fix(deps): patch 7 transitive security advisories (CYPACK-1186) #1195

Open

cyrusagent wants to merge 2 commits into main from cypack-1186-security-patches

Conversation


@cyrusagent cyrusagent commented May 10, 2026

Summary

Patches all 7 open Dependabot advisories on main by bumping pnpm.overrides:

  • hono ≥4.12.18 — fixes CSS injection in JSX SSR (GHSA-qp7p-654g-cw7p), Cache Middleware cross-user leakage (GHSA-p77w-8qqv-26rm), and JWT NumericDate validation (GHSA-hm8q-7f3q-5f36). Bumps existing override from >=4.12.7.
  • fast-uri ≥3.1.2 (new override) — fixes path-traversal via percent-encoded dot segments (GHSA-q3j6-qgpj-74h6, high) and host-confusion via percent-encoded authority delimiters (GHSA-v39h-62p7-jpjc, high). Pulled in transitively via fastify > @fastify/ajv-compiler.
  • ip-address ≥10.1.1 (new override) — fixes XSS in Address6 HTML-emitting methods (GHSA-v2v4-37r5-5v8g). Pulled in transitively via @modelcontextprotocol/sdk > express-rate-limit.
  • @anthropic-ai/sdk ≥0.91.1 (new override) — fixes insecure default file permissions in the local filesystem memory tool (GHSA-p7fg-763f-g4gf, CVE-2026-41686). The transitive copy under @anthropic-ai/claude-agent-sdk was on 0.81.0; the latest released claude-agent-sdk (0.2.138) still requires @anthropic-ai/sdk: ^0.81.0, so a direct-dep bump cannot reach the patched transitive — override is the appropriate fallback per our policy.

The 0.91.1 type updates added a required stop_details field on BetaMessage. This PR adds stop_details: null to the BetaMessage stubs constructed in cursor-runner, codex-runner, and gemini-runner to satisfy the new type.

pnpm audit now reports zero advisories.

Supