextprotocol/sdk in apps/mcp-server from 1.12.1 to 1.29.0. MCP tests and build pass, but reviewers should watch SDK behavior in integration/deploy checks.
  • Adds root overrides for picomatch and fast-uri to clear high-severity production audit findings.
  • This intentionally does not address every moderate/low advisory; it raises the CI gate to high as the next meaningful security bar.

Validation

  • bun audit --prod --audit-level=high
  • bun run typecheck
  • bun --filter @calcom/mcp-server test
  • AI_GATEWAY_API_KEY=test SLACK_CLIENT_ID=test SLACK_CLIENT_SECRET=test SLACK_SIGNING_SECRET=test SLACK_ENCRYPTION_KEY=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa REDIS_URL=redis://localhost:6379 CALCOM_WEBHOOK_SECRET=test bun --filter @calcom/chat build
  • bun --filter extension build
  • bun --filter @calcom/mcp-server build
  • git diff --check HEAD~1..HEAD

@vercel

vercel Bot commented Jul 2, 2026

Copy link
Copy Markdown

@dhairyashiil is attempting to deploy a commit to the cal Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions github-actions Bot added config Changes to project configuration files ci Changes to CI/CD workflows and GitHub Actions labels Jul 2, 2026
@dhairyashiil dhairyashiil marked this pull request as ready for review July 2, 2026 21:07
@dhairyashiil dhairyashiil requested a review from a team as a code owner July 2, 2026 21:07
@dhairyashiil dhairyashiil enabled auto-merge (squash) July 2, 2026 21:07

@devin-ai-integration devin-ai-integration Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Devin Review found 2 potential issues.

Open in Devin Review

Comment thread apps/mcp-server/package.json Outdated
Comment thread apps/mcp-server/package.json

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 5 files

Reply with feedback, questions, or to request a fix.

Re-trigger cubic

Comment thread apps/mcp-server/package.json
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ci Changes to CI/CD workflows and GitHub Actions config Changes to project configuration files security-hackathon-2026

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants