Commit cb11d34
fix(deps): bump fast-uri >=3.1.2 and devalue >=5.8.1 to clear Dependabot HIGHs (#170)
Closes 5 high-severity Dependabot alerts:
- #11, #15: fast-uri path traversal (scripts/cdp-bridge/package-lock.json)
- #20, #21: fast-uri host confusion (root package-lock.json)
- #25: devalue DoS via sparse array deserialization (docs-site/package-lock.json)
fast-uri reaches us transitively via @modelcontextprotocol/sdk → ajv@8.18.0,
which accepts ^3.0.1 — patched 3.1.2 already in range, just needed lockfile
re-resolution. Added a defensive `>=3.1.2` override in scripts/cdp-bridge/
package.json so a fresh install on the published tarball can't regress.
devalue 5.7.1 → 5.8.1 is the same shape via astro@6.1.5 (^5.x range satisfies).
Verified: cdp-bridge unit suite passes (1464/1464).
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
1 parent d44d313 commit cb11d34
4 files changed
Lines changed: 24 additions & 37 deletions
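As an added example that is not part of this commit or the repository, the following Node script does the lockfile check the message describes by hand: it walks a package-lock.json (`lockfileVersion` 2 or 3, `packages` map) and reports every installed copy of a named package below its patched version, including nested copies under another dependency's own `node_modules`, which a top-level-only check would miss. It also builds the kind of `overrides` entry the message adds. The sample lockfile, the `some-tool` path and the 3.0.6 version are constructed for illustration; the 3.1.2 and 5.8.1 minimums, the ajv@8.18.0 → fast-uri `^3.0.1` edge and devalue 5.7.1 come from the commit message.

```javascript
// Added example (not from the commit): scan an npm package-lock.json for every
// installed copy of a package below a patched version. The lockfile below is
// CONSTRUCTED for illustration; it is not the repository's lockfile.

// Parse "1.2.3-beta+build" into [1, 2, 3]. Prerelease/build tags are ignored,
// so "3.1.2-rc.1" compares equal to "3.1.2"; tighten this if you ship prereleases.
function parseVersion(v) {
  const core = String(v).split(/[-+]/)[0];
  return core.split('.').map((n) => Number.parseInt(n, 10) || 0);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// The package name is everything after the LAST "node_modules/" in the lock path,
// so nested copies (node_modules/foo/node_modules/fast-uri) are caught, not only
// the hoisted one. Returns null for the root entry ("").
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// minimums: { 'fast-uri': '3.1.2', ... }. Returns every lock entry whose resolved
// version is below the minimum for its package, with the path so you can see
// which dependency still pins the stale copy.
function findUnpatched(lock, minimums) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (!name || !(name in minimums) || !entry.version) continue;
    if (compareVersions(entry.version, minimums[name]) < 0) {
      findings.push({ path: lockPath, name, version: entry.version, required: minimums[name] });
    }
  }
  return findings;
}

// Build an npm "overrides" entry like the one the commit adds, but bounded to the
// same major (">=3.1.2 <4.0.0") rather than an open-ended ">=3.1.2", so a future
// major with breaking changes cannot be pulled in unnoticed by the override.
function withOverride(packageJson, name, minVersion) {
  const nextMajor = parseVersion(minVersion)[0] + 1;
  const overrides = { ...(packageJson.overrides || {}), [name]: `>=${minVersion} <${nextMajor}.0.0` };
  return { ...packageJson, overrides };
}

// Constructed sample: the hoisted fast-uri is already patched, but a stale nested
// copy under "some-tool" (hypothetical) and the pre-fix devalue remain.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/ajv': { version: '8.18.0', dependencies: { 'fast-uri': '^3.0.1' } },
    'node_modules/fast-uri': { version: '3.1.2' },
    'node_modules/some-tool/node_modules/fast-uri': { version: '3.0.6' },
    'node_modules/devalue': { version: '5.7.1' },
  },
};

// Minimum patched versions from the commit message.
const MINIMUMS = { 'fast-uri': '3.1.2', devalue: '5.8.1' };

// Usage: `node check-lock.js [path/to/package-lock.json]`; with no path it scans
// the constructed sample above. Prints one line per unpatched copy.
if (typeof require !== 'undefined' && require.main === module) {
  const lock = process.argv[2]
    ? JSON.parse(require('node:fs').readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  for (const f of findUnpatched(lock, MINIMUMS)) {
    console.log(`${f.path}: ${f.name}@${f.version} is below ${f.required}`);
  }
}
```

The reason to key on the last `node_modules/` segment is the one the message hints at: a patched range in the manifest is not enough when the lockfile still resolves an older copy somewhere in the tree, so the check has to look at every resolved entry, not at the declared ranges.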
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
25 | 25 | | |
26 | 26 | | |
27 | 27 | | |
28 | | - | |
| 28 | + | |
| 29 | + | |
29 | 30 | | |
30 | 31 | | |
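Review bot: the rendered hunk (old line 28 removed, new lines 28 and 29 added) carries no file contents, so the override this commit adds cannot be verified from this view and should be checked against the raw diff. Per the message it is an open-ended `>=3.1.2` in scripts/cdp-bridge/package.json; in npm `overrides` that lower bound also admits any future major of fast-uri, which ajv's own `^3.0.1` range would not, so consider `>=3.1.2 <4` (or `^3.1.2`) to keep the forced version within the major ajv@8.18.0 was resolved against.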