[Aikido] Fix 69 critical issues in lodash-es, protobufjs, seroval and 19 more#41
Conversation
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes using high effort and found 2 potential issues.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 7822282. Configure here.
| }, | ||
| "dependencies": { | ||
| "@clerk/tanstack-react-start": "^0.26.5", | ||
| "@clerk/tanstack-react-start": "^0.29.11", |
There was a problem hiding this comment.
Clerk upgraded without TanStack Start
High Severity
Updating @clerk/tanstack-react-start to ^0.29.11 creates a version mismatch with @tanstack/react-router and @tanstack/react-start (pinned at 1.134.x). Clerk 0.29.x requires TanStack ^1.157.0, which may cause build or runtime failures for auth middleware and server functions in the support app.
Reviewed by Cursor Bugbot for commit 7822282. Configure here.
| "nodemon>brace-expansion": "1.1.11" | ||
| "nodemon>brace-expansion": "1.1.11", | ||
| "lodash-es@<=4.18.1": "4.18.1", | ||
| "protobufjs@<=7.6.1": "7.6.1", |
There was a problem hiding this comment.
protobufjs override misses 8.x
Medium Severity
The new pnpm override protobufjs@<=7.6.1 → 7.6.1 only remediates the 7.x line. The lockfile still resolves protobufjs@8.0.1 for OpenTelemetry’s OTLP transformer, which is outside that range, so protobuf-related CVE fixes from this PR may not apply to that dependency path.
Reviewed by Cursor Bugbot for commit 7822282. Configure here.
|
Closed by Aikido: a new AutoFix has been created → #42 |


Upgrade dependencies to fix critical RCE vulnerabilities in lodash, protobufjs, seroval, h3, undici, and others including SSE injection, code injection, prototype pollution, and HTTP request smuggling.
✅ After analyzing the codebase for usage of the upgraded packages and their breaking changes, I found that no breaking changes from the package upgrades affect this codebase:
lodash/lodash-es: The codebase uses
lodash.debounce(a separate package) and has a customomitfunction implementation inui/apps/dashboard/src/components/Charts/SimpleLineChart.tsx. No usage of_.unset,_.omit, or_.templatefrom the lodash package was found.next: While Next.js is used in the UI packages, the codebase uses Next.js v14.2.30 (not upgrading to v15), so the breaking changes listed for v15.x do not apply.
@modelcontextprotocol/sdk: The MCP SDK is used in
pkg/devserver/mcp.go(Go code), which returns*mcp.CallToolResultfrom tool handlers. The breaking change about error handling (returning MCP protocol errors instead ofCallToolResultwithisError: true) does not affect this code, as there's no usage ofisError: truepattern in the implementation.uuid: The codebase uses
uuidv13.0.0 in the dashboard package and importsv4 as uuidv4from uuid in TypeScript files. The breaking changes in uuid v10.0.0 and v11.0.0 (Node.js version requirements and internal refactoring) do not affect the codebase since Node.js 20.x is already specified in the engines field, which exceeds the minimum requirement.opentelemetry packages: The Go code uses the Go OpenTelemetry SDK (
go.opentelemetry.io/otel/sdk/log), not the JavaScript@opentelemetry/sdk-logspackage. The breaking changes in the JavaScript OpenTelemetry packages do not affect the Go implementation.@clerk/tanstack-react-start: The upgrade from 0.26.10 to 0.29.11 requires TanStack Start 1.157.0+. The codebase uses
@tanstack/react-startv1.158.1, which satisfies this requirement.defu, js-cookie, form-data: No direct imports or usage of these packages were found in the application code (they may be transitive dependencies only).
All breaking changes by upgrading lodash-es from version 4.17.21 to 4.18.1 (CHANGELOG)
_.unset/_.omit:constructorandprototypeare now blocked unconditionally as non-terminal path keys. Calls that previously returnedtrueand deleted the property now returnfalseand leave the target untouched._.template:importskeys containing forbidden identifier characters now throw"Invalid imports option passed into _.template"error, where previously they were accepted.All breaking changes by upgrading next from version 14.2.35 to 15.5.16 (CHANGELOG)
squooshin favor ofsharpas optional dependency for next/imageContent-Dispositiontoattachmentfor next/imagesrchas leading or trailing space in next/imagenext/headchildren reconciler by defaultgeoandipfromNextRequestnext lint"use server"and"use cache") at the same level will no longer be allowed.thisandargumentsin server functions: server functions can no longer usethisorarguments, which will break existing server functions that rely on these features.superin static class methods with server function directives: static class methods with server function directives cannot usesuper, breaking code that previously did so."use cache"is used withoutdynamicIOenabled: builds will now fail if"use cache"is used without enabling thedynamicIOflag.internal_disableSyncDynamicAPIWarningsflagcolorminfeature fromcssnanoexperimental.reactOwnerStackflagrootParams()is now a plain Promise (not exotic)--no-manglingCLI option fornext builddevIndicatorsoptionsappIsrStatusandbuildActivitydevIndicators.buildActivityPositionand renamed topositionoutput: exportis used with intercepting routesAll breaking changes by upgrading @modelcontextprotocol/sdk from version 1.18.1 to 1.26.0 (CHANGELOG)
All breaking changes by upgrading @clerk/tanstack-react-start from version 0.26.10 to 0.29.11 (CHANGELOG)
json()in favor of standard Web APIs.All breaking changes by upgrading defu from version 6.1.4 to 6.1.5 (CHANGELOG)
All breaking changes by upgrading @opentelemetry/auto-instrumentations-node from version 0.67.2 to 0.75.0 (CHANGELOG)
All breaking changes by upgrading js-cookie from version 3.0.5 to 3.0.7 (CHANGELOG)
All breaking changes by upgrading lodash from version 4.17.21 to 4.18.1 (CHANGELOG)
_.unset/_.omitnow blockconstructorandprototypeas non-terminal path keys unconditionally. Calls that previously returnedtrueand deleted the property now returnfalseand leave the target untouched._.templatenow throws"Invalid imports option passed into _.template"whenimportskeys contain forbidden identifier characters, which were previously allowed.✅ 61 CVEs resolved by this upgrade, including 6 critical 🚨 CVEs
This PR will resolve the following CVEs:
protofield, enabling prototype chain manipulation and unintended property injection across the application.__proto__orconstructor, potentially influencing application behavior or enabling further attacks.DELETE/OPTIONSrequests allows attackers to bypass route restrictions and access unintended backend endpoints. An attacker could smuggle malicious requests to internal or admin routes through request boundary disagreement between proxy and backend.beforeInteractivescript serialization insufficiently escapes untrusted input, allowing attackers to break script boundaries and execute arbitrary JavaScript in the browser when untrusted data is passed to script props.__proto__payloads in unsanitized user input, potentially leading to application logic bypass or information disclosure.