[Snyk] Security upgrade vectordb from 0.4.20 to 0.21.2

[sestinj]

Snyk has created this PR to fix 1 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

• binary/package.json

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	HTTP Response Splitting SNYK-JS-AXIOS-16298058	848

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

---

Summary by cubic

Upgrade vectordb from 0.4.20 to 0.21.2 to fix the axios HTTP Response Splitting vulnerability (SNYK-JS-AXIOS-16298058). Change is limited to binary/package.json.

^{Written for commit f436c2d. Summary will update on new commits.}

[continue]

Docs Review

No documentation updates needed for this PR.

This is a security upgrade of the vectordb dependency (0.4.20 → 0.21.2) to address a transitive axios vulnerability. The change is limited to binary/package.json and has no impact on:

• User-facing APIs or configuration options
• Installation or setup instructions
• Feature behavior or usage patterns

Internal dependency updates like this don't require docs changes.

[cubic-dev-ai]

1 issue found across 1 file

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="binary/package.json">

<violation number="1" location="binary/package.json:58">
P1: Update the vectordb version in the core manifest too; changing only binary/package.json does not affect the code path that uses it, so the vulnerable 0.4.20 copy can still be installed and bundled.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review, or fix all with cubic.}

[cubic-dev-ai]

P1: Update the vectordb version in the core manifest too; changing only binary/package.json does not affect the code path that uses it, so the vulnerable 0.4.20 copy can still be installed and bundled.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At binary/package.json, line 58:

<comment>Update the vectordb version in the core manifest too; changing only binary/package.json does not affect the code path that uses it, so the vulnerable 0.4.20 copy can still be installed and bundled.</comment>

<file context>
@@ -55,7 +55,7 @@
     "undici": "^7.24.0",
     "uuid": "^9.0.1",
-    "vectordb": "0.4.20",
+    "vectordb": "0.21.2",
     "win-ca": "^3.5.1"
   }
</file context>