chore(deps): resolve Dependabot critical/high/moderate alerts#119

Merged: pasevin merged 1 commit into main from chore/dependabot-batch on Jun 6, 2026
Conversation
@pasevin pasevin (Collaborator) commented Jun 6, 2026

Summary

Single-PR sweep of open Dependabot advisories on role-manager. Knocks out 3 criticals, 16 highs, and most moderates by bumping direct deps and migrating + adding workspace pnpm overrides.

Direct dep bumps

  • vitest + @vitest/coverage-v8 ^3.2.4 → ^4.1.0 (root) — patches GHSA-5xrq-8626-4rwp (arbitrary file read/exec via Vitest UI server). Resolves to 4.1.8.
  • react-router-dom ^7.14.0 → ^7.15.0 (apps/role-manager) — covers three react-router CVEs in one bump:

Override migration: package.json#pnpm → pnpm-workspace.yaml

pnpm v11 silently ignores package.json#pnpm.overrides. `minimumReleaseAge` + `minimumReleaseAgeExclude` also need to live in the workspace yaml to take effect. `vitest` / `@vitest/*` added to the exclude list since some of their dist metadata is missing the `time` field.

New security overrides

| Advisory(ies) | Package | Fix |
|---|---|---|
| 15× axios CVEs (prototype pollution, SSRF, ReDoS, header injection, …) | `axios` | `<1.16.0` → `^1.16.0` |
| ~10× hono CVEs | `hono` | `<4.12.21` → `^4.12.21` |
| 8× protobufjs CVEs (RCE, DoS, prototype pollution) | `protobufjs` | `<7.5.8` → `^7.5.8` |
| GHSA-q6x5-8v7m-xcrf | `@protobufjs/utf8` | `<1.1.1` → `^1.1.1` |
| GHSA-ph9p-34f9-6g65 | `tmp` | `<0.2.6` → `^0.2.6` |
| GHSA-r5fr / f23m / xxjr | `lodash` | `<4.18.0` → `^4.18.0` |
| GHSA-v39h / q3j6 | `fast-uri` | `<=3.1.1` → `^3.1.2` |
| GHSA-qj3p-xc97-xw74 | `@metamask/sdk` + `…-communication-layer` | `<0.33.1` → `^0.33.1` |
| GHSA-v2v4-37r5-5v8g | `ip-address` | `<=10.1.0` → `^10.1.1` |
| GHSA-58qx-3vcg-4xpx | `ws` | `>=8.0.0 <8.20.1` → `^8.20.1` |

Not fixed in this PR (justifications for dismissal in Security tab)

| Alert | Reason |
|---|---|
| `uuid` 8.3.2 / 9.0.1 — GHSA-w5hq-g745-h8pq | CVE only affects `v3/v5/v6(buf)`. Solana web3.js / MetaMask utils call `v4()` only. Patched `uuid@11.1.1` is already resolved alongside the older versions; forcing `^11` everywhere breaks `@solana/web3.js` peer constraints. |
| `elliptic` 6.6.1 — GHSA-848j-6mx2-7j84 | No upstream patch exists. |

Test plan

  • `pnpm install` succeeds; lockfile regenerated cleanly
  • `pnpm -r typecheck` passes
  • `pnpm -r test` — all 1,181 tests pass across the workspace on vitest 4.1.8 (apps/role-manager 1181 / 1181, packages/components and packages/hooks have no tests)
  • Verified vulnerable copies purged from `pnpm-lock.yaml`:
    • axios 1.13.6 → only 1.16.1
    • hono 4.12.12 → 4.12.23
    • protobufjs 7.4.0 → 7.6.2
    • tmp 0.0.33 → 0.2.7
    • lodash 4.17.21 → 4.18.1 only
    • fast-uri 3.1.0 → 3.1.2
    • ip-address 10.1.0 → 10.2.0
    • @metamask/sdk* 0.32.0 → 0.33.1 only
    • ws 8.18.x / 8.20.0 → only 8.21.0 (+ unaffected 7.5.10)
    • @protobufjs/utf8 1.1.0 → 1.1.1
    • react-router 7.14.0 → 7.17.0

Pre-existing test failure in `.pnpmfile.test.cjs` (5/9 failing) exists on `main` already and is unrelated to this PR.
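The "verified vulnerable copies purged from `pnpm-lock.yaml`" step of the test plan, as an added example that is not part of the PR or the repository: a POSIX shell check that lists every resolved version of a package in a lockfile and flags any copy inside an advisory's affected range, so a range like ws `>=8.0.0 <8.20.1` does not false-positive on the unaffected 7.5.10 copy. The lockfile excerpts are constructed and the range bounds follow the overrides listed above.

```shell
#!/bin/sh
# Added example (not from the PR): confirm that an override purged every
# affected copy of a package from pnpm-lock.yaml. Constructed lockfile
# excerpts: only the "packages:" keys matter, resolution lines omitted.
BEFORE_LOCK="packages:
  axios@1.13.6:
  axios@1.16.1(debug@4.4.2):
  ws@7.5.10:
  ws@8.20.0:
  '@metamask/sdk@0.32.0':"
AFTER_LOCK="packages:
  axios@1.16.1:
  ws@7.5.10:
  ws@8.21.0:
  '@metamask/sdk@0.33.1':"

# resolved_versions LOCK NAME: distinct versions of NAME (v9 "name@ver",
# v6 "/name@ver" and quoted scoped keys; peer suffixes in "(...)" dropped)
resolved_versions() {
  printf '%s\n' "$1" | sed -n "s|^ *'\{0,1\}/\{0,1\}$2@\([0-9][^:'(]*\).*|\1|p" | sort -u
}

# ver_lt A B: true when dotted version A is below B (prerelease labels stripped)
ver_lt() {
  local a="$1" b="$2" x y
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; x=${x%%-*}; y=${b%%.*}; y=${y%%-*}
    [ "${x:-0}" -lt "${y:-0}" ] && return 0
    [ "${x:-0}" -gt "${y:-0}" ] && return 1
    case $a in *.*) a=${a#*.};; *) a=;; esac
    case $b in *.*) b=${b#*.};; *) b=;; esac
  done
  return 1
}

# check_purged LOCK NAME LOW HIGH: prints every copy whose version lies in
# the affected range [LOW, HIGH) and fails if any remain; versions outside
# the range (e.g. ws 7.5.10 for the >=8.0.0 <8.20.1 advisory) are ignored.
check_purged() {
  local v ok=0
  for v in $(resolved_versions "$1" "$2"); do
    if ! ver_lt "$v" "$3" && ver_lt "$v" "$4"; then
      printf 'still present: %s@%s\n' "$2" "$v"; ok=1
    fi
  done
  return $ok
}

# Usage against a real lockfile: check_purged "$(cat pnpm-lock.yaml)" ws 8.0.0 8.20.1
```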

Direct bumps:
- vitest + @vitest/coverage-v8 ^3.2.4 → ^4.1.0 in root (patches
  GHSA-5xrq-8626-4rwp, critical, arbitrary file read/exec via Vitest UI
  server). Resolves to 4.1.8.
- react-router-dom ^7.14.0 → ^7.15.0 in apps/role-manager. Patches
  three react-router CVEs in one bump:
  - GHSA-49rj-9fvp-4h2h (high, RCE via turbo-stream TYPE_ERROR
    deserialization) — patched 7.14.2
  - GHSA-2j2x-hqr9-3h42 (medium, open redirect via // protocol-relative
    URL) — patched 7.14.1
  - GHSA-8x6r-g9mw-2r78 (high, DoS via unbounded path expansion in
    __manifest endpoint) — patched 7.15.0
  react-router resolves to 7.17.0.

Override migration: package.json#pnpm → pnpm-workspace.yaml.
pnpm v11 silently ignores package.json#pnpm.overrides; minimumReleaseAge
and minimumReleaseAgeExclude also need to live in the workspace yaml to
take effect. vitest / @vitest/* added to the exclude list since some of
their dist metadata is missing the `time` field.

New security overrides:
- axios <1.16.0 → ^1.16.0 (15 advisories: prototype pollution, SSRF,
  header/CRLF injection, ReDoS, etc.)
- hono <4.12.21 → ^4.12.21 (~10 advisories: cookie injection, JWT
  issues, cache leakage, IP restriction bypass, etc.)
- protobufjs <7.5.8 → ^7.5.8 (8 advisories: RCE, DoS, prototype
  pollution)
- @protobufjs/utf8 <1.1.1 → ^1.1.1 (overlong UTF-8 decoding)
- tmp <0.2.6 → ^0.2.6 (path traversal via symlink)
- lodash <4.18.0 → ^4.18.0 (code injection, prototype pollution)
- fast-uri <=3.1.1 → ^3.1.2 (host confusion, path traversal)
- @metamask/sdk + @metamask/sdk-communication-layer <0.33.1 → ^0.33.1
  (malicious debug@4.4.2 transitive)
- ip-address <=10.1.0 → ^10.1.1 (XSS in Address6 HTML)
- ws >=8.0.0 <8.20.1 → ^8.20.1 (uninitialized memory disclosure)

Not fixed in this PR (justifications for dismissal in Security tab):
- uuid <11.1.1 (GHSA-w5hq) — CVE only affects v3/v5/v6(buf); our chain
  uses v4(). Forcing ^11 elsewhere breaks @solana/web3.js peer
  constraints, and v11.1.1 is already present alongside the older
  versions in this lockfile.
- elliptic 6.6.1 (GHSA-848j) — no upstream patch exists.
@pasevin pasevin merged commit 501abbe into main Jun 6, 2026
11 checks passed
@pasevin pasevin deleted the chore/dependabot-batch branch June 6, 2026 15:56
@github-actions github-actions Bot locked and limited conversation to collaborators Jun 6, 2026