Skip to content

[Aikido] Fix 69 critical issues in lodash-es, protobufjs, seroval and 19 more#41

Closed
aikido-autofix[bot] wants to merge 1 commit into
mainfrom
fix/aikido-security-update-packages-63021652-7ezm
Closed

[Aikido] Fix 69 critical issues in lodash-es, protobufjs, seroval and 19 more#41
aikido-autofix[bot] wants to merge 1 commit into
mainfrom
fix/aikido-security-update-packages-63021652-7ezm

Conversation

@aikido-autofix

@aikido-autofix aikido-autofix Bot commented Jul 9, 2026

Copy link
Copy Markdown

Upgrade dependencies to fix critical RCE vulnerabilities in lodash, protobufjs, seroval, h3, undici, and others including SSE injection, code injection, prototype pollution, and HTTP request smuggling.

⚠️ Incomplete breaking changes analysis (15/22 analyzed)

⚠️ Breaking changes analysis not available for: protobufjs, seroval, solid-js, launchdarkly-js-client-sdk, react-use, @grpc/grpc-js, @rtk-query/graphql-request-base-query

✅ After analyzing the codebase for usage of the upgraded packages and their breaking changes, I found that no breaking changes from the package upgrades affect this codebase:

lodash/lodash-es: The codebase uses lodash.debounce (a separate package) and has a custom omit function implementation in ui/apps/dashboard/src/components/Charts/SimpleLineChart.tsx. No usage of _.unset, _.omit, or _.template from the lodash package was found.

next: While Next.js is used in the UI packages, the codebase uses Next.js v14.2.30 (not upgrading to v15), so the breaking changes listed for v15.x do not apply.

@modelcontextprotocol/sdk: The MCP SDK is used in pkg/devserver/mcp.go (Go code), which returns *mcp.CallToolResult from tool handlers. The breaking change about error handling (returning MCP protocol errors instead of CallToolResult with isError: true) does not affect this code, as there's no usage of isError: true pattern in the implementation.

uuid: The codebase uses uuid v13.0.0 in the dashboard package and imports v4 as uuidv4 from uuid in TypeScript files. The breaking changes in uuid v10.0.0 and v11.0.0 (Node.js version requirements and internal refactoring) do not affect the codebase since Node.js 20.x is already specified in the engines field, which exceeds the minimum requirement.

opentelemetry packages: The Go code uses the Go OpenTelemetry SDK (go.opentelemetry.io/otel/sdk/log), not the JavaScript @opentelemetry/sdk-logs package. The breaking changes in the JavaScript OpenTelemetry packages do not affect the Go implementation.

@clerk/tanstack-react-start: The upgrade from 0.26.10 to 0.29.11 requires TanStack Start 1.157.0+. The codebase uses @tanstack/react-start v1.158.1, which satisfies this requirement.

defu, js-cookie, form-data: No direct imports or usage of these packages were found in the application code (they may be transitive dependencies only).

All breaking changes by upgrading lodash-es from version 4.17.21 to 4.18.1 (CHANGELOG)

Version Description
4.18.0
_.unset / _.omit: constructor and prototype are now blocked unconditionally as non-terminal path keys. Calls that previously returned true and deleted the property now return false and leave the target untouched.
4.18.0
_.template: imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template" error, where previously they were accepted.

All breaking changes by upgrading next from version 14.2.35 to 15.5.16 (CHANGELOG)

