
chore(security): patch 23 Dependabot alerts#1734

Merged: nbouliol merged 1 commit into main from security/2026-07-03 on Jul 3, 2026

Conversation

@PMerlet PMerlet commented Jul 3, 2026
Member

👋 First-level support: see Handling automated security PRs for how to triage and merge this PR.

Summary

23 fixed, 4 ignored, 4 deferred, 11 resolutions added, 4 resolutions removed. | label: 🔒 security applied

Fixed

| Done | Alert | Package | Ecosystem | From → To | Severity | What was bumped |
|---|---|---|---|---|---|---|
| [ ] | #377 | shell-quote | npm | 1.8.3 → 1.9.0 | critical | resolution `**/concurrently/shell-quote` (concurrently pins 1.8.3 exact) |
| [ ] | #380 | joi | npm | 17.12.2 → 17.13.4 | medium | direct dep in packages/forest-cloud ^17.12.2 → ^17.13.4, + resolution `**/forest-cli/joi` (forest-cli pins 17.12.2 exact) |
| [ ] | #381 | esbuild | npm | 0.28.0 → 0.28.1 | low | resolution `**/tsx/esbuild` (tsx pins ~0.28.0) |
| [ ] | #386 | ws | npm | 7.5.10 → 7.5.11 | high | resolution `**/subscriptions-transport-ws/ws` |
| [ ] | #387 | @babel/core | npm | 7.23.3 / 7.28.4 → 7.29.7 | low | root resolution `@babel/core: ^7.29.6` (many toolchain chains) |
| [ ] | #388 | tar | npm | 7.5.13 → 7.5.19 | medium | tightened existing root resolution tar >=7.5.11 → >=7.5.16 |
| [ ] | #389 | form-data | npm | 4.0.4 / 4.0.5 → 4.0.6 | high | direct dep in packages/forest-cloud ^4.0.4 → ^4.0.6, + root resolution `form-data: >=4.0.6` (azure/superagent/axios chains) |
| [ ] | #391 | markdown-it | npm | 14.1.1 → 14.3.0 | medium | resolution `**/typedoc/markdown-it` |
| [ ] | #392 #393 #394 #395 #396 | hono | npm | 4.12.21 → 4.12.27 | high/medium | bumped existing resolution `**/@modelcontextprotocol/sdk/hono` ^4.12.18 → ^4.12.25 |
| [ ] | #397 #398 | multer | npm | 2.0.2 → 2.2.0 | high/medium | resolution `**/@nestjs/platform-express/multer` (platform-express pins 2.0.2 exact) |
| [ ] | #399 #400 #402 #403 | undici (v7 line) | npm | 7.16.0 → 7.28.0 | medium/low | resolution `**/@semantic-release/github/undici: ^7.28.0` |
| [ ] | #404 #405 #406 #407 | undici (<6.27.0 line) | npm | 5.29.0 / 6.25.0 → 6.27.0 | high/medium/low | resolutions `**/node-gyp/undici: ^6.27.0` and `**/@actions/http-client/undici: ^6.27.0` |

Ignored

| Dismissed | Alert | Package | Reason |
|---|---|---|---|
| [ ] | #384 | @nestjs/platform-fastify | Dev/test/tooling only + exploit requires untrusted input at runtime. Dependency of the unpublished packages/_example demo app; nothing is shipped to production. The patched version (11.1.24) is a NestJS 10→11 breaking major; _example intentionally pins Nest 10. Same root cause as #385 / #390. |
| [ ] | #385 | @nestjs/platform-fastify | Dev/test/tooling only + exploit requires untrusted input at runtime. devDependency of packages/agent, used only in integration tests of the NestJS/Fastify mounting; the published @forestadmin/agent does not ship it (not in dependencies/peerDependencies). The middleware-bypass exploit requires a live Fastify HTTP server receiving untrusted traffic. Fix (11.1.24) requires @nestjs/common/@nestjs/core 11 peers — a breaking major touching test infrastructure. |
| [ ] | #390 | @nestjs/platform-fastify | Duplicate of #385 / #384 on the same root cause — the yarn.lock-level alert for the same package/advisory; the only consumers are the agent devDependency and _example. |
| [ ] | #408 | uuid | Vulnerable code path unreachable. Alert is on packages/workflow-executor/docker/deps/yarn.lock, where the only consumer of uuid@8.3.2 is sequelize@6 (declares uuid@^8.3.2). The advisory affects v3/v5/v6 when a buf argument is provided; grepping sequelize's sources shows it only calls uuid.v1/uuid.v4, never v3/v5/v6. Sequelize 6 cannot take uuid 11 (patched) without an override, and that lockfile is generated by build-deps-manifest.js which intentionally carries no resolutions. |

