
fix(deps): clear 12 medium-severity Dependabot alerts (hono, ip-address, astro, postcss)#172

Merged: Lykhoyda merged 1 commit into main from fix/dependabot-medium-severity on May 18, 2026

Conversation

@Lykhoyda (Owner)

Summary

Closes all 12 open medium-severity Dependabot alerts on main. Follow-up to #170 (the highs).

| # | Package | Manifest | Vulnerable → Patched | Advisory |
|---|---|---|---|---|
| 6 | astro | docs-site/package-lock.json | 6.1.5 → 6.3.3 | XSS in define:vars |
| 7 | postcss | docs-site/package-lock.json | 8.5.9 → 8.5.14 | XSS in CSS Stringify |
| 8, 17 | ip-address | both lockfiles | 10.1.0 → 10.2.0 | XSS in Address6 HTML methods |
| 9, 10, 18, 19 | hono | both lockfiles | 4.12.14 → 4.12.19 | bodyLimit() bypass + JSX tag injection |
| 12, 14, 22, 24 | hono | both lockfiles | 4.12.14 → 4.12.19 | cache Vary header + JSX CSS injection |

How

Mirrors the strategy from #170, with one new wrinkle: express-rate-limit pins ip-address to exactly 10.1.0 (not a range), so npm update alone can't bump it. Required an overrides entry.

Root workspace (package.json + root lockfile)

Added a new overrides block:

\"overrides\": {
  \"ip-address\": \">=10.1.1\",
  \"hono\": \">=4.12.18\"
}

Then npm update ip-address hono --package-lock-only re-resolved against the override. Result: ip-address 10.2.0, hono 4.12.19 in root lockfile.

Published scripts/cdp-bridge/package-lock.json

Detached from the workspace resolver (consumers npm install rn-dev-agent-cdp against this exact lockfile), so the same approach as #170's fast-uri:

  1. Patched node_modules/hono and node_modules/ip-address entries directly (new tarball URL + sha512 integrity).
  2. Added overrides to scripts/cdp-bridge/package.json so fresh consumer installs can't regress.

docs-site

`npm update astro postcss --package-lock-only` was sufficient — astro is a direct dep with `^6.0.1` range that satisfies 6.1.6+, and postcss is a transitive via vite with a permissive range.

Real-world exploit surface

Worth saying explicitly: we don't actually invoke any of the vulnerable APIs.

  • hono advisories all require us to call c.cache(), bodyLimit(), or use hono/jsx. We use hono only as an MCP-transport transitive — none of those code paths are exercised.
  • ip-address advisories target Address6.inspect() HTML output. We never call that — we use ip-address only for IPv4/IPv6 parsing inside express-rate-limit.
  • astro + postcss advisories require attacker-controlled input flowing into define:vars or postcss.stringify(). Our docs site is fully static-generated from in-repo Markdown.

The bumps are about closing the dashboard, not patching an active exploit path.

Test plan

  • cdp-bridge unit suite: 1464/1464 passing locally with patched lockfile + new hono/ip-address
  • docs-site `npm run build`: 159 pages built in 5.29s, 0 errors
  • CI green on this PR (CodeQL + Build & Test)
  • Dependabot auto-closes the 12 alerts once merged

🤖 Generated with Claude Code
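A check a maintainer can run after a bump like this one, added here as an example and not part of the PR: it walks a lockfileVersion 2/3 `packages` map and flags any copy of the four packages, hoisted or nested, whose version still falls inside the advisory ranges the PR lists. The sample lockfile and the express-rate-limit version in it are constructed.

```javascript
// Advisory ranges as stated in the PR: vulnerable if version < bound (or <= when inclusive).
const ADVISORIES = {
  astro:        { bound: "6.1.6",   inclusive: false }, // <6.1.6
  postcss:      { bound: "8.5.10",  inclusive: false }, // <8.5.10
  "ip-address": { bound: "10.1.0",  inclusive: true  }, // <=10.1.0
  hono:         { bound: "4.12.18", inclusive: false }, // <4.12.18
};
// Numeric major.minor.patch; prerelease/build suffixes are ignored here.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}
function compareVersions(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}
function isVulnerable(name, version) {
  const adv = ADVISORIES[name];
  if (!adv) return false;
  const c = compareVersions(version, adv.bound);
  return adv.inclusive ? c <= 0 : c < 0;
}
// Walk a lockfileVersion 2/3 "packages" map. Keys look like "node_modules/hono"
// or "node_modules/express-rate-limit/node_modules/ip-address"; the package name
// is everything after the last "node_modules/", so nested copies are checked too.
function findVulnerable(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1 || !entry.version) continue; // skip the root "" entry
    const name = path.slice(idx + "node_modules/".length);
    if (isVulnerable(name, entry.version)) hits.push({ path, name, version: entry.version });
  }
  return hits;
}
// Constructed sample lockfile (not from the repo): the hoisted ip-address is
// patched, but a nested copy pinned under express-rate-limit still sits at 10.1.0.
const SAMPLE_LOCK = JSON.parse(`{"lockfileVersion": 3, "packages": {
  "": {"name": "sample"},
  "node_modules/hono": {"version": "4.12.19"},
  "node_modules/ip-address": {"version": "10.2.0"},
  "node_modules/express-rate-limit": {"version": "0.0.0-constructed"},
  "node_modules/express-rate-limit/node_modules/ip-address": {"version": "10.1.0"}}}`);
for (const h of findVulnerable(SAMPLE_LOCK)) console.log(`VULNERABLE ${h.name}@${h.version} at ${h.path}`);
```

Replace `SAMPLE_LOCK` with `JSON.parse` of a real lockfile to audit it; a non-empty result means an override or a direct lockfile patch is still needed for that path.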

…ss, astro, postcss)

Closes 12 medium-severity Dependabot alerts:

- #6: astro <6.1.6 — XSS in define:vars via incomplete </script> sanitization
- #7: postcss <8.5.10 — XSS via unescaped </style> in CSS Stringify output
- #8, #17: ip-address <=10.1.0 — XSS in Address6 HTML-emitting methods
- #9, #10, #18, #19: hono <4.12.16 — bodyLimit() bypass + JSX tag injection
- #12, #14, #22, #24: hono <4.12.18 — cache Vary header + JSX CSS injection

Strategy mirrors PR #170 (the highs):

- Root workspace: added `overrides` block (`ip-address >=10.1.1`, `hono >=4.12.18`)
  + `npm update` to re-resolve. express-rate-limit pins `ip-address: 10.1.0`
  exactly, so the override is required — `npm update` alone couldn't bump it.

- scripts/cdp-bridge (published lockfile, detached from workspace resolver):
  patched `node_modules/hono` and `node_modules/ip-address` entries directly
  with new tarball + sha512 integrity, mirroring the fast-uri approach.
  Added matching overrides to cdp-bridge/package.json so a fresh
  `npm install rn-dev-agent-cdp` from the published tarball doesn't regress.

- docs-site: `npm update astro postcss` was sufficient (astro is a direct
  dep with `^6.0.1` range that satisfies the patched 6.1.6+; postcss is a
  transitive via vite with a permissive range). Bumped: astro 6.1.5 → 6.3.3,
  postcss 8.5.9 → 8.5.14.

Real-world exploit surface for the hono advisories is essentially zero in
our usage — we use hono only as an MCP-transport transitive of
`@modelcontextprotocol/sdk` and never invoke `c.cache()`, `bodyLimit()`,
or `hono/jsx`. The bumps are about clearing the dashboard, not patching
an active vulnerability.

Verified:
- cdp-bridge unit suite: 1464/1464 passing
- docs-site `npm run build`: 159 pages built in 5.29s, 0 errors

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@Lykhoyda Lykhoyda merged commit 6fa8860 into main May 18, 2026
7 checks passed