Skip to content

chore(security): patch 8 Dependabot alerts#1763

Merged
PMerlet merged 2 commits into
mainfrom
security/2026-07-16
Jul 16, 2026
Merged

chore(security): patch 8 Dependabot alerts#1763
PMerlet merged 2 commits into
mainfrom
security/2026-07-16

Conversation

@PMerlet

@PMerlet PMerlet commented Jul 16, 2026

Copy link
Copy Markdown
Member

👋 First-level support: see Handling automated security PRs for how to triage and merge this PR.

Summary

8 fixed, 0 ignored, 0 deferred, 2 resolutions added, 6 resolutions removed. | label: 🔒 security applied

Fixed

Done Alert Package Ecosystem From → To Severity What was bumped
- [ ] #413 sigstore npm 2.3.1 & 4.0.0 → 4.1.1 high bumped lerna 8.2.3 → 9.0.7 (its pacote 21 / libnpmpublish 11 want sigstore ^4.0.0), removing the 2.x chain; refreshed the semantic-release chain's ^4.0.0 entry to 4.1.1
- [ ] #412 js-yaml (3.x) npm 3.14.1 → 3.15.0 medium lockfile refresh — all 3.x consumers declare caret ranges
- [ ] #411 js-yaml (4.x) npm 4.1.0 → 4.3.0 medium lockfile refresh for ^4.1.0 consumers + scoped resolution **/lerna/js-yaml (lerna pins js-yaml exact, 4.1.1 even in v9)
- [ ] #409 @sigstore/core npm 1.1.0 & 3.0.0 → 3.2.1 medium same lerna 8 → 9 bump (removes the 1.x chain) + lockfile refresh of the ^3.x entries
- [ ] #408 uuid npm 8.3.2 → 11.1.1 (docker deps lockfile) medium scoped resolution **/sequelize/uuid in the generated Docker deps manifest; deps/yarn.lock regenerated via the documented procedure
- [ ] #390 @nestjs/platform-fastify npm 10.4.20 → 11.1.28 high bumped all four @nestjs/* deps ^10.4.16^11.1.24 (root yarn.lock manifestation of the two bumps below)
- [ ] #385 @nestjs/platform-fastify npm ^10.4.16 → ^11.1.24 high direct devDependency bump in packages/agent/package.json (with @nestjs/common, core, platform-express — peer-dep siblings must move together)
- [ ] #384 @nestjs/platform-fastify npm ^10.4.16 → ^11.1.24 high direct dependency bump in packages/_example/package.json (same four-package move); _example is not the only manifest pulling this package, so the example-pinning exemption does not apply

Note: the advisory (GHSA-6v32-fjc9-9qf6) has a single patched version, 11.1.24 — no 10.x backport — so the major bump is required to close the alerts.

Ignored

None.

Deferred

None — all 8 open alerts are older than 7 days.

Resolutions added

Alert Package + pin Parent chain tried Why a bump wasn't viable File Form
#411 **/lerna/js-yaml: ^4.2.0 lerna 8.2.3 → 9.0.7 (done anyway for sigstore) lerna pins js-yaml exact in every release (4.1.0 in v8, 4.1.1 in v9 — both vulnerable); no published lerna resolves ≥ 4.2.0 naturally root package.json scoped (Yarn **/parent/pkg)
#408 **/sequelize/uuid: ^11.1.1 sequelize (latest v6 = 6.37.8 still pins uuid ^8.3.2; v7 is not GA) no sequelize 6 release pulls a patched uuid packages/workflow-executor/docker/build-deps-manifest.js (the deps package.json is generated by this script; only the lockfile is committed) scoped

The root repo already forces uuid ^11.1.1 globally (existing resolution), so sequelize-on-uuid-11 is a combination the monorepo's CI already exercises.

Resolutions removed

All six were redundant: verified one at a time by removing the entry, re-running yarn install, and confirming every remaining lockfile entry for the package still resolves ≥ the old pin.