Version Description
15.0.0
Remove deprecated analyticsId from config, and the corresponding performance-relayer files and tests
15.0.0
Remove squoosh in favor of sharp as optional dependency for next/image
15.0.0
Change default Content-Disposition to attachment for next/image
15.0.0
Error when src has leading or trailing space in next/image
15.0.0
Set upstream timeout to 7 seconds for next/image
15.0.0
Add sharp timeout of 10 seconds
15.0.0
Pages router: Enable strict next/head children reconciler by default
15.0.0
Disable automatic static generation for route handlers
15.0.0
Disable client router cache for page segments
15.0.0
Disable automatic fetch caching
15.0.0
Remove geo and ip from NextRequest
15.0.0
Update Dynamic APIs to be async (cookies, headers, params, searchParams)
15.0.0
Support ESLint v9 in plugin, config and next lint
15.0.0
Bump minimum Node.js version to 18.18 (up from 18.17)
15.1.0
Error on navigation API usage in pages router and middleware: navigation API usage is now forbidden in pages router and middleware, which will cause errors for code that previously used these APIs in those contexts.
15.1.0
Disallow multiple server directives at the same level (file or function): code with multiple server directives (like "use server" and "use cache") at the same level will no longer be allowed.
15.1.0
Forbid this and arguments in server functions: server functions can no longer use this or arguments, which will break existing server functions that rely on these features.
15.1.0
Forbid super in static class methods with server function directives: static class methods with server function directives cannot use super, breaking code that previously did so.
15.1.0
Emit build error when "use cache" is used without dynamicIO enabled: builds will now fail if "use cache" is used without enabling the dynamicIO flag.
15.1.0
Emit build error for unknown cache kinds: builds will fail when encountering unknown cache kinds, which may break builds that previously succeeded with warnings or were silently ignored.
15.1.0
Increase max cache tags to 128: while this is an increase, it establishes a new hard limit that could break code attempting to use more than 128 cache tags.
15.2.0
Removed internal_disableSyncDynamicAPIWarnings flag
15.2.0
Disabled colormin feature from cssnano
15.2.0
Turbopack now uses new backend by default
15.2.0
Removed experimental.reactOwnerStack flag
15.2.0
rootParams() is now a plain Promise (not exotic)
15.2.0
Removed --no-mangling CLI option for next build
15.2.0
Deprecated devIndicators options appIsrStatus and buildActivity
15.2.0
Deprecated devIndicators.buildActivityPosition and renamed to position
15.2.0
Removed old Dev Overlay
15.2.0
Removed the experiment config for overlay (new dev overlay enabled by default)
15.2.0
Streaming metadata enabled by default
15.2.0
Promoted streaming metadata configs to stable
15.2.0
Warning about i18n configuration deprecation in app router
15.2.0
Disabled turbo daemon by default
15.2.0
Error when output: export is used with intercepting routes
...

All breaking changes by upgrading @modelcontextprotocol/sdk from version 1.18.1 to 1.26.0 (CHANGELOG)

Version Description
1.21.0
Non-existent tool, disabled tool and inputSchema validation now return MCP protocol level errors instead of CallToolResult with isError: true
1.22.0
Implementation of SEP-986 specifies format for tool names, which may restrict previously valid tool name formats
1.23.0
Scope management adjusted to line up with SEP-835, which may change authorization behavior
1.25.0
Remove loose/passthrough types not allowed/defined by MCP spec + Task types - strict spec compliance enforcement removes previously accepted types

All breaking changes by upgrading @clerk/tanstack-react-start from version 0.26.10 to 0.29.11 (CHANGELOG)

Version Description
0.29.0
Bumped minimum required TanStack Start dependencies to 1.157.0+ and removed usage of deprecated json() in favor of standard Web APIs.

All breaking changes by upgrading defu from version 6.1.4 to 6.1.5 (CHANGELOG)

Version Description
v6.1.5
Inherited enumerable properties are now ignored, which may affect code that previously relied on merging inherited properties from prototype chains

All breaking changes by upgrading @opentelemetry/auto-instrumentations-node from version 0.67.2 to 0.75.0 (CHANGELOG)

Version Description
0.72.0
Removal of instrumentation-fastify from auto-instrumentations-node package

All breaking changes by upgrading js-cookie from version 3.0.5 to 3.0.7 (CHANGELOG)

Version Description
3.0.7
Prevent cookie attribute injection: CVE-2026-46625 - this security fix may restrict previously working behavior that involved cookie attribute injection

All breaking changes by upgrading lodash from version 4.17.21 to 4.18.1 (CHANGELOG)

Version Description
4.18.0
_.unset / _.omit now block constructor and prototype as non-terminal path keys unconditionally. Calls that previously returned true and deleted the property now return false and leave the target untouched.
4.18.0
_.template now throws "Invalid imports option passed into _.template" when imports keys contain forbidden identifier characters, which were previously allowed.
✅ 61 CVEs resolved by this upgrade, including 6 critical 🚨 CVEs

This PR will resolve the following CVEs:

Issue Severity           Description
CVE-2026-33128
🚨 CRITICAL
[h3] createEventStream is vulnerable to Server-Sent Events (SSE) injection due to missing newline sanitization, allowing attackers who control SSE message fields to inject arbitrary events to connected clients.
CVE-2026-4800
🚨 CRITICAL
[lodash] A vulnerability in _.template allows arbitrary code execution through untrusted key names in options.imports or prototype pollution, as validation was incomplete after a prior CVE fix. An attacker can inject malicious code that executes during template compilation.
CVE-2025-13465
MEDIUM
[lodash] A prototype pollution vulnerability in _.unset and _.omit functions allows attackers to delete methods from global prototypes via crafted paths. While this prevents property overwriting, it can cause denial of service by removing critical functionality.
CVE-2026-2950
MEDIUM
[lodash] Prototype pollution vulnerability in _.unset and _.omit functions allows attackers to bypass previous fixes using array-wrapped path segments, enabling deletion of properties from built-in prototypes. While this doesn't allow overwriting prototype behavior, it can cause denial of service or unexpected application behavior.
CVE-2026-41242
🚨 CRITICAL
[protobufjs] Arbitrary code injection vulnerability in protobuf type fields allows attackers to execute malicious code during object decoding. This enables remote code execution (RCE) when processing untrusted protobuf definitions.
CVE-2026-44293
HIGH
[protobufjs] A vulnerability in protobuf schema compilation allows attackers to inject arbitrary code into generated JavaScript functions through crafted bytes field default values. This enables remote code execution when processing malicious protobuf descriptors.
CVE-2026-44291
HIGH
[protobufjs] Prototype pollution vulnerability allows attackers to inject malicious strings into generated JavaScript code through polluted Object.prototype, enabling arbitrary code execution during protobuf encoding and decoding operations.
CVE-2026-44289
HIGH
[protobufjs] Unbounded recursion during protobuf decoding allows a crafted binary payload to exhaust the JavaScript call stack, causing a denial of service. The vulnerability affects both unknown group field skipping and nested message field decoding.
CVE-2026-44290
HIGH
[protobufjs] A prototype pollution vulnerability allows attackers to write to global JavaScript constructor properties through crafted protobuf schemas, corrupting built-in functionality and potentially enabling remote code execution. The flaw exists in schema option path handling that fails to properly restrict property traversal during option application.
CVE-2026-45740
HIGH
[protobufjs] Unbounded recursion in JSON descriptor parsing allows attackers to exhaust the JavaScript call stack by providing deeply nested namespace definitions, causing a denial of service during descriptor loading.
CVE-2026-48712
HIGH
[protobufjs] A lack of recursion depth limits in message-to-object conversion allows attackers to exhaust the JavaScript call stack via deeply nested protobuf messages, causing a denial of service during JSON conversion.
AIKIDO-2026-10467
MEDIUM
[protobufjs] Prototype pollution vulnerability in message initialization allows attackers to inject malicious properties via the proto field, enabling prototype chain manipulation and unintended property injection across the application.
CVE-2026-44288
MEDIUM
[protobufjs] A UTF-8 decoder vulnerability allows attackers to bypass application-level checks by decoding overlong UTF-8 byte sequences into canonical characters, potentially enabling malicious strings to pass validation filters. This could lead to security bypasses in protobuf message processing.
CVE-2026-44292
MEDIUM
[protobufjs] Prototype pollution vulnerability in message constructors allows attackers to modify the prototype of message instances by providing a malicious proto property, potentially enabling arbitrary code execution or object manipulation.
CVE-2026-44294
MEDIUM
[protobufjs] Unescaped control characters in field names can be embedded into generated JavaScript functions, causing code injection that breaks encode, decode, verify, or conversion functions during compilation. An attacker can exploit this via a crafted schema or JSON descriptor to cause denial of service.
CVE-2026-23736
🚨 CRITICAL
[seroval] Improper input validation in JSON deserialization allows malicious object keys to cause prototype pollution, enabling attackers to modify object prototypes and potentially execute arbitrary code or manipulate application behavior.
CVE-2026-23737
HIGH
[seroval] Improper input handling in JSON deserialization allows arbitrary JavaScript code execution through constant value and error deserialization overrides. Attackers can exploit fromJSON and fromCrossJSON functions via multiple requests to achieve RCE in client-to-server scenarios.
CVE-2026-23957
HIGH
[seroval] A denial of service vulnerability exists where attackers can override encoded array lengths with excessively large values, causing the deserialization process to consume significant processing time and resources.
CVE-2026-24006
HIGH
[seroval] A stack overflow vulnerability occurs when serializing deeply nested objects, causing denial of service. The vulnerability is mitigated by introducing a configurable depth limit parameter that throws an error when exceeded.
CVE-2026-1525
🚨 CRITICAL
[undici] Duplicate HTTP Content-Length headers with case-variant names are allowed, creating malformed requests that can cause denial of service or enable HTTP request smuggling attacks in inconsistent header interpretation scenarios.
CVE-2026-1526
HIGH
