
chore(security): close dependabot alerts q2#3456

Merged: nicktrn merged 15 commits into main from security/dependabot-alerts-q2 on Apr 28, 2026

Conversation

nicktrn (Collaborator) commented Apr 27, 2026

Closes ~80 dependabot alerts (3 critical, ~25 high, ~31 medium) by bumping direct deps where possible and narrowly overriding the rest. Cloud uses resend email transport and Node 20 - all bumps are safe for both cloud and self-hosters.

Direct upgrades

| Package | Where | From | To | Why |
|---|---|---|---|---|
| vite | root devDeps | ^5.4.21 | (removed) | dead pin; vitest pulls vite transitively |
| dompurify | apps/webapp | ^3.2.6 | ^3.4.1 | XSS CVEs |
| effect | apps/webapp | ^3.11.7 | ^3.21.2 | AsyncLocalStorage CVE in Effect fibers |
| nodemailer | internal-packages/emails | ^7.0.11 | ^8.0.6 | SMTP CRLF injection (only affects self-hosters w/ smtp/aws-ses transport) |
| uuid | apps/webapp | ^9.0.0 | ^14.0.0 | buffer bounds check; ESM-only but bundled by Remix |
| uuid + @types/uuid | packages/trigger-sdk | ^9.0.0 | (removed) | dead deps, no usage |
| @types/uuid | apps/webapp | ^9.0.0 | (removed) | uuid 14 ships its own types |
| tar | packages/cli-v3 | ^7.5.4 | ^7.5.13 | path traversal CVEs |
| testcontainers + @testcontainers/postgresql + @testcontainers/redis | internal-packages/testcontainers | ^10.28.0 | ^11.14.0 | dev/test cleanup; one-line API fix for RedisContainer(image) |
| rimraf | webapp + 6 packages | ^3.0.2 / ^5.0.7 | ^6.0.1 | dev/build tool consolidation |

Scoped overrides

All bound by both >= and < to avoid major-version yanks.

| Override | Closes |
|---|---|
| `tar@>=7 <7.5.11` → `^7.5.11` | supervisor's @kubernetes/client-node 1.0.0 chain |
| `axios@>=1.0.0 <1.15.0` → `^1.15.0` | replaces older 1.9.0 pin |
| `systeminformation@>=5.0.0 <5.31.0` → `^5.31.0` | bumps existing 5.27.14 pin |
| `lodash@>=4.0.0 <4.18.0` → `^4.18.0` | bumps existing 4.17.23 pin |
| `lodash-es@>=4.0.0 <4.18.0` → `^4.18.0` | new (mirrors lodash) |
| `dompurify@>=3 <3.4.0` → `^3.4.1` | catches transitive dompurify via mermaid |
| `vite@>=5.0.0 <6.4.2` → `^6.4.2` | path traversal; vite 5 has no patch |
| `rollup@>=4 <4.59.0` → `^4.59.0` | path traversal in vite/vitest chain |
| `flatted@>=3 <3.4.2` → `^3.4.2` | prototype pollution in eslint flat-cache |
| `picomatch@>=2 <2.3.2` → `^2.3.2` | ReDoS in 2.x branch (transitive) |
| `picomatch@>=4 <4.0.4` → `^4.0.4` | ReDoS in 4.x branch (vitest/tinyglobby) |
| `minimatch@>=3 <3.1.3` → `^3.1.3` | ReDoS in eslint 8 chain |
| `protobufjs@>=7 <7.5.5` → `^7.5.5` | critical RCE via @opentelemetry/otlp-transformer |
| `fast-xml-parser@>=4 <4.5.5` → `^4.5.5` | DOCTYPE bypass + others (4.x branch via aws-sdk in supervisor) |
| `fast-xml-parser@>=5 <5.7.0` → `^5.7.0` | critical + others (5.x branch via aws-sdk in webapp) |
| `path-to-regexp@>=0.1 <0.1.13` → `^0.1.13` | ReDoS in express 4 / @remix-run/express |
| `ajv@>=8 <8.18.0` → `^8.18.0` | DoS |
| `socket.io-parser@>=4 <4.2.6` → `^4.2.6` | DoS in @trigger.dev/core's socket.io |
| `postcss@>=8 <8.5.10` → `^8.5.10` | XSS via stringify |
| `yaml@>=2 <2.8.3` → `^2.8.3` | DoS |
| `semver@>=5 <5.7.2` → `^5.7.2` | ReDoS in 5.x |
| `defu@>=6 <6.1.5` → `^6.1.5` | prototype pollution via proto in @prisma/config c12 chain |

Dismissed (~47)

| Reason | Cluster | Count |
|---|---|---|
| not_used | langsmith + next 15.x in references/* | 10 |
| not_used | minimatch 8.x via prisma-generator-ts-enums (references/prisma-6) | 3 |
| not_used | basic-ftp via puppeteer in references/hello-world + references/seed | 2 |
| not_used | hono / @hono/node-server / express-rate-limit / path-to-regexp 8.x / @modelcontextprotocol/sdk - all via mcp-sdk chain (dormant in webapp; dev-only localhost in cli-v3) | 22 |
| not_used | fastify / @fastify/static / file-type via evalite devDep | 5 |
| tolerable_risk | rollup 3 + minimatch 5/8/9/10 dev/build tooling | 13 |

Notes

  • mcp-sdk chain: @vercel/sdk in webapp imports Vercel API client only; mcp-server/* subpath isn't loaded at runtime. cli-v3's MCP server runs only via trigger mcp on developer machines. Bumping @modelcontextprotocol/sdk to latest (1.29.0) wouldn't close these alerts anyway - it ships hono ^4.11.4 which is still vulnerable - so dismissal is the cleaner call.
  • References ignore list: confirmed with current dependabot ignore config; added references/seed/package.json (only gap).
  • undici alerts (CVE-2026-1527, 4 alerts) will auto-close: lockfile already at 6.25.0 > patched 6.24.0; just needs Dependabot rescan.
  • Effect 3.20 fix is a runtime-only scheduler fix, no public API changes - verified with research agent against our four effect/* imports.
  • uuid 14 is ESM-only; we only call validate/version (no crypto needed) so Node 20 requirement isn't load-bearing for us.

Public packages (packages/*)

Minimal surface, deliberately. None of these change published runtime behaviour - all changesets-worthy public package changes are deferred to a regular release pass.

| Package | Change | Runtime impact |
|---|---|---|
| packages/trigger-sdk | Removed dead uuid dep (no source imports) | None - dep was unused |
| packages/cli-v3 | tar ^7.5.4 → ^7.5.13 | Patch bump within already-allowed 7.x range; nothing CLI consumers see |
| packages/core / packages/build / packages/python / packages/rsc / packages/react-hooks / packages/schema-to-json | rimraf ^3.0.2 → ^6.0.1 in devDeps | Build-time only, no runtime change |

No changeset added because nothing in these packages affects what published consumers run.

Validation

  • Webapp typecheck (forced, no cache) passes after every commit
  • Smoke-tested testcontainers v11 changes via real postgresTest + redisTest (sync.test.ts, releaseConcurrency.test.ts) - both pass
  • Webapp built + verified require("uuid") no longer in CJS server output (now bundled inline)
  • Test env webapp deployed at dependabot-q2.rc0 (cloud#740) - no issues observed
  • Test suite run with package prerelease passed
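As an added example (not code from the PR or the trigger.dev repository), a small Node script that audits a package.json's `pnpm.overrides` for the two properties the description's "scoped overrides" section relies on: every selector is bounded by both `>=` and `<`, and the replacement stays in the selector's major line and at or above the patched floor. The sample overrides are the PR's own plus one constructed unbounded `lodash` entry; the semver parsing is a minimal stand-in, not the semver package.

```javascript
// Added example (not the PR's code): audits pnpm.overrides against the rule in the
// description, that each selector has >= and < bounds and stays in one major line.
const SAMPLE_PACKAGE_JSON = {
  // Constructed sample: selectors from the PR plus an unbounded "lodash" entry to flag.
  pnpm: {
    overrides: {
      "tar@>=7 <7.5.11": "^7.5.11",
      "dompurify@>=3 <3.4.0": "^3.4.1",
      "picomatch@>=2 <2.3.2": "^2.3.2",
      "picomatch@>=4 <4.0.4": "^4.0.4",
      "path-to-regexp@>=0.1 <0.1.13": "^0.1.13",
      "vite@>=5.0.0 <6.4.2": "^6.4.2", // the PR's one deliberate cross-major override
      "lodash": "^4.18.0", // constructed: no range, so it rewrites every lodash version
    },
  },
};

function parseVersion(s) {
  // Accepts partial versions such as "7" or "0.1"; missing parts become 0.
  const parts = s.replace(/^[\^~]/, "").split(".").map((p) => parseInt(p, 10));
  if (parts.length === 0 || parts.some(Number.isNaN)) throw new Error(`bad version: ${s}`);
  while (parts.length < 3) parts.push(0);
  return parts;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function parseSelector(key) {
  // "name@range": split at the last "@" so scoped names survive; only ">=X" and "<Y" count as bounds.
  const at = key.lastIndexOf("@");
  if (at <= 0) return { lower: null, upper: null };
  let lower = null, upper = null;
  for (const token of key.slice(at + 1).trim().split(/\s+/)) {
    if (token.startsWith(">=")) lower = parseVersion(token.slice(2));
    else if (/^<[^=]/.test(token)) upper = parseVersion(token.slice(1));
  }
  return { lower, upper };
}

function auditOverrides(pkg) {
  const overrides = (pkg.pnpm && pkg.pnpm.overrides) || {};
  const findings = [];
  for (const [key, replacement] of Object.entries(overrides)) {
    const { lower, upper } = parseSelector(key);
    if (!lower || !upper) {
      findings.push({ key, problem: "unbounded selector" });
      continue;
    }
    const target = parseVersion(replacement);
    if (lower[0] !== target[0]) findings.push({ key, problem: "crosses major version" });
    if (compareVersions(target, upper) < 0) findings.push({ key, problem: "replacement below patched floor" });
  }
  return findings;
}

for (const f of auditOverrides(SAMPLE_PACKAGE_JSON)) console.log(`${f.problem}: ${f.key}`);
```

On the sample it reports the constructed `lodash` entry as unbounded and the PR's `vite` override as crossing a major, which is exactly the case the description justifies by hand ("vite 5 has no patch").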

changeset-bot commented Apr 27, 2026

⚠️ No Changeset found

Latest commit: 92eb872

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.


coderabbitai Bot commented Apr 27, 2026

Walkthrough

This pull request updates dependency versions and pnpm overrides across the monorepo. Changes include runtime bumps in apps/webapp (dompurify, effect, uuid), removal of @types/dompurify and @types/uuid, multiple rimraf devDependency upgrades, nodemailer and its types update in internal-packages/emails, testcontainers devDependency bumps, CLI tar bump, and many new/widened root pnpm.overrides. It pins the Redis test container image to redis:7.2 and increases test container stop timeouts (to millisecond values). remix.config.js now lists uuid in serverDependenciesToBundle.


coderabbitai Bot left a comment (marked as resolved)

🧹 Nitpick comments (1)
internal-packages/testcontainers/src/utils.ts (1)

78-80: Test Redis version (7.2) differs slightly from production default (7.x). Production uses floating redis:7 tag, which resolves to the latest 7.x release (currently 7.4+), while tests pin to redis:7.2. Since both are floating tags and the minor version difference is acceptable in test infrastructure, no change is required. However, worth confirming this version choice was intentional if redis:7 would better mirror production.


🔇 Additional comments (1)
internal-packages/testcontainers/src/utils.ts (1)

102-102: Timeout unit migration looks correct.

Both stop-timeout call sites correctly preserve the prior wall-clock behavior under testcontainers v11's seconds→milliseconds change: 30 → 30_000 (Line 102) and 10 → 10_000 (Line 242), and the comment on Line 241 now accurately documents the unit. No drift in cleanup semantics.

Also applies to: 241-242

@nicktrn nicktrn marked this pull request as ready for review April 27, 2026 16:57

@devin-ai-integration devin-ai-integration Bot left a comment


Devin Review found 2 potential issues.

@devin-ai-integration devin-ai-integration Bot left a comment


Devin Review found 2 new potential issues.

@nicktrn nicktrn merged commit 91fd8a8 into main Apr 28, 2026
78 checks passed
@nicktrn nicktrn deleted the security/dependabot-alerts-q2 branch April 28, 2026 09:22