
chore(security): patch pnpm audit vulnerabilities via overrides#376

Merged
jamesbhobbs merged 1 commit into main from chore/pnpm-audit-fast-uri-hono-ip-address on May 14, 2026

Conversation

jamesbhobbs (Contributor) commented May 14, 2026


Summary

Bumps pnpm overrides to resolve all 6 vulnerabilities reported by pnpm audit (2 high, 3 moderate, 1 low). All are transitive dependencies of @modelcontextprotocol/sdk in packages/mcp.

Package      Before    After       Advisories
fast-uri     3.1.0     >=3.1.2     path traversal (GHSA-q3j6-qgpj-74h6), host confusion (GHSA-v39h-62p7-jpjc)
hono         4.12.16   >=4.12.18   CSS declaration injection (GHSA-qp7p-654g-cw7p), cross-user cache leakage (GHSA-p77w-8qqv-26rm), improper JWT NumericDate validation (GHSA-hm8q-7f3q-5f36)
ip-address   10.1.0    >=10.1.1    XSS in Address6 HTML-emitting methods (GHSA-v2v4-37r5-5v8g)

Resolved versions in the lockfile: [email protected], [email protected], [email protected].

Follows the same approach as #368.

Test plan

  • pnpm install updates the lockfile cleanly
  • pnpm audit: No known vulnerabilities found

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated core dependency version constraints for improved stability and compatibility.

Review Change Stack

Bump pnpm overrides to resolve all 6 vulnerabilities reported by
`pnpm audit` (2 high, 3 moderate, 1 low). All are transitive deps of
`@modelcontextprotocol/sdk` in `packages/mcp`:

- fast-uri >=3.1.2 (GHSA-q3j6-qgpj-74h6 path traversal,
  GHSA-v39h-62p7-jpjc host confusion)
- hono >=4.12.18 (GHSA-qp7p-654g-cw7p CSS declaration injection,
  GHSA-p77w-8qqv-26rm cross-user cache leakage,
  GHSA-hm8q-7f3q-5f36 improper JWT NumericDate validation)
- ip-address >=10.1.1 (GHSA-v2v4-37r5-5v8g XSS in Address6)

`pnpm audit` now reports no known vulnerabilities.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
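An added check that is not part of the PR or the project's code: the pnpm.overrides block as the walkthrough describes it, plus a small verifier that the versions resolved in pnpm-lock.yaml actually satisfy those `>=` floors. A clean `pnpm audit` is necessary but not sufficient evidence that an override took effect: an override key that matches no dependency path silently does nothing, `>=x` only sets a minimum, and the review bot on this page skipped pnpm-lock.yaml entirely because of a path filter, which is the one file where the effect is visible. The lockfile keys below are constructed stand-ins in pnpm v9 `name@version` key shape, and the `@modelcontextprotocol/sdk` version is hypothetical; none of it is the project's real lockfile.

```javascript
// Added example, not code from the PR or the project. Checks that the
// versions resolved in pnpm-lock.yaml satisfy the ">=" minimums declared
// in package.json's pnpm.overrides. A clean `pnpm audit` does not by
// itself prove an override took effect, so the lockfile is what we inspect.

// The pnpm.overrides block as the PR walkthrough describes it.
const packageJson = {
  pnpm: {
    overrides: {
      "hono": ">=4.12.18",
      "fast-uri": ">=3.1.2",
      "ip-address": ">=10.1.1",
    },
  },
};

// Constructed stand-ins for keys of the `packages:` section of a v9
// pnpm-lock.yaml ("name@version", optionally followed by a "(peer@ver)"
// suffix). Illustrative only, not the project's actual lockfile; the sdk
// version is hypothetical.
const lockfileBefore = [
  "@modelcontextprotocol/sdk@1.0.0(zod@3.0.0)",
  "fast-uri@3.1.0",
  "hono@4.12.16",
  "ip-address@10.1.0",
];
const lockfileAfter = [
  "@modelcontextprotocol/sdk@1.0.0(zod@3.0.0)",
  "fast-uri@3.1.2",
  "hono@4.12.18",
  "ip-address@10.1.1",
];

// Parse "MAJOR.MINOR.PATCH[-prerelease]"; build metadata (+...) is ignored.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ?? null };
}

// Returns -1, 0 or 1. A prerelease sorts below the same release version,
// so 4.12.18-rc.1 does NOT satisfy >=4.12.18 (semver spec, item 11).
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  // Prerelease identifier ordering simplified to a string compare here.
  return pa.pre < pb.pre ? -1 : 1;
}

// Only the ">=X" range form used by this override block is supported;
// anything else is rejected rather than silently treated as satisfied.
function satisfiesOverride(range, version) {
  const m = /^>=\s*(\S+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported override range: ${range}`);
  return compareSemver(version, m[1]) >= 0;
}

// Split a lockfile package key into name and version. Scoped names start
// with "@", so split on the LAST "@" after dropping any peer suffix and
// any leading "/" (older lockfile format).
function splitLockfileKey(key) {
  const base = key.replace(/^\//, "").split("(")[0];
  const at = base.lastIndexOf("@");
  if (at <= 0) throw new Error(`unexpected lockfile key: ${key}`);
  return { name: base.slice(0, at), version: base.slice(at + 1) };
}

// Return every override the lockfile does not honour: the package is absent
// (the override matched nothing) or some resolved version is below the
// declared minimum. An empty array means every override holds.
function findUnsatisfiedOverrides(overrides, lockfileKeys) {
  const resolved = new Map();
  for (const key of lockfileKeys) {
    const { name, version } = splitLockfileKey(key);
    if (!resolved.has(name)) resolved.set(name, new Set());
    resolved.get(name).add(version);
  }
  const problems = [];
  for (const [name, range] of Object.entries(overrides)) {
    const versions = resolved.get(name);
    if (!versions) {
      problems.push({ name, range, resolved: null });
      continue;
    }
    for (const v of versions) {
      if (!satisfiesOverride(range, v)) problems.push({ name, range, resolved: v });
    }
  }
  return problems;
}

// Stand-alone run: the pre-PR set fails on all three, the post-PR set passes.
function main() {
  const overrides = packageJson.pnpm.overrides;
  console.log("before:", findUnsatisfiedOverrides(overrides, lockfileBefore));
  console.log("after: ", findUnsatisfiedOverrides(overrides, lockfileAfter));
}
main();
```

Against a real checkout, read pnpm-lock.yaml with a YAML parser and pass `Object.keys(doc.packages)` in place of the constructed arrays. Two caveats worth keeping in mind with this approach: an override is applied to every consumer in the workspace, so the forced version should stay inside the range the upstream package (here `@modelcontextprotocol/sdk`) declares, which patch-level bumps like these do; and the check above treats a prerelease as below its release, which is the conservative reading for a security floor.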
coderabbitai (bot) commented May 14, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 92f8c943-45e4-4672-afe6-86a83156213f

📥 Commits

Reviewing files that changed from the base of the PR and between c5572c7 and d50a0b5.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • package.json

📝 Walkthrough

Walkthrough

This PR updates the pnpm.overrides block in package.json with three changes: bumping hono from >=4.12.14 to >=4.12.18, adding a new override for fast-uri at >=3.1.2, and adding a new override for ip-address at >=10.1.1. No other package metadata or scripts were modified.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

Suggested reviewers

  • dinohamzic
🚥 Pre-merge checks | ✅ 6
✅ Passed checks (6 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately and specifically describes the main change: patching security vulnerabilities via pnpm overrides.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Updates Docs ✅ Passed PR is a security patch (dependency version bumps), not a feature implementation. Documentation updates aren't required for transitive dependency vulnerability patches.


codecov (bot) commented May 14, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 82.24%. Comparing base (c5572c7) to head (d50a0b5).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #376   +/-   ##
=======================================
  Coverage   82.24%   82.24%           
=======================================
  Files         144      144           
  Lines        5868     5868           
  Branches     1142     1142           
=======================================
  Hits         4826     4826           
  Misses       1042     1042           

☔ View full report in Codecov by Sentry.
@jamesbhobbs jamesbhobbs marked this pull request as ready for review May 14, 2026 15:47
@jamesbhobbs jamesbhobbs requested a review from a team as a code owner May 14, 2026 15:47
@jamesbhobbs jamesbhobbs enabled auto-merge (squash) May 14, 2026 15:53
@jamesbhobbs jamesbhobbs merged commit d47b00c into main May 14, 2026
21 checks passed
@jamesbhobbs jamesbhobbs deleted the chore/pnpm-audit-fast-uri-hono-ip-address branch May 14, 2026 16:50