[undici] A malicious WebSocket server can send compressed frames that expand to extremely large sizes in memory without limits, causing denial-of-service through memory exhaustion and process crash. The vulnerability stems from unbounded decompression in the permessage-deflate extension without size validation.
CVE-2026-1528
HIGH
[undici] A server can send a WebSocket frame with an extremely large 64-bit length value, causing ByteParser integer overflow that results in a fatal TypeError and process termination (DoS).
CVE-2026-2229
HIGH
[undici] A malicious WebSocket server can crash the client process by sending an invalid server_max_window_bits parameter in the permessage-deflate extension, causing an uncaught RangeError when creating a zlib decompressor with an out-of-range value.
CVE-2026-22036
HIGH
[undici] An unbounded decompression chain vulnerability allows a malicious server to insert thousands of compression steps, causing excessive CPU usage and memory allocation. This results in denial of service through resource exhaustion.
AIKIDO-2026-10022
MEDIUM
[undici] A malicious server can send HTTP responses with excessive layered Content-Encoding headers, forcing the client into recursive decompression that exhausts CPU and memory resources, causing denial-of-service. This was mitigated by limiting the encoding chain to a maximum of 5 layers.
CVE-2026-1527
MEDIUM
[undici] HTTP request smuggling vulnerability allowing CRLF injection through the upgrade option, enabling arbitrary header injection and premature request termination to smuggle data to non-HTTP services.
AIKIDO-2026-10369
LOW
[undici] Prototype pollution vulnerability allows attackers to modify object prototypes through specially crafted input with keys like __proto__ or constructor, potentially influencing application behavior or enabling further attacks.
CVE-2026-41248
🚨 CRITICAL
[@clerk/shared] A route matcher bypass vulnerability allows crafted requests to skip middleware gating and reach downstream handlers, potentially enabling unauthorized access to protected resources.
CVE-2026-42349
HIGH
[@clerk/shared] Authorization predicates can incorrectly return true for combined checks (reverification with role/permission/feature/plan, or billing with role/permission), allowing unauthorized access to gated actions when conditions should fail.
CVE-2026-44578
HIGH
[next] Self-hosted applications are vulnerable to server-side request forgery (SSRF) through crafted WebSocket upgrade requests, allowing attackers to proxy requests to arbitrary destinations and potentially expose internal services or cloud metadata. Vercel-hosted deployments are unaffected.
AIKIDO-2026-10758
HIGH
[next] A WebSocket upgrade proxying vulnerability allows attackers to craft requests that trigger outbound connections to arbitrary destinations, enabling server-side request forgery and potential exposure of internal services. This affects self-hosted deployments and can be exploited to reach internal or external targets.
GHSA-q4gf-8mx6-v5v3
HIGH
[next] A specially crafted HTTP request to App Router Server Function endpoints can trigger excessive CPU usage during deserialization, causing denial of service (DoS).
AIKIDO-2026-10762
HIGH
[next] A deserialization vulnerability in server function endpoints allows attackers to consume excessive CPU through crafted input, causing denial of service by exhausting request handling capacity and degrading application availability.
AIKIDO-2026-10757
HIGH
[next] A vulnerability in Pages Router with i18n allows attackers to bypass middleware authorization checks by accessing locale-less data routes, enabling unauthorized access to protected page data through alternate paths.
CVE-2026-44573
HIGH
[next] A vulnerability allows unauthorized access to protected page data in applications using Pages Router with i18n configuration, as middleware authorization checks are bypassed for locale-less data route requests. An attacker can retrieve sensitive SSR JSON data without passing authorization checks, resulting in information disclosure.
GHSA-8h8q-6873-q5fj
HIGH
[next] A specially crafted HTTP request to App Router Server Function endpoints can trigger excessive CPU usage during deserialization, causing denial of service (DoS).
CVE-2026-29057
MEDIUM
[next] HTTP request smuggling vulnerability in Next.js rewrites with chunked DELETE/OPTIONS requests allows attackers to bypass route restrictions and access unintended backend endpoints. An attacker could smuggle malicious requests to internal or admin routes through request boundary disagreement between proxy and backend.
AIKIDO-2026-10755
MEDIUM
[next] Inline beforeInteractive script serialization insufficiently escapes untrusted input, allowing attackers to break script boundaries and execute arbitrary JavaScript in the browser when untrusted data is passed to script props.
CVE-2026-44580
MEDIUM
[next] A cross-site scripting (XSS) vulnerability exists in applications using beforeInteractive scripts with untrusted content, where serialized script content is not properly escaped, allowing attackers to execute arbitrary JavaScript in visitors' browsers.
AIKIDO-2026-10754
MEDIUM
[next] The Image Optimization API fails to enforce consistent maximum-size limits when loading local images into memory, allowing attackers to exhaust process memory through large local assets and cause denial of service in self-hosted configurations.
CVE-2026-44577
MEDIUM
[next] A memory exhaustion vulnerability in the Image Optimization API allows attackers to trigger out-of-memory conditions by requesting large local assets through the /_next/image endpoint without size limits. This can cause denial of service by consuming excessive server memory.
CVE-2026-44572
MEDIUM
