fix: update nitropack to resolve CVE-2026-44372 and CVE-2026-44373 #82

Merged
dannyneira merged 3 commits into main from independabot/nitropack-CVE-2026-44372-CVE-2026-44373 on May 26, 2026
@dannyneira (Member)

Summary

  • Updated transitive npm dependency nitropack from 2.13.3 to 2.13.4 in package-lock.json.
  • Resolves the grouped Dependabot alerts for CVE-2026-44372 and CVE-2026-44373.
  • No direct dependency or override was added; this is a lockfile-only transitive update.

Security alerts

Advisories

Verification

  • npm audit no longer reports nitropack.
  • npm run build passed.
  • npm run typecheck passed with 0 errors and existing hints only.
  • npm run lint could not run in this sandbox because trunk is not installed.

Conversation: https://staging.warp.dev/conversation/afca70f9-a90b-442c-80fd-2d073799a893
Run: https://oz.staging.warp.dev/runs/019e3184-3c43-7402-ad9b-0a6cc3a2ba17
This PR was generated with Oz.
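
A lockfile-only bump like the one described above can be checked by walking the lockfile's `packages` map and confirming that every resolved copy of `nitropack`, nested copies included, is at 2.13.4 or later. This is an added example, not code from this repository or from Oz; the sample lockfile, the `example-parent` and `nitropack-extras` package names, and the function names are constructed for illustration.

```javascript
// Added example, not the repository's code. Walks the "packages" map of an
// npm lockfile (lockfileVersion 2 or 3) and reports every resolved copy of a
// package, including nested node_modules copies, below a minimum version.

// Parse "MAJOR.MINOR.PATCH" into numbers. Assumption: prerelease and build
// suffixes are ignored, which is enough for plain release versions.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// Negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Return [{ path, version, ok }] for each entry whose install path ends in
// node_modules/<name>. Link entries without a version field are skipped.
function findResolved(lock, name, minVersion) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path, e]) => (path === suffix || path.endsWith(`/${suffix}`)) &&
      typeof e.version === "string")
    .map(([path, e]) => ({
      path,
      version: e.version,
      ok: compareVersions(e.version, minVersion) >= 0,
    }));
}

// Constructed sample lockfile: one hoisted copy at the fixed version and one
// nested copy (under a hypothetical package) still at the old version.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "docs" },
    "node_modules/nitropack": { version: "2.13.4" },
    "node_modules/example-parent/node_modules/nitropack": { version: "2.13.3" },
    "node_modules/nitropack-extras": { version: "1.0.0" },
  },
};

const report = findResolved(sampleLock, "nitropack", "2.13.4");
console.log(report);
```

To run it against a real project, pass the parsed contents of `package-lock.json` in place of `sampleLock`.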

@dannyneira dannyneira requested a review from rachaelrenk May 16, 2026 16:09
@cla-bot cla-bot Bot added the cla-signed label May 16, 2026
vercel Bot commented May 16, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| docs | Ready | Preview, Comment | May 26, 2026 10:14pm |

@dannyneira dannyneira marked this pull request as ready for review May 26, 2026 22:06
oz-for-oss Bot (Contributor) commented May 26, 2026

@dannyneira

I'm starting a first review of this pull request.

You can view the conversation on Warp.

I completed the review and no human review was requested for this pull request.

Comment /oz-review on this pull request to retrigger a review (up to 3 times on the same pull request).

Powered by Oz

oz-for-oss Bot (Contributor) left a comment

Overview

This PR updates the transitive nitropack lockfile entry from 2.13.3 to 2.13.4, with corresponding nested dependency resolution changes in package-lock.json, to address the referenced Dependabot CVEs.

Concerns

No material correctness, spec-alignment, or security concerns were found in the annotated diff. The provided spec context indicates no approved repository spec exists for this PR.

Verdict

Found: 0 critical, 0 important, 0 suggestions

Approve

@dannyneira dannyneira merged commit 5b1a821 into main May 26, 2026
6 of 7 checks passed
@dannyneira dannyneira deleted the independabot/nitropack-CVE-2026-44372-CVE-2026-44373 branch May 26, 2026 22:12