Commit e84a995
chore: fix security vulnerabilities in dependencies (#488)
* chore: fix security vulnerabilities in dependencies
- Bump next 16.2.1 -> 16.2.3 (DoS via Server Components, GHSA-q4gf-8mx6-v5v3)
- Bump better-auth 1.5.6 -> 1.6.2 (prototype pollution in defu, removes vitest prod dep)
- Bump vite ^8.0.0 -> ^8.0.5 (fs.deny bypass, arbitrary file read, path traversal)
- Override hono >=4.12.12 (cookie validation, IP matching, path traversal, middleware bypass)
- Override @hono/node-server >=1.19.13 (middleware bypass via repeated slashes)
- Override defu >=6.1.5 (prototype pollution via __proto__ key)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: update pnpm-lock.yaml for security fixes
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: use caret ranges for security overrides
Constrain hono, @hono/node-server, and defu overrides to their
current major version to prevent unexpected major bumps.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent 9fc7341 · commit e84a995
2 files changed
Lines changed: 271 additions & 257 deletions
Diff table (rendered view; the changed line contents did not survive extraction, only the original and new line numbers did):

- Hunk 1 (lines 52-66): original line 55 replaced by new line 55; original line 63 replaced by new line 63.
- Hunk 2 (lines 101-107): original line 104 replaced by new line 104.
- Hunk 3 (original lines 116-122, new lines 116-124): original line 119 replaced by new lines 119-121.
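Review bot: the bullet list gives the overrides as `hono >=4.12.12`, `@hono/node-server >=1.19.13` and `defu >=6.1.5`, but the last sub-commit says they were constrained to caret ranges within the current major; if the three lines added at new lines 119-121 are that overrides block, confirm the merged file carries the caret form (a bare `>=` override would still allow an unexpected major bump, which is exactly what the follow-up commit set out to prevent) and that the lockfile resolves each package to a version at or above the stated minimum.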