File Entry Reason
root package.json @babel/core: ^7.29.6 redundant — all consumers declare carets that naturally resolve to 7.29.7
root package.json **/@modelcontextprotocol/sdk/hono: ^4.12.25 redundant — the SDK's own range ^4.11.4 naturally resolves ≥ 4.12.27
root package.json form-data: >=4.0.6 redundant — all consumers naturally resolve to 4.0.6
root package.json **/@nestjs/platform-express/multer: ^2.2.0 redundant — platform-express 11 depends on multer 2.2.0 itself
root package.json **/typedoc/markdown-it: ^14.2.0 redundant — typedoc's ^14.1.1 naturally resolves to 14.3.0
root package.json **/tsx/esbuild: ^0.28.1 redundant — tsx's ~0.28.0 naturally resolves to 0.28.1

Risks

  • @nestjs/* 10 → 11 (packages/agent devDeps + packages/_example): the biggest change in this PR. Nest 11 requires Node ≥ 20 (repo runs 24.x, fine), @nestjs/platform-express 11 moves to Express 5, and @nestjs/platform-fastify 11 moves to Fastify 5. In agent these are dev-only (framework-mounter tests that mount the agent onto a Nest app); in _example they're runtime for the example app only. The agent's Nest integration tests are the most likely place for breakage — CI will surface it.
  • lerna 8 → 9: dev tooling only (used for lerna run build / lerna exec eslint; releasing goes through multi-semantic-release, not lerna publish). Lerna 9 keeps run/exec/repair and requires Node ≥ 20. Verified locally that lerna exec works after a clean install.
  • js-yaml 4.1.x → 4.3.0 / 3.14.1 → 3.15.0: minor bumps within major, dev tooling only (lerna, eslint, cosmiconfig, jest chains). No behavior change beyond the patched vuln expected.
  • sigstore 4.0.0 → 4.1.1 / @sigstore/core → 3.2.1: patch/minor within major on the semantic-release publish chain. The old 2.x/1.x copies existed only under lerna 8's unused publish machinery and are gone entirely.
  • uuid 8.3.2 → 11.1.1 under sequelize (Docker image only): mirrors the root repo's existing global uuid ^11.1.1 resolution, which datasource-sequelize CI already runs against. The Docker image build (docker-publish workflow) validates the regenerated lockfile on this PR.

Manual testing

Covered by CI (including the Docker image build, which triggers on changes to the executor's docker files and validates the regenerated deps lockfile with --frozen-lockfile).

Validation

✅ CI green

- lerna 8 -> 9 (drops vulnerable sigstore 2.x / @sigstore/core 1.x chains)
- @nestjs/* 10 -> 11 in agent (dev) and _example (fastify middleware bypass)
- js-yaml refreshed to 3.15.0 / 4.3.0 (+ scoped resolution for lerna's exact pin)
- uuid pinned >= 11.1.1 under sequelize in the Docker deps manifest
- removed 6 redundant root resolutions (natural resolution now satisfies them)

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@qltysh

qltysh Bot commented Jul 16, 2026

Copy link
Copy Markdown

Qlty


Coverage Impact

This PR will not change total coverage.

🚦 See full report on Qlty Cloud »

🛟 Help
  • Diff Coverage: Coverage for added or modified lines of code (excludes deleted files). Learn more.

  • Total Coverage: Coverage for the whole repository, calculated as the sum of all File Coverage. Learn more.

  • File Coverage: Covered Lines divided by Covered Lines plus Missed Lines. (Excludes non-executable lines including blank lines and comments.)

    • Indirect Changes: Changes to File Coverage for files that were not modified in this PR. Learn more.

@PMerlet
PMerlet merged commit 84b27e8 into main Jul 16, 2026
37 checks passed
@PMerlet
PMerlet deleted the security/2026-07-16 branch July 16, 2026 14:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants