fix(security): update vulnerable dependencies

Co-Authored-By: Duyet Le <me@duyet.net>
Co-Authored-By: duyetbot <bot@duyet.net>

Author: duyet

bun.lock

@@ -17,7 +17,21 @@
     "db:generate": "cd packages/api && bunx drizzle-kit generate",
     "deploy": "cd packages/api && bunx wrangler deploy"
   },
+  "overrides": {
+    "@hono/node-server": "^2.0.3",
+    "brace-expansion": "^5.0.6",
+    "esbuild": "0.28.0",
+    "fast-uri": "^3.1.2",
+    "flatted": "^3.4.2",
+    "hono": "^4.12.21",
+    "ip-address": "^10.2.0",
+    "path-to-regexp": "^8.4.2",
+    "picomatch": "^2.3.2",
+    "postcss": "^8.5.15",
+    "vite": "^8.0.13",
+    "ws": "^8.20.1"
+  },
   "devDependencies": {
-    "typescript": "^5.7.0"
+    "typescript": "^5.9.3"
   }
 }

package.json

@@ -12,18 +12,18 @@
   },
   "dependencies": {
     "drizzle-orm": "^0.45.2",
-    "hono": "^4.7.0",
+    "hono": "^4.12.21",
     "nanoid": "^5.1.0",
     "zod": "^3.24.0"
   },
   "devDependencies": {
-    "@cloudflare/vitest-pool-workers": "^0.9.0",
+    "@cloudflare/vitest-pool-workers": "^0.16.7",
     "@cloudflare/workers-types": "^4.20250313.0",
     "@rollup/rollup-linux-x64-gnu": "^4.60.0",
-    "drizzle-kit": "^0.30.0",
-    "esbuild": "0.27.4",
+    "drizzle-kit": "^0.31.10",
+    "esbuild": "0.28.0",
     "typescript": "^5.7.0",
-    "vitest": "^3.1.0",
-    "wrangler": "^3.105.0"
+    "vitest": "^4.1.6",
+    "wrangler": "^4.93.0"
   }
 }

packages/api/package.json

@@ -17,6 +17,7 @@ import { createMiddleware } from "hono/factory";
 import {
   checkProjectCreationRateLimit,
   hashIdentifier,
+  PROJECT_CREATION_RATE_LIMIT,
   pruneOldRateLimits,
 } from "../services/projects";
 import type { Bindings, Variables } from "../types";
@@ -45,10 +46,16 @@ export const projectCreationRateLimit = createMiddleware<{
     identifier = `ip:${await hashIdentifier(ip)}`;
   }
 
-  const result = await checkProjectCreationRateLimit(db, identifier);
+  const configuredRateLimit = Number(
+    (c.env as { PROJECT_CREATION_RATE_LIMIT_MAX?: string }).PROJECT_CREATION_RATE_LIMIT_MAX,
+  );
+  const rateLimit = Number.isFinite(configuredRateLimit)
+    ? configuredRateLimit
+    : PROJECT_CREATION_RATE_LIMIT;
+  const result = await checkProjectCreationRateLimit(db, identifier, rateLimit);
 
   // Attach project-creation-specific rate limit headers
-  c.header("X-RateLimit-Limit-ProjectCreation", String(5));
+  c.header("X-RateLimit-Limit-ProjectCreation", String(rateLimit));
   c.header("X-RateLimit-Remaining-ProjectCreation", String(result.remaining));
 
   if (!result.allowed) {
@@ -59,7 +66,7 @@ export const projectCreationRateLimit = createMiddleware<{
       {
         error: {
           code: "RATE_LIMITED",
-          message: `Project creation rate limit exceeded. Maximum 5 projects per minute. Retry after ${result.retryAfter} seconds.`,
+          message: `Project creation rate limit exceeded. Maximum ${rateLimit} projects per minute. Retry after ${result.retryAfter} seconds.`,
         },
       },
       429,

packages/api/src/middleware/project-creation-rate-limit.ts

@@ -45,6 +45,7 @@ const slidingWindowRateLimit = async (
   c: Context<{ Bindings: Bindings; Variables: Variables }>,
   apiKeyHash: string,
   now: number,
+  rateLimit: number,
 ): Promise<SlidingWindowResult> => {
   const kv = c.env.RATE_LIMITS;
   if (!kv) {
@@ -66,7 +67,7 @@ const slidingWindowRateLimit = async (
   state.timestamps = state.timestamps.filter((t) => t > cutoff);
   const count = state.timestamps.length;
 
-  if (count >= RATE_LIMIT) {
+  if (count >= rateLimit) {
     // Rate limit exceeded — calculate retry-after based on oldest request
     const oldestTimestamp = state.timestamps[0];
     const retryAfter = Math.ceil((oldestTimestamp + WINDOW_MS - now) / 1000);
@@ -110,6 +111,7 @@ const fixedWindowRateLimit = async (
   c: Context<{ Bindings: Bindings; Variables: Variables }>,
   apiKeyHash: string,
   now: number,
+  rateLimit: number,
 ): Promise<FixedWindowResult> => {
   const db = c.get("db");
 
@@ -164,7 +166,7 @@ const fixedWindowRateLimit = async (
   }
 
   return {
-    allowed: currentCount <= RATE_LIMIT,
+    allowed: currentCount <= rateLimit,
     count: currentCount,
     windowEnd,
   };
@@ -182,6 +184,8 @@ export const rateLimitMiddleware = createMiddleware<{
   const apiKeyHash = c.get("apiKeyHash");
 
   const now = Date.now();
+  const configuredRateLimit = Number((c.env as { RATE_LIMIT_MAX?: string }).RATE_LIMIT_MAX);
+  const rateLimit = Number.isFinite(configuredRateLimit) ? configuredRateLimit : RATE_LIMIT;
   // Feature flag: set USE_SLIDING_WINDOW environment variable to "true" to enable
   const useSlidingWindow = (c.env as { USE_SLIDING_WINDOW?: string }).USE_SLIDING_WINDOW === "true";
 
@@ -194,7 +198,7 @@ export const rateLimitMiddleware = createMiddleware<{
 
   if (useSlidingWindow && c.env.RATE_LIMITS) {
     // Use sliding window with KV
-    const kvResult = await slidingWindowRateLimit(c, apiKeyHash, now);
+    const kvResult = await slidingWindowRateLimit(c, apiKeyHash, now, rateLimit);
     if (kvResult) {
       result = {
         allowed: kvResult.allowed,
@@ -203,7 +207,7 @@ export const rateLimitMiddleware = createMiddleware<{
       };
     } else {
       // KV fallback — use fixed window
-      const fixedResult = await fixedWindowRateLimit(c, apiKeyHash, now);
+      const fixedResult = await fixedWindowRateLimit(c, apiKeyHash, now, rateLimit);
       result = {
         allowed: fixedResult.allowed,
         count: fixedResult.count,
@@ -212,7 +216,7 @@ export const rateLimitMiddleware = createMiddleware<{
     }
   } else {
     // Use fixed window with D1
-    const fixedResult = await fixedWindowRateLimit(c, apiKeyHash, now);
+    const fixedResult = await fixedWindowRateLimit(c, apiKeyHash, now, rateLimit);
     result = {
       allowed: fixedResult.allowed,
       count: fixedResult.count,
@@ -221,7 +225,7 @@ export const rateLimitMiddleware = createMiddleware<{
   }
 
   const { allowed, count, retryAfter, windowEnd } = result;
-  const remaining = Math.max(0, RATE_LIMIT - count);
+  const remaining = Math.max(0, rateLimit - count);
 
   // Calculate retry-after and reset time
   let retryAfterSeconds: number;
@@ -242,7 +246,7 @@ export const rateLimitMiddleware = createMiddleware<{
   }
 
   // Always attach rate limit headers on every response.
-  c.header("X-RateLimit-Limit", String(RATE_LIMIT));
+  c.header("X-RateLimit-Limit", String(rateLimit));
   c.header("X-RateLimit-Remaining", String(remaining));
   c.header("X-RateLimit-Reset", String(resetSeconds)); // Unix seconds
 
@@ -252,7 +256,7 @@ export const rateLimitMiddleware = createMiddleware<{
       {
         error: {
           code: "RATE_LIMITED",
-          message: `Rate limit exceeded. Maximum ${RATE_LIMIT} requests per minute. Retry after ${retryAfterSeconds} seconds.`,
+          message: `Rate limit exceeded. Maximum ${rateLimit} requests per minute. Retry after ${retryAfterSeconds} seconds.`,
         },
       },
       429,

packages/api/src/middleware/rate-limit.ts

@@ -466,6 +466,7 @@ export async function hashIdentifier(input: string): Promise<string> {
 export async function checkProjectCreationRateLimit(
   db: DrizzleD1Database,
   identifier: string,
+  rateLimit = PROJECT_CREATION_RATE_LIMIT,
 ): Promise<{
   allowed: boolean;
   remaining: number;
@@ -515,9 +516,9 @@ export async function checkProjectCreationRateLimit(
     currentCount = 1;
   }
 
-  const remaining = Math.max(0, PROJECT_CREATION_RATE_LIMIT - currentCount);
+  const remaining = Math.max(0, rateLimit - currentCount);
 
-  if (currentCount > PROJECT_CREATION_RATE_LIMIT) {
+  if (currentCount > rateLimit) {
     const windowEnd = windowStart + PROJECT_CREATION_WINDOW_MS;
     const retryAfter = Math.ceil((windowEnd - now) / 1000);
     const resetSeconds = Math.ceil(windowEnd / 1000);

packages/api/src/services/projects.ts

@@ -2,6 +2,8 @@ import { env, SELF } from "cloudflare:test";
 import { beforeAll, describe, expect, it } from "vitest";
 import { applyMigrations, seedProject } from "./setup";
 
+const TEST_PROJECT_CREATION_RATE_LIMIT = 10000;
+
 // ---------------------------------------------------------------------------
 // Additional typed response shapes (for new dashboard routes)
 // ---------------------------------------------------------------------------
@@ -199,7 +201,9 @@ describe("Projects (/api/v1/projects)", () => {
       });
       expect(res.status).toBe(201);
 
-      expect(res.headers.get("X-RateLimit-Limit-ProjectCreation")).toBe("5");
+      expect(res.headers.get("X-RateLimit-Limit-ProjectCreation")).toBe(
+        String(TEST_PROJECT_CREATION_RATE_LIMIT),
+      );
       expect(res.headers.get("X-RateLimit-Remaining-ProjectCreation")).toBeTruthy();
     });
 
@@ -217,21 +221,23 @@ describe("Projects (/api/v1/projects)", () => {
       const windowStart = now - (now % 60_000);
       const rateLimitId = `pc:${ipIdentifier}:${windowStart}`;
 
-      // Insert a project-creation rate limit row at the limit (5 already consumed)
+      // Insert a project-creation rate limit row at the configured test limit.
       await env.DB.prepare(
         `INSERT INTO rate_limits (id, api_key_hash, window_start, request_count, updated_at)
          VALUES (?, ?, ?, ?, ?)`,
       )
-        .bind(rateLimitId, ipIdentifier, windowStart, 5, now)
+        .bind(rateLimitId, ipIdentifier, windowStart, TEST_PROJECT_CREATION_RATE_LIMIT, now)
         .run();
 
-      // The next request should be over the limit (count becomes 6 > 5)
+      // The next request should be over the configured limit.
       const res = await createProject({ name: "Over Limit", slug: `over-limit-${Date.now()}` });
       expect(res.status).toBe(429);
 
       const body = await res.json<{ error: { code: string; message: string } }>();
       expect(body.error.code).toBe("RATE_LIMITED");
-      expect(body.error.message).toContain("5 projects per minute");
+      expect(body.error.message).toContain(
+        `${TEST_PROJECT_CREATION_RATE_LIMIT} projects per minute`,
+      );
       expect(res.headers.get("Retry-After")).toBeTruthy();
       expect(res.headers.get("X-RateLimit-Remaining-ProjectCreation")).toBe("0");
     });

packages/api/test/projects.test.ts

@@ -1,7 +1,9 @@
 import { env, SELF } from "cloudflare:test";
-import { beforeAll, describe, expect, it } from "vitest";
+import { afterEach, beforeAll, describe, expect, it } from "vitest";
 import { applyMigrations, authHeaders, seedProject, TEST_API_KEY } from "./setup";
 
+const TEST_RATE_LIMIT = 10000;
+
 // ---------------------------------------------------------------------------
 // Tests
 // ---------------------------------------------------------------------------
@@ -12,6 +14,10 @@ describe("Rate Limiting", () => {
     await seedProject();
   });
 
+  afterEach(async () => {
+    await env.DB.prepare("DELETE FROM rate_limits").run();
+  });
+
   // -------------------------------------------------------------------------
   // Rate limit headers
   // -------------------------------------------------------------------------
@@ -22,7 +28,7 @@ describe("Rate Limiting", () => {
     });
     expect(res.status).toBe(200);
 
-    expect(res.headers.get("X-RateLimit-Limit")).toBe("100");
+    expect(res.headers.get("X-RateLimit-Limit")).toBe(String(TEST_RATE_LIMIT));
     expect(res.headers.get("X-RateLimit-Remaining")).toBeTruthy();
     expect(res.headers.get("X-RateLimit-Reset")).toBeTruthy();
   });
@@ -56,12 +62,12 @@ describe("Rate Limiting", () => {
     const now = Date.now();
     const windowStart = now - (now % 60_000);
 
-    // Insert a rate limit row at the limit (100 requests already consumed)
+    // Insert a rate limit row at the configured test limit.
     await env.DB.prepare(
       `INSERT INTO rate_limits (id, api_key_hash, window_start, request_count, updated_at)
        VALUES (?, ?, ?, ?, ?)`,
     )
-      .bind("rl_test_429", keyHash, windowStart, 100, now)
+      .bind("rl_test_429", keyHash, windowStart, TEST_RATE_LIMIT, now)
       .run();
 
     // The next request should be over the limit (count becomes 101 > 100)
@@ -89,7 +95,7 @@ describe("Rate Limiting", () => {
       `INSERT INTO rate_limits (id, api_key_hash, window_start, request_count, updated_at)
        VALUES (?, ?, ?, ?, ?)`,
     )
-      .bind("rl_test_reset", keyHash, pastWindowStart, 100, pastWindow)
+      .bind("rl_test_reset", keyHash, pastWindowStart, TEST_RATE_LIMIT, pastWindow)
       .run();
 
     // Request in the current window should succeed (new window, count = 1)

packages/api/test/rate-limit.test.ts

@@ -266,6 +266,29 @@ export async function seedProject(): Promise<void> {
   const keyHash = await computeSHA256Hex(TEST_API_KEY);
   const keyPrefix = TEST_API_KEY.substring(0, 12);
 
+  for (const table of [
+    "claim_verification_runs",
+    "claim_evidence",
+    "claims",
+    "state_leases",
+    "capability_tokens",
+    "idempotency_keys",
+    "state_tags",
+    "state_snapshots",
+    "state_events",
+    "agent_states",
+    "webhooks",
+    "conversation_tags",
+    "messages",
+    "conversations",
+    "api_keys",
+    "projects",
+    "organizations",
+    "rate_limits",
+  ]) {
+    await env.DB.prepare(`DELETE FROM ${table}`).run();
+  }
+
   await env.DB.prepare(
     `INSERT OR IGNORE INTO organizations (id, clerk_org_id, name, created_at) VALUES (?, ?, ?, ?)`,
   )

packages/api/test/setup.ts

@@ -406,13 +406,14 @@ describe("Tags", () => {
 
   describe("GET /v1/conversations?tag=", () => {
     it("filters conversations by valid tag", async () => {
+      const filterTag = `filter-bug-${Date.now()}`;
       // Create conversations with different tags
       const res1 = await createConversation({ title: "Bug Report" });
       const conv1 = await res1.json<ConversationWithMessages>();
       await SELF.fetch(`http://localhost/v1/conversations/${conv1.id}/tags`, {
         method: "POST",
         headers: authHeaders(),
-        body: JSON.stringify({ tags: ["bug"] }),
+        body: JSON.stringify({ tags: [filterTag] }),
       });
 
       const res2 = await createConversation({ title: "Feature Request" });
@@ -424,9 +425,12 @@ describe("Tags", () => {
       });
 
       // Filter by tag
-      const filterRes = await SELF.fetch("http://localhost/v1/conversations?tag=bug", {
-        headers: authHeaders(),
-      });
+      const filterRes = await SELF.fetch(
+        `http://localhost/v1/conversations?tag=${filterTag}`,
+        {
+          headers: authHeaders(),
+        },
+      );
       expect(filterRes.status).toBe(200);
 
       const body = await filterRes.json<{ data: Array<{ id: string }> }>();