Deferred

Skipped by the 7-day age gate; next run will pick them up:

  • #413 sigstore (high, created 2026-07-02)
  • #412 js-yaml <3.15.0 (medium, created 2026-06-30)
  • #411 js-yaml 4.x (medium, created 2026-06-30)
  • #409 @sigstore/core (medium, created 2026-06-29)

Resolutions added

All entries live in the root package.json — Yarn 1 does not honor workspace-level resolutions, so parent-scoped root entries are the narrowest honored form.

| Alert | Entry | Form | Parent chain tried / why a bump wasn't viable |
|---|---|---|---|
| #404–#407 | `**/node-gyp/undici: ^6.27.0` | scoped | sqlite3 > node-gyp@12 > undici@^6.25.0; node-gyp is pulled by sqlite3's build — no ancestor bump pulls 6.27.0. Minor bump. |
| #404–#407 | `**/@actions/http-client/undici: ^6.27.0` | scoped | @qiwi/multi-semantic-release > semantic-release > @semantic-release/npm > @actions/core > @actions/http-client@^3.0.0 > undici@^5.28.5; no @actions/http-client release on a patched undici. Note: this is an undici 5→6 major inside dev release tooling — see Risks. |
| #399–#403 | `**/@semantic-release/github/undici: ^7.28.0` | scoped | @semantic-release/github > undici@^7.0.0; parent range already allows 7.28.0, resolution forces the lockfile refresh. Minor bump. |
| #397 #398 | `**/@nestjs/platform-express/multer: ^2.2.0` | scoped | _example > @nestjs/platform-express@10 > multer@2.0.2 (exact pin); bumping platform-express to a version on multer 2.2 would be a Nest major. Minor bump of multer. |
| #391 | `**/typedoc/markdown-it: ^14.2.0` | scoped | typedoc > markdown-it@^14.1.1; range allows it, resolution forces refresh. |
| #386 | `**/subscriptions-transport-ws/ws: ^7.5.11` | scoped | forest-cloud > subscriptions-transport-ws@0.9 > ws@^5\|\|^6\|\|^7; parent is unmaintained, no bump available. Patch bump of ws. |
| #381 | `**/tsx/esbuild: ^0.28.1` | scoped | workflow-executor-example > tsx > esbuild@~0.28.0; patch bump. |
| #377 | `**/concurrently/shell-quote: ^1.8.4` | scoped | _example > concurrently@9 > shell-quote@1.8.3 (exact pin); no concurrently release on 1.8.4 yet. Resolved to 1.9.0. |
| #380 | `**/forest-cli/joi: ^17.13.4` | scoped | forest-cloud > forest-cli > joi@17.12.2 (exact pin); direct bump in forest-cloud covers only its own copy. Minor bump. |
| #389 | `form-data: >=4.0.6` | unconditional | Multiple unrelated chains share it (@azure/core-rest-pipeline, superagent, axios, @types/superagent, forest-cloud direct). Patch bump. |
| #387 | `@babel/core: ^7.29.6` | unconditional | Two resolved copies (7.23.3, 7.28.4) across many jest/ts-jest/babel toolchain chains — no single parent. Minor bump within ^7. |

Also modified existing entries: `tar >=7.5.11 → >=7.5.16` (#388), `**/@modelcontextprotocol/sdk/hono ^4.12.18 → ^4.12.25` (#392–#396).