[next] A vulnerability allows attackers to send a crafted x-nextjs-data header on requests to middleware-handled paths, causing the redirect response to use an internal header instead of the standard Location header, which browsers cannot follow. If deployed behind a caching CDN or reverse proxy, this can poison the cache and cause denial of service for affected redirect paths.
AIKIDO-2026-10753
MEDIUM
[next] A cache poisoning vulnerability allows attackers to cause incorrect React Server Component payloads to be cached and served to users under shared-cache conditions, potentially returning malformed responses and compromising application functionality.
CVE-2026-44576
MEDIUM
[next] Applications using React Server Components are vulnerable to cache poisoning due to improper response variant partitioning in shared caches, allowing attackers to serve component payloads instead of HTML and poison cache entries for subsequent visitors. This enables unauthorized content injection and potential remote code execution through malicious component payloads.
AIKIDO-2026-10756
MEDIUM
[next] A vulnerability in App Router allows malformed CSP nonce values from request headers to be reflected into HTML, potentially poisoning cached content and enabling script execution for other users in shared-cache deployments.
CVE-2026-44581
MEDIUM
[next] App Router applications using CSP nonces are vulnerable to stored cross-site scripting when deployed behind shared caches, as malformed nonce values from request headers can be unsafely reflected into HTML, allowing attackers to poison cached responses and execute scripts for subsequent visitors.
AIKIDO-2026-10752
LOW
[next] RSC cache-busting values can collide in shared cache deployments, allowing attackers to poison cache variants and serve incorrect component responses to users. This vulnerability stems from insufficient collision resistance in response variant separation.
AIKIDO-2026-10751
LOW
[next] A vulnerability in middleware redirect handling allows attackers to manipulate redirect responses and poison caches by spoofing internal-data headers, causing subsequent users to receive broken cached redirects until expiry.
CVE-2026-44582
LOW
[next] React Server Component responses are vulnerable to cache poisoning due to insufficient response partitioning, allowing attackers to manipulate cache entries and serve incorrect content to users. This can lead to information disclosure or content manipulation through collisions in cache-busting values.
CVE-2026-42047
HIGH
[inngest] Unauthenticated attackers can exfiltrate environment variables via PATCH, OPTIONS, or DELETE requests to the serve() HTTP handler, exposing secrets and credentials. This occurs because unhandled HTTP methods return diagnostic information containing process.env contents.
CVE-2025-66414
HIGH
[@modelcontextprotocol/sdk] DNS rebinding vulnerability in HTTP-based MCP servers allows malicious websites to bypass same-origin policy and invoke tools or access resources on unauthenticated localhost servers. The vulnerability requires DNS rebinding protection to be explicitly enabled, as it is disabled by default.
CVE-2026-25536
HIGH
[@modelcontextprotocol/sdk] A cross-client response data leak vulnerability occurs when a single McpServer instance and transport are reused across multiple client connections, allowing responses intended for one client to be leaked to others. This enables information disclosure and potential unauthorized access to sensitive data between clients.
CVE-2026-35209
HIGH
[defu] Prototype pollution vulnerability in the defu function allows attackers to override default object properties through crafted __proto__ payloads in unsanitized user input, potentially leading to application logic bypass or information disclosure.
CVE-2026-41907
HIGH
[uuid] A buffer overflow vulnerability allows v3, v5, and v6 UUID functions to write beyond caller-provided buffer boundaries when given small buffers or large offsets, causing silent data corruption. This can lead to memory corruption and potential code execution or information disclosure.
AIKIDO-2026-10892
MEDIUM
[uuid] UUID functions v3(), v5(), and v6() can write past the end of a caller-provided buffer due to missing offset validation, enabling buffer overflow attacks. The fix adds bounds checks to prevent out-of-range writes.
CVE-2026-44902
HIGH
[@opentelemetry/auto-instrumentations-node] A malformed HTTP request to the Prometheus metrics endpoint causes an uncaught TypeError, crashing the Node.js process due to missing error handling in URL parsing. This results in a Denial of Service vulnerability.
CVE-2026-45736
HIGH
[ws] is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument. This vulnerability is fixed in 8.20.1.
CVE-2026-46625
HIGH
[js-cookie] A prototype pollution vulnerability allows attackers to inject malicious cookie attributes (domain, secure, samesite, expires, path) by exploiting unsafe property copying from JSON-parsed objects. This enables attackers to bypass cookie security restrictions set by developers.
CVE-2026-48068
HIGH
[@grpc/grpc-js] Invalid HTTP/2 stream initiation can crash server processes, causing denial of service. All gRPC servers are affected by this vulnerability.
CVE-2026-48069
HIGH
[@grpc/grpc-js] An invalid incoming compressed message can cause a client or server process to crash, resulting in a denial of service affecting all users of the library.
CVE-2026-12143
HIGH
[form-data] A CRLF injection vulnerability in the field and filename arguments allows attackers to inject headers or multipart parts into requests, potentially enabling form field manipulation or bypass attacks when untrusted input is used as field names or filenames.

