Skip to content

security: bump vulnerable npm dependencies#108

Merged
sauravpanda merged 3 commits into
browser-use:mainfrom
sauravpanda:saurav/security-npm-dep-bumps
Jul 12, 2026
Merged

security: bump vulnerable npm dependencies#108
sauravpanda merged 3 commits into
browser-use:mainfrom
sauravpanda:saurav/security-npm-dep-bumps

Conversation

@sauravpanda

@sauravpanda sauravpanda commented Jul 12, 2026

Copy link
Copy Markdown
Collaborator

What & why

Bumps npm dependencies flagged by our security scan to patched, pinned versions. Every version respects the repo's 3-day minimumReleaseAge guard, and I picked the newest patch within the lowest safe major to minimize breakage.

Direct deps

package where before → after
turbo root 2.8.13 → 2.10.4
vite root catalog 7.1.4 → 7.3.6
dompurify root catalog + packages/ui 3.3.1 → 3.4.11
@hey-api/openapi-ts packages/sdk/js 0.90.10 → 0.97.3
@opentelemetry/core, sdk-trace-base packages/bcode-laminar 2.6.1 → 2.9.0
nitro enterprise, stats/app, console/app, console/support 3.0.1-alpha.1 → 3.0.260610-beta
@actions/artifact packages/desktop 4.0.0 → 5.0.1 (drops @azure/core-http → kills vulnerable uuid@8.3.2)

Transitive (root overrides) — safe, same-major only

  • postcss 8.5.16, tar 7.5.19
  • @opentelemetry/{core,sdk-trace-base,resources,sdk-trace-node} 2.9.0 — unifies the OTel stable set and drops the vulnerable 2.6.1 the OTLP exporters / sdk-node@0.214.0 pull in (they exact-pin 2.6.1). Within OTel major 2.x, so semver-safe.

esbuild & uuid — fixed at source, not via global override

  • esbuild: no override. vite@7.3.6 declares esbuild ^0.27||^0.28; a global pin can't also satisfy sdks/vscode (^0.25.3) or @jsx-email/cli (^0.19). vite now resolves esbuild@0.28.1 naturally (≥ the 0.25 CVE floor).
  • uuid: no override. The @actions/artifact bump removes @azure/core-http, the sole source of uuid@8.3.2; uuid resolves to a single 14.0.1 and Effect keeps its ^14.

js-yaml / picomatch / ws — intentionally NOT overridden (see review)

Each of these only ever appears in the tree under a consumer that requires the old major, so a global override would break that consumer, not fix anything:

  • js-yaml: gray-matter@4.0.3 pins js-yaml ^3.13.1 and calls safeLoad/safeDump (removed in v4). It drives markdown frontmatter parsing in core config/skill loading, so forcing v4 threw at runtime (thanks @chatgpt-codex-connector for catching this — it's invisible to typecheck). Verified: a clean install links gray-matter → js-yaml@3.15.0 and parsing works.
  • picomatch: micromatch@4.0.8 pins picomatch ^2.3.1 (even the latest micromatch still pins v2).
  • ws: @slack/socket-mode@1.3.6 pins ws ^7; ws@7.5.11 is already patched for CVE-2024-37890. Getting ws 8 there needs @slack/bolt 3→4 (a Slack-bot API migration).

App fix surfaced by the vite bump

  • packages/app/src/components/titlebar.tsx: null-check VITE_OPENCODE_CHANNEL (declared optional in env.d.ts). vite 7.3's stricter import.meta.env typing exposed the pre-existing unsafe .includes() / .toUpperCase() access.

Verification

  • Clean bun install resolves cleanly; bun.lock refreshed.
  • Runtime smoke test: gray-matter frontmatter parse works (would throw under the old js-yaml override).
  • Confirmed removed: uuid@8, @azure/core-http, @opentelemetry/core@2.6, postcss@8.4, dompurify@3.3, nitro@…alpha.
  • bun turbo typecheck — 25/25 packages pass.

Deliberately left as follow-ups (need parent bumps / replacements)

  • astro (5.7.13 → needs ≥6.4.6): 5→6 migration blocked by toolbeam-docs-theme (astro peer ^5.7.13, no v6 release); starlight/cloudflare/solid need lockstep bumps; no patched astro 5.x.
  • js-yaml 3.x (gray-matter — unmaintained, final release pins js-yaml 3), picomatch 2.x (micromatch), ws 7.x (@slack/bolt 3), esbuild 0.18/0.19 (@jsx-email/cli build-time tooling): all locked behind parents that require a major migration or a replacement.
  • transitive vite < 7.3.5 inside dev tooling (@jsx-email/cli → vite@4, astro → vite@6, solid-start/vitest → vite@7.1).
  • node-forge — not present anywhere in the dependency tree.

