security: bump vulnerable npm dependencies#108
Conversation
Bump flagged packages to patched, pinned versions to clear the dependency
security advisories. All picks respect the repo's 3-day minimumReleaseAge;
`bun install` and a full `turbo typecheck` (13/13 packages) pass.
Direct deps
- turbo 2.8.13 -> 2.10.4
- vite (catalog) 7.1.4 -> 7.3.6
- dompurify (catalog + ui) 3.3.1 -> 3.4.11
- @hey-api/openapi-ts 0.90.10 -> 0.97.3 (packages/sdk/js)
- @opentelemetry/core + sdk-trace-base 2.6.1 -> 2.9.0 (packages/bcode-laminar)
- nitro 3.0.1-alpha.1 -> 3.0.260610-beta (enterprise, stats/app, console/app, console/support)
Transitive (root overrides)
- esbuild 0.25.12, postcss 8.5.16, tar 7.5.19
- js-yaml 4.3.0, picomatch 4.0.5, uuid 11.1.1, ws 8.21.0
- @opentelemetry/{core,sdk-trace-base,resources,sdk-trace-node} 2.9.0
(unify the OTel stable set, dropping the vulnerable 2.6.1 pulled in by
the exporters/sdk-node)
Left as follow-ups
- astro (5.7.13): the advisory needs >=6.4.6, but the coordinated 5->6
migration is blocked by toolbeam-docs-theme (astro peer ^5.7.13, no v6
release yet); starlight/cloudflare/solid also need bumping in lockstep.
- transitive vite <7.3.5 inside dev tooling (@jsx-email/cli vite@4,
astro vite@6, solid-start/vitest vite@7.1): can't be blanket-forced
without breaking those majors.
- node-forge: not present in the dependency tree.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f0549a4689
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
There was a problem hiding this comment.
All reported issues were addressed across 9 files
Reply with feedback, questions, or to request a fix.
Fix all with cubic | Re-trigger cubic
…rides - Drop the global `esbuild` override: it forced vite@7.3.6 below its declared `^0.27.0 || ^0.28.0` range. Natural resolution now gives vite esbuild@0.28.1 (>= the 0.25 CVE floor); only @jsx-email/cli's build-time esbuild 0.18/0.19 remains (email tooling, dev-server-only CVE, low risk). - Drop the global `uuid` override: it downgraded Effect's already-safe uuid@14 to 11.1.1. Instead bump @opencode-ai/desktop's @actions/artifact 4.0.0 -> 5.0.1, which drops @azure/core-http (the only source of the vulnerable uuid@8.3.2). uuid now resolves to a single 14.0.1. - titlebar.tsx: null-check VITE_OPENCODE_CHANNEL (declared optional in env.d.ts); vite 7.3's stricter import.meta.env typing surfaced the pre-existing unsafe access. Full `bun turbo typecheck` passes (25/25).
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: d037d1bbf2
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Codex flagged js-yaml, and the same reasoning applies to picomatch/ws: each global override forced a consumer past its declared major. - js-yaml@4.3.0 broke gray-matter@4.0.3 (declares js-yaml ^3.13.1, calls the safeLoad/safeDump APIs removed in v4). gray-matter drives markdown frontmatter parsing in core config/skill loading, so it threw at runtime (invisible to typecheck). Verified fixed: a clean install links gray-matter -> js-yaml@3.15.0 and matter(...) parses again. - picomatch@4.0.5 forced onto micromatch@4.0.8 (^2.3.1; even latest micromatch pins picomatch 2). - ws@8.21.0 forced onto @slack/socket-mode@1.3.6 (^7). ws@7.5.11 is already patched for CVE-2024-37890; getting ws 8 there needs @slack/bolt 3 -> 4 (a Slack-bot API migration). Each override only ever targeted a consumer that requires the old major, so removing them just restores natural, working resolution. The remaining sub-floor transitives (js-yaml 3 / picomatch 2 / ws 7 / esbuild 0.19) are documented as follow-ups needing parent bumps or replacements. Full bun turbo typecheck passes (25/25).
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: c7b614b64c
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
What & why
Bumps npm dependencies flagged by our security scan to patched, pinned versions. Every version respects the repo's 3-day
minimumReleaseAgeguard, and I picked the newest patch within the lowest safe major to minimize breakage.Direct deps
packages/uipackages/sdk/jspackages/bcode-laminarpackages/desktop@azure/core-http→ kills vulnerableuuid@8.3.2)Transitive (root
overrides) — safe, same-major onlypostcss8.5.16,tar7.5.19@opentelemetry/{core,sdk-trace-base,resources,sdk-trace-node}2.9.0 — unifies the OTel stable set and drops the vulnerable2.6.1the OTLP exporters /sdk-node@0.214.0pull in (they exact-pin 2.6.1). Within OTel major 2.x, so semver-safe.esbuild & uuid — fixed at source, not via global override
esbuild ^0.27||^0.28; a global pin can't also satisfy sdks/vscode (^0.25.3) or @jsx-email/cli (^0.19). vite now resolvesesbuild@0.28.1naturally (≥ the 0.25 CVE floor).@actions/artifactbump removes@azure/core-http, the sole source ofuuid@8.3.2; uuid resolves to a single14.0.1and Effect keeps its^14.js-yaml / picomatch / ws — intentionally NOT overridden (see review)
Each of these only ever appears in the tree under a consumer that requires the old major, so a global override would break that consumer, not fix anything:
gray-matter@4.0.3pinsjs-yaml ^3.13.1and callssafeLoad/safeDump(removed in v4). It drives markdown frontmatter parsing in core config/skill loading, so forcing v4 threw at runtime (thanks @chatgpt-codex-connector for catching this — it's invisible to typecheck). Verified: a clean install links gray-matter →js-yaml@3.15.0and parsing works.micromatch@4.0.8pinspicomatch ^2.3.1(even the latest micromatch still pins v2).@slack/socket-mode@1.3.6pinsws ^7;ws@7.5.11is already patched for CVE-2024-37890. Getting ws 8 there needs@slack/bolt3→4 (a Slack-bot API migration).App fix surfaced by the vite bump
packages/app/src/components/titlebar.tsx: null-checkVITE_OPENCODE_CHANNEL(declared optional inenv.d.ts). vite 7.3's stricterimport.meta.envtyping exposed the pre-existing unsafe.includes()/.toUpperCase()access.Verification
bun installresolves cleanly;bun.lockrefreshed.uuid@8,@azure/core-http,@opentelemetry/core@2.6,postcss@8.4,dompurify@3.3,nitro@…alpha.bun turbo typecheck— 25/25 packages pass.Deliberately left as follow-ups (need parent bumps / replacements)
5.7.13→ needs≥6.4.6): 5→6 migration blocked bytoolbeam-docs-theme(astro peer^5.7.13, no v6 release); starlight/cloudflare/solid need lockstep bumps; no patched astro 5.x.