fix(deps): close 5 high-severity Dependabot alerts (fast-uri + devalue)#170

Merged
Lykhoyda merged 1 commit into
mainfrom
fix/dependabot-high-severity
May 18, 2026
Conversation

@Lykhoyda (Owner)

Summary

Closes all 5 open high-severity Dependabot alerts on main:

| # | Package | Manifest | Vulnerable → Patched | CVE / Advisory |
|---|---------|----------|----------------------|----------------|
| 11 | fast-uri | scripts/cdp-bridge/package-lock.json | 3.1.0 → 3.1.2 | path traversal via percent-encoded dot segments |
| 15 | fast-uri | scripts/cdp-bridge/package-lock.json | 3.1.0 → 3.1.2 | host confusion via percent-encoded authority delimiters |
| 20 | fast-uri | package-lock.json | 3.1.0 → 3.1.2 | path traversal |
| 21 | fast-uri | package-lock.json | 3.1.0 → 3.1.2 | host confusion |
| 25 | devalue | docs-site/package-lock.json | 5.7.1 → 5.8.1 | DoS via sparse array deserialization |

How

Both packages reach us transitively — patches sit inside the parent's existing semver range, so no package.json API change is required.

  • fast-uri: pulled in via @modelcontextprotocol/sdk → ajv@8.18.0 (^3.0.1). 3.1.2 already satisfies that range.
    • Root lockfile bumped via npm update fast-uri --package-lock-only.
    • scripts/cdp-bridge/package-lock.json is a published lockfile (shipped to npm consumers); it can't be re-resolved through the workspace root, so I patched its node_modules/fast-uri entry directly (version + resolved + integrity sha512). I also added a defensive "fast-uri": ">=3.1.2" override in scripts/cdp-bridge/package.json so a fresh npm install rn-dev-agent-cdp on a future ajv release that pins an older fast-uri can't regress.
  • devalue: pulled in via astro@6.1.5. npm update devalue --package-lock-only in docs-site/ handled it cleanly.

Test plan

  • cdp-bridge unit suite: 1464/1464 passing locally with patched lockfile
  • Lockfile internally consistent (npm install in cdp-bridge clean, no integrity errors)
  • CI green (CodeQL + Build & Test) on this PR
  • Dependabot auto-closes the 5 alerts once merged to main

🤖 Generated with Claude Code

…bot HIGHs

Closes 5 high-severity Dependabot alerts:
- #11, #15: fast-uri path traversal (scripts/cdp-bridge/package-lock.json)
- #20, #21: fast-uri host confusion (root package-lock.json)
- #25: devalue DoS via sparse array deserialization (docs-site/package-lock.json)

fast-uri reaches us transitively via @modelcontextprotocol/sdk → ajv@8.18.0,
which accepts ^3.0.1 — patched 3.1.2 already in range, just needed lockfile
re-resolution. Added a defensive `>=3.1.2` override in scripts/cdp-bridge/
package.json so a fresh install on the published tarball can't regress.

devalue 5.7.1 → 5.8.1 is the same shape via astro@6.1.5 (^5.x range satisfies).

Verified: cdp-bridge unit suite passes (1464/1464).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@Lykhoyda Lykhoyda merged commit cb11d34 into main May 18, 2026
7 checks passed
Lykhoyda added a commit that referenced this pull request May 18, 2026
…ss, astro, postcss) (#172)

Closes 12 medium-severity Dependabot alerts:

- #6: astro <6.1.6 — XSS in define:vars via incomplete </script> sanitization
- #7: postcss <8.5.10 — XSS via unescaped </style> in CSS Stringify output
- #8, #17: ip-address <=10.1.0 — XSS in Address6 HTML-emitting methods
- #9, #10, #18, #19: hono <4.12.16 — bodyLimit() bypass + JSX tag injection
- #12, #14, #22, #24: hono <4.12.18 — cache Vary header + JSX CSS injection

Strategy mirrors PR #170 (the highs):

- Root workspace: added `overrides` block (`ip-address >=10.1.1`, `hono >=4.12.18`)
  + `npm update` to re-resolve. express-rate-limit pins `ip-address: 10.1.0`
  exactly, so the override is required — `npm update` alone couldn't bump it.

- scripts/cdp-bridge (published lockfile, detached from workspace resolver):
  patched `node_modules/hono` and `node_modules/ip-address` entries directly
  with new tarball + sha512 integrity, mirroring the fast-uri approach.
  Added matching overrides to cdp-bridge/package.json so a fresh
  `npm install rn-dev-agent-cdp` from the published tarball doesn't regress.

- docs-site: `npm update astro postcss` was sufficient (astro is a direct
  dep with `^6.0.1` range that satisfies the patched 6.1.6+; postcss is a
  transitive via vite with a permissive range). Bumped: astro 6.1.5 → 6.3.3,
  postcss 8.5.9 → 8.5.14.

Real-world exploit surface for the hono advisories is essentially zero in
our usage — we use hono only as an MCP-transport transitive of
`@modelcontextprotocol/sdk` and never invoke `c.cache()`, `bodyLimit()`,
or `hono/jsx`. The bumps are about clearing the dashboard, not patching
an active vulnerability.

Verified:
- cdp-bridge unit suite: 1464/1464 passing
- docs-site `npm run build`: 159 pages built in 5.29s, 0 errors

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>