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes using high effort and found 2 potential issues.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 7822282. Configure here.

},
"dependencies": {
"@clerk/tanstack-react-start": "^0.26.5",
"@clerk/tanstack-react-start": "^0.29.11",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Clerk upgraded without TanStack Start

High Severity

Updating @clerk/tanstack-react-start to ^0.29.11 creates a version mismatch with @tanstack/react-router and @tanstack/react-start (pinned at 1.134.x). Clerk 0.29.x requires TanStack ^1.157.0, which may cause build or runtime failures for auth middleware and server functions in the support app.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 7822282. Configure here.

Comment thread ui/package.json
"nodemon>brace-expansion": "1.1.11"
"nodemon>brace-expansion": "1.1.11",
"lodash-es@<=4.18.1": "4.18.1",
"protobufjs@<=7.6.1": "7.6.1",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

protobufjs override misses 8.x

Medium Severity

The new pnpm override protobufjs@<=7.6.17.6.1 only remediates the 7.x line. The lockfile still resolves protobufjs@8.0.1 for OpenTelemetry’s OTLP transformer, which is outside that range, so protobuf-related CVE fixes from this PR may not apply to that dependency path.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 7822282. Configure here.

@aikido-autofix

Copy link
Copy Markdown
Author

Closed by Aikido: a new AutoFix has been created → #42

@aikido-autofix aikido-autofix Bot closed this Jul 10, 2026
@aikido-autofix aikido-autofix Bot deleted the fix/aikido-security-update-packages-63021652-7ezm branch July 10, 2026 00:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants