Commit 88d5c46

security: Upgrade @clerk/nextjs to 6.39.2 (GHSA-vqx2-fgx2-5wq9) (#97)
* ci: use centralized vuln remediation workflow from infra
  Made-with: Cursor
* ci: replace custom config with socket.yml
  Made-with: Cursor
* ci: point vuln remediation at kernel/security-workflows
  Made-with: Cursor
* Upgrade @clerk/nextjs to 6.39.2 to fix middleware route protection bypass

  Addresses GHSA-vqx2-fgx2-5wq9 (CVSS 9.1): createRouteMatcher could be bypassed via percent-encoded URLs and double-slash path manipulation. Our middleware uses the safe allowlist (isPublicRoute) pattern so we are not actively exploitable, but the underlying createPathMatcher now normalizes paths with decodeURI and slash collapsing — upgrading as recommended by Clerk.

  Made-with: Cursor
1 parent 864b2ee commit 88d5c46
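The bypass and fix the commit message describes, as an added example that is not Clerk's code and not this repository's middleware: a toy path-to-regexp-style route matcher run first without and then with path normalization, beside the allowlist (isPublicRoute) policy the message credits with keeping the app safe. Assumptions: decodeURIComponent is used for decoding (the message says Clerk uses decodeURI), and the patterns and request paths are constructed for the demonstration.

```typescript
// Added example, not Clerk's code: a toy route matcher showing why paths must
// be normalized before matching, and why an allowlist of public routes fails closed.

/** Decode percent-encoding and collapse repeated slashes; null = malformed. */
function normalizePath(path: string): string | null {
  let decoded: string;
  try {
    // Assumption: decodeURIComponent here (also decodes %2F); Clerk's fix
    // is described as using decodeURI.
    decoded = decodeURIComponent(path);
  } catch {
    return null; // malformed escape sequence: caller must fail closed
  }
  const collapsed = decoded.replace(/\/{2,}/g, "/"); // "//admin" -> "/admin"
  return collapsed.length > 1 ? collapsed.replace(/\/$/, "") : collapsed;
}

/** "(.*)" matches the rest of the path, ":name" matches one segment. */
function patternToRegExp(pattern: string): RegExp {
  const WILD = "\u0000"; // placeholder so "(.*)" survives escaping
  const src = pattern
    .split("(.*)").join(WILD)
    .replace(/[.*+?^${}()|[\]\\]/g, "\\$&")
    .replace(/:[A-Za-z0-9_]+/g, "[^/]+")
    .split(WILD).join(".*");
  return new RegExp(`^${src}$`);
}

type Matcher = (path: string) => boolean;
function createRouteMatcher(patterns: string[], normalize: boolean): Matcher {
  const regexps = patterns.map(patternToRegExp);
  return (path) => {
    const target = normalize ? normalizePath(path) : path;
    if (target === null) return false; // malformed path matches nothing
    return regexps.some((re) => re.test(target));
  };
}

// Denylist policy: auth is required only when a "protected" pattern matches.
function denylistRequiresAuth(path: string, normalize: boolean): boolean {
  return createRouteMatcher(["/admin(.*)", "/dashboard(.*)"], normalize)(path);
}

// Allowlist policy (the isPublicRoute pattern): auth is required unless a
// "public" pattern matches, so an unmatched or malformed path stays protected.
function allowlistRequiresAuth(path: string, normalize: boolean): boolean {
  const isPublic = createRouteMatcher(["/", "/sign-in(.*)", "/api/public/:slug"], normalize);
  return !isPublic(path);
}
```

With `normalize` set to false the denylist lets `/%61dmin` and `//admin` through while the allowlist still demands auth for them; with normalization on, both policies treat them as `/admin`.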

4 files changed

Lines changed: 29 additions & 14 deletions


Lines changed: 17 additions & 0 deletions
@@ -0,0 +1,17 @@
1+
name: Vulnerability Remediation
2+
3+
on:
4+
schedule:
5+
- cron: '0 3 * * 3'
6+
workflow_dispatch:
7+
8+
permissions:
9+
contents: write
10+
pull-requests: write
11+
12+
jobs:
13+
remediate:
14+
uses: kernel/security-workflows/.github/workflows/vuln-remediation.yml@main
15+
with:
16+
setup-bun: true
17+
secrets: inherit
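Review bot: `uses: kernel/security-workflows/.github/workflows/vuln-remediation.yml@main` references a mutable branch, and the job passes `secrets: inherit` while the workflow holds `contents: write` and `pull-requests: write`, so any change pushed to `main` of that repository runs here with every repository secret and write access to this repo. Pin the reusable workflow to a full commit SHA (or a tag controlled by the same owners) and pass only the secrets the remediation job actually needs instead of `inherit`.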

bun.lock

Lines changed: 10 additions & 13 deletions

package.json

Lines changed: 1 addition & 1 deletion
@@ -30,7 +30,7 @@
3030
},
3131
"dependencies": {
3232
"@clerk/mcp-tools": "^0.1.1",
33-
"@clerk/nextjs": "^6.32.0",
33+
"@clerk/nextjs": "^6.39.2",
3434
"@clerk/themes": "^2.4.19",
3535
"@mcp-ui/server": "^5.10.0",
3636
"@modelcontextprotocol/sdk": "1.26.0",
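Review bot: `"@clerk/nextjs": "^6.39.2"` keeps a caret range, so the fix only holds if `bun.lock` resolves `@clerk/nextjs` to 6.39.2 or later; the lockfile diff in this commit (10 additions, 13 deletions) is not rendered on this page, so confirm the resolved entry before merging, for example by installing with a frozen lockfile in CI and checking the installed version. The neighbouring `@clerk/mcp-tools` and `@clerk/themes` ranges are untouched; verify the lockfile does not still carry an older `@clerk/nextjs` for them.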

socket.yml

Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
version: 2
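Review bot: the new `socket.yml` contains only `version: 2`, so Socket runs with its defaults and nothing from the custom config this file replaces (per the commit message) is carried over. Either add the project-specific settings that config held or state in the commit message why the defaults are sufficient.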