Resolutions removed

| File | Entry | Reason |
|---|---|---|
| package.json (root) | `axios: >=1.16.0` | Redundant — all declared ranges (^1.8.3, ^1.16.0) now naturally resolve to ≥1.16.0 (latest 1.x is 1.18.1); verified by removing + reinstalling, lockfile stays at 1.17.0. |
| package.json (root) | `@hono/node-server: ^1.19.13` | Redundant — sole declared range ^1.19.9 naturally resolves to 1.19.14 ≥ pin; verified by removing + reinstalling (stays 1.19.14). |
| package.json (root) | `**/ajv/fast-uri: ^3.1.2` | Redundant — ajv declares fast-uri@^3.0.1, which naturally resolves to 3.1.3 ≥ 3.1.2 (the ^2.x consumers are still covered by the remaining `**/@fastify/ajv-compiler/fast-uri` and `**/fast-json-stringify/fast-uri` entries); verified by removing + reinstalling (stays 3.1.2). |
| packages/agent/package.json | `overrides: { @paralleldrive/cuid2: 2.2.2 }` | Redundant/no-op — npm-style overrides are ignored by Yarn 1 entirely, and packages/agent already pins @paralleldrive/cuid2: 2.2.2 as an exact direct dependency; verified by removing + reinstalling (stays 2.2.2). |

Kept (still active): `lerna/**/glob` (forces 9.x/10.x ranges up), `semantic-release ^25` (forces ^21 range up), `qs >=6.15.2` (a qs@6.13.0 exact pin exists), `langsmith ^0.6.0` (holds langchain's >=0.5.0 <1.0.0 below 0.7), `lodash ^4.18.0` (a lodash@4.17.23 exact pin exists), `uuid ^11.1.1` (forces 8.x/9.x/10.x ranges), `tmp >=0.2.6` (a ^0.0.33 range exists), `**/express-rate-limit/ip-address ^10.1.1` (parent pins 10.1.0 exact), `**/@aws-sdk/xml-builder/fast-xml-parser ^5.7.0` (parent pins 5.5.8 exact), `**/@fastify/ajv-compiler/fast-uri`, `**/fast-json-stringify/fast-uri` (parents on ^2.x).

Risks

  • undici 5.29.0 → 6.27.0 under @actions/http-client — the only cross-major forced bump. Blast radius is the semantic-release publish tooling (dev-only, runs in release CI). undici 6 kept the request/ProxyAgent API surface http-client uses, but if the release workflow breaks, revert the `**/@actions/http-client/undici` entry.
  • shell-quote 1.8.3 → 1.9.0 and markdown-it 14.1.1 → 14.3.0 resolved past the minimum patched version (caret ranges); both are minor releases of stable libs used by dev tooling (concurrently, typedoc).
  • joi 17.12.2 → 17.13.4 inside forest-cli — forest-cli pinned joi exactly; minor bump, no API removals in 17.13.
  • All other bumps (multer, hono, form-data, tar, ws, esbuild, @babel/core, undici v7 line) are patch/minor within the parents' expected major — no behavior change expected beyond the patched vulns.
  • Removed resolutions were verified no-ops at the current lockfile state; on a future full lockfile regeneration, natural resolution stays at or above every removed pin.

Manual testing

Covered by CI. If the release pipeline is exercised before the next scheduled release, keep an eye on the semantic-release GitHub/npm publish steps (undici bump).

Validation

✅ CI green

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
qltysh Bot commented Jul 3, 2026
Coverage Impact

This PR will not change total coverage.

🚦 See full report on Qlty Cloud »


@nbouliol nbouliol merged commit 0d93aca into main Jul 3, 2026
38 checks passed
@nbouliol nbouliol deleted the security/2026-07-03 branch July 3, 2026 12:28