chore(deps): security update — 0c 11h 16m 1l → 0c 3h 4m 1l #11
Merged
Dependency security update
Conservative, in-range dependency remediation. Review + QA before merge.
What changed
- `npm update` — semver-safe, in-range refresh of the dependency tree. This notably bumped the `openclaw` devDependency `2026.4.21 → 2026.5.7`, which clears the bulk of the advisories (most were transitive through openclaw's tree: `@anthropic-ai/sdk`, `basic-ftp`, `hono`, `fast-xml-*`, etc.).
- `overrides` to `package.json`:
  - `ws` → `^8.21.0` (clears the vulnerable `ws` nested under `viem` — memory-exhaustion DoS GHSA-96hv-2xvq-fx4p)
  - `postcss` → `^8.5.10` (floor; already resolves to 8.5.16)
- `package.json` + `package-lock.json` are committed.

Not changed (deliberate, documented residual)
- `vitest` left at `^4.1.3` (already newer than any security floor — no downgrade).
- `next` / `@vitest/coverage-v8` present.
- `uuid` left at v9-line (v9→v11 is a risky major; transitive via openclaw dev tooling).

Audit: before → after
Residual advisories are all dev-only, transitive through the `openclaw` devDependency toolchain and require breaking/major bumps: `esbuild`, `markdown-it`, `tar`, `undici`, `uuid`, `@mariozechner/pi-coding-agent`. None affect the published runtime deps (`@scure/*`, `@solana/kit`, `@x402/*`, `viem`).

Build / test status
- `npm run build` / tsup — clean (ESM + DTS).
- `test/integration/security-scanner.test.ts` (`result.findings` is `undefined`). Root cause: the in-range `openclaw 2026.4.21 → 2026.5.7` bump changed the shape of openclaw's security-scanner result. This is a dev-only integration test against openclaw's API, not a runtime/build/compile failure, and not caused by any next/vitest bump (none applied here).
- `security-scanner.test.ts` for openclaw 2026.5.7's new scanner result shape, or pin `openclaw` back to `2026.4.21` (which would re-introduce some of the cleared dev-tree advisories).