
Commit 6fa8860

Lykhoyda and claude authored
fix(deps): clear 12 medium-severity Dependabot alerts (hono, ip-address, astro, postcss) (#172)
Closes 12 medium-severity Dependabot alerts:
- #6: astro <6.1.6 — XSS in define:vars via incomplete </script> sanitization
- #7: postcss <8.5.10 — XSS via unescaped </style> in CSS Stringify output
- #8, #17: ip-address <=10.1.0 — XSS in Address6 HTML-emitting methods
- #9, #10, #18, #19: hono <4.12.16 — bodyLimit() bypass + JSX tag injection
- #12, #14, #22, #24: hono <4.12.18 — cache Vary header + JSX CSS injection

Strategy mirrors PR #170 (the highs):
- Root workspace: added `overrides` block (`ip-address >=10.1.1`, `hono >=4.12.18`) + `npm update` to re-resolve. express-rate-limit pins `ip-address: 10.1.0` exactly, so the override is required — `npm update` alone couldn't bump it.
- scripts/cdp-bridge (published lockfile, detached from workspace resolver): patched `node_modules/hono` and `node_modules/ip-address` entries directly with new tarball + sha512 integrity, mirroring the fast-uri approach. Added matching overrides to cdp-bridge/package.json so a fresh `npm install rn-dev-agent-cdp` from the published tarball doesn't regress.
- docs-site: `npm update astro postcss` was sufficient (astro is a direct dep with `^6.0.1` range that satisfies the patched 6.1.6+; postcss is a transitive via vite with a permissive range). Bumped: astro 6.1.5 → 6.3.3, postcss 8.5.9 → 8.5.14.

Real-world exploit surface for the hono advisories is essentially zero in our usage — we use hono only as an MCP-transport transitive of `@modelcontextprotocol/sdk` and never invoke `c.cache()`, `bodyLimit()`, or `hono/jsx`. The bumps are about clearing the dashboard, not patching an active vulnerability.

Verified:
- cdp-bridge unit suite: 1464/1464 passing
- docs-site `npm run build`: 159 pages built in 5.29s, 0 errors

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
1 parent ad37702 commit 6fa8860
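The commit message notes that `npm update` alone could not bump `ip-address` because express-rate-limit pins 10.1.0 exactly, which leaves a nested copy under that package's own `node_modules`. The following is an added example, not code from this repository, that walks a lockfile's `packages` map (lockfileVersion 2/3) and reports every resolved copy, nested ones included, that is still below the patched floors named in the message; the lockfile fragment inside it is constructed for illustration.

```javascript
// Added example (not the repo's code): flag lockfile entries that resolve
// below the patched floors the commit cites. Works on lockfileVersion 2/3
// "packages" maps, including nested copies under a dependency's node_modules.
const FLOORS = { "ip-address": "10.1.1", hono: "4.12.18", astro: "6.1.6", postcss: "8.5.10" };

// Numeric compare of "x.y.z" versions; a pre-release suffix is ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// "node_modules/express-rate-limit/node_modules/ip-address" -> "ip-address"
function nameFromKey(key) {
  const idx = key.lastIndexOf("node_modules/");
  return idx === -1 ? key : key.slice(idx + "node_modules/".length);
}

// Return every entry whose version is below its floor. Nested copies matter:
// an exact pin such as express-rate-limit's "ip-address: 10.1.0" lands there,
// which is why the commit needed an override rather than `npm update` alone.
function findBelowFloor(lock, floors = FLOORS) {
  const hits = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (!key) continue; // "" is the root project itself
    const floor = floors[nameFromKey(key)];
    if (floor && entry.version && compareVersions(entry.version, floor) < 0) {
      hits.push({ path: key, version: entry.version, floor });
    }
  }
  return hits;
}

// Constructed lockfile fragment (not from the repo): the top-level ip-address
// is patched, but a nested copy pinned by express-rate-limit is still 10.1.0.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-workspace" },
    "node_modules/hono": { version: "4.12.18" },
    "node_modules/ip-address": { version: "10.1.1" },
    "node_modules/express-rate-limit": { version: "7.0.0" },
    "node_modules/express-rate-limit/node_modules/ip-address": { version: "10.1.0" },
  },
};
```

To run it against a real file, replace `SAMPLE_LOCK` with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))` and print the array `findBelowFloor` returns; an empty array means every resolved copy meets its floor.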

5 files changed

Lines changed: 154 additions & 76 deletions

File tree

docs-site/package-lock.json

Lines changed: 123 additions & 55 deletions

package-lock.json

Lines changed: 18 additions & 14 deletions

package.json

Lines changed: 4 additions & 0 deletions
@@ -14,5 +14,9 @@
1414
},
1515
"devDependencies": {
1616
"@changesets/cli": "^2.27.10"
17+
},
18+
"overrides": {
19+
"ip-address": ">=10.1.1",
20+
"hono": ">=4.12.18"
1721
}
1822
}
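Review bot: the two ranges in the new `overrides` block, `"ip-address": ">=10.1.1"` and `"hono": ">=4.12.18"`, have no upper bound, and an npm override replaces a dependency's own specifier rather than intersecting with it, so a later `npm update` could resolve a future major of either package regardless of what `@modelcontextprotocol/sdk` or express-rate-limit declare. Consider capping them to the patched minor line, e.g. `"ip-address": "^10.1.1"` and `"hono": "^4.12.18"`, which still displaces the exact 10.1.0 pin while keeping the major fixed.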

scripts/cdp-bridge/package-lock.json

Lines changed: 6 additions & 6 deletions

0 commit comments
