chore(security): patch 8 Dependabot alerts#1763
Merged
Merged
Conversation
- lerna 8 -> 9 (drops vulnerable sigstore 2.x / @sigstore/core 1.x chains) - @nestjs/* 10 -> 11 in agent (dev) and _example (fastify middleware bypass) - js-yaml refreshed to 3.15.0 / 4.3.0 (+ scoped resolution for lerna's exact pin) - uuid pinned >= 11.1.1 under sequelize in the Docker deps manifest - removed 6 redundant root resolutions (natural resolution now satisfies them) Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
# Conflicts: # packages/agent/package.json
|
Coverage Impact This PR will not change total coverage. 🚦 See full report on Qlty Cloud »🛟 Help
|
matthv
approved these changes
Jul 16, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.

Summary
8 fixed, 0 ignored, 0 deferred, 2 resolutions added, 6 resolutions removed. | label: 🔒 security applied
Fixed
lerna8.2.3 → 9.0.7 (its pacote 21 / libnpmpublish 11 wantsigstore ^4.0.0), removing the 2.x chain; refreshed the semantic-release chain's^4.0.0entry to 4.1.1^4.1.0consumers + scoped resolution**/lerna/js-yaml(lerna pins js-yaml exact, 4.1.1 even in v9)lerna8 → 9 bump (removes the 1.x chain) + lockfile refresh of the^3.xentries**/sequelize/uuidin the generated Docker deps manifest;deps/yarn.lockregenerated via the documented procedure@nestjs/*deps^10.4.16→^11.1.24(root yarn.lock manifestation of the two bumps below)packages/agent/package.json(with@nestjs/common,core,platform-express— peer-dep siblings must move together)packages/_example/package.json(same four-package move);_exampleis not the only manifest pulling this package, so the example-pinning exemption does not applyNote: the advisory (GHSA-6v32-fjc9-9qf6) has a single patched version, 11.1.24 — no 10.x backport — so the major bump is required to close the alerts.
Ignored
None.
Deferred
None — all 8 open alerts are older than 7 days.
Resolutions added
**/lerna/js-yaml: ^4.2.0package.json**/parent/pkg)**/sequelize/uuid: ^11.1.1uuid ^8.3.2; v7 is not GA)packages/workflow-executor/docker/build-deps-manifest.js(the depspackage.jsonis generated by this script; only the lockfile is committed)The root repo already forces
uuid ^11.1.1globally (existing resolution), so sequelize-on-uuid-11 is a combination the monorepo's CI already exercises.Resolutions removed
All six were redundant: verified one at a time by removing the entry, re-running
yarn install, and confirming every remaining lockfile entry for the package still resolves ≥ the old pin.package.json@babel/core: ^7.29.6package.json**/@modelcontextprotocol/sdk/hono: ^4.12.25^4.11.4naturally resolves ≥ 4.12.27package.jsonform-data: >=4.0.6package.json**/@nestjs/platform-express/multer: ^2.2.0package.json**/typedoc/markdown-it: ^14.2.0^14.1.1naturally resolves to 14.3.0package.json**/tsx/esbuild: ^0.28.1~0.28.0naturally resolves to 0.28.1Risks
@nestjs/*10 → 11 (packages/agent devDeps + packages/_example): the biggest change in this PR. Nest 11 requires Node ≥ 20 (repo runs 24.x, fine),@nestjs/platform-express11 moves to Express 5, and@nestjs/platform-fastify11 moves to Fastify 5. Inagentthese are dev-only (framework-mounter tests that mount the agent onto a Nest app); in_examplethey're runtime for the example app only. The agent's Nest integration tests are the most likely place for breakage — CI will surface it.lerna8 → 9: dev tooling only (used forlerna run build/lerna exec eslint; releasing goes through multi-semantic-release, notlerna publish). Lerna 9 keepsrun/exec/repairand requires Node ≥ 20. Verified locally thatlerna execworks after a clean install.uuid ^11.1.1resolution, which datasource-sequelize CI already runs against. The Docker image build (docker-publish workflow) validates the regenerated lockfile on this PR.Manual testing
Covered by CI (including the Docker image build, which triggers on changes to the executor's docker files and validates the regenerated deps lockfile with
--frozen-lockfile).Validation
✅ CI green