Note: opened from a fork because I have read-only access to this repo.

Bump flagged packages to patched, pinned versions to clear the dependency
security advisories. All picks respect the repo's 3-day minimumReleaseAge;
`bun install` and a full `turbo typecheck` (13/13 packages) pass.

Direct deps
- turbo 2.8.13 -> 2.10.4
- vite (catalog) 7.1.4 -> 7.3.6
- dompurify (catalog + ui) 3.3.1 -> 3.4.11
- @hey-api/openapi-ts 0.90.10 -> 0.97.3 (packages/sdk/js)
- @opentelemetry/core + sdk-trace-base 2.6.1 -> 2.9.0 (packages/bcode-laminar)
- nitro 3.0.1-alpha.1 -> 3.0.260610-beta (enterprise, stats/app, console/app, console/support)

Transitive (root overrides)
- esbuild 0.25.12, postcss 8.5.16, tar 7.5.19
- js-yaml 4.3.0, picomatch 4.0.5, uuid 11.1.1, ws 8.21.0
- @opentelemetry/{core,sdk-trace-base,resources,sdk-trace-node} 2.9.0
  (unify the OTel stable set, dropping the vulnerable 2.6.1 pulled in by
  the exporters/sdk-node)

Left as follow-ups
- astro (5.7.13): the advisory needs >=6.4.6, but the coordinated 5->6
  migration is blocked by toolbeam-docs-theme (astro peer ^5.7.13, no v6
  release yet); starlight/cloudflare/solid also need bumping in lockstep.
- transitive vite <7.3.5 inside dev tooling (@jsx-email/cli vite@4,
  astro vite@6, solid-start/vitest vite@7.1): can't be blanket-forced
  without breaking those majors.
- node-forge: not present in the dependency tree.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f0549a4689

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread package.json Outdated
Comment thread package.json Outdated

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All reported issues were addressed across 9 files

Reply with feedback, questions, or to request a fix.

Fix all with cubic | Re-trigger cubic

Comment thread package.json Outdated
Comment thread package.json Outdated
…rides

- Drop the global `esbuild` override: it forced vite@7.3.6 below its
  declared `^0.27.0 || ^0.28.0` range. Natural resolution now gives vite
  esbuild@0.28.1 (>= the 0.25 CVE floor); only @jsx-email/cli's build-time
  esbuild 0.18/0.19 remains (email tooling, dev-server-only CVE, low risk).
- Drop the global `uuid` override: it downgraded Effect's already-safe
  uuid@14 to 11.1.1. Instead bump @opencode-ai/desktop's @actions/artifact
  4.0.0 -> 5.0.1, which drops @azure/core-http (the only source of the
  vulnerable uuid@8.3.2). uuid now resolves to a single 14.0.1.
- titlebar.tsx: null-check VITE_OPENCODE_CHANNEL (declared optional in
  env.d.ts); vite 7.3's stricter import.meta.env typing surfaced the
  pre-existing unsafe access.

Full `bun turbo typecheck` passes (25/25).

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d037d1bbf2

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread package.json Outdated
Codex flagged js-yaml, and the same reasoning applies to picomatch/ws:
each global override forced a consumer past its declared major.

- js-yaml@4.3.0 broke gray-matter@4.0.3 (declares js-yaml ^3.13.1, calls
  the safeLoad/safeDump APIs removed in v4). gray-matter drives markdown
  frontmatter parsing in core config/skill loading, so it threw at
  runtime (invisible to typecheck). Verified fixed: a clean install links
  gray-matter -> js-yaml@3.15.0 and matter(...) parses again.
- picomatch@4.0.5 forced onto micromatch@4.0.8 (^2.3.1; even latest
  micromatch pins picomatch 2).
- ws@8.21.0 forced onto @slack/socket-mode@1.3.6 (^7). ws@7.5.11 is
  already patched for CVE-2024-37890; getting ws 8 there needs
  @slack/bolt 3 -> 4 (a Slack-bot API migration).

Each override only ever targeted a consumer that requires the old major,
so removing them just restores natural, working resolution. The remaining
sub-floor transitives (js-yaml 3 / picomatch 2 / ws 7 / esbuild 0.19) are
documented as follow-ups needing parent bumps or replacements.

Full bun turbo typecheck passes (25/25).

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c7b614b64c

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread packages/console/app/package.json
@sauravpanda sauravpanda merged commit af4bbb6 into browser-use:main Jul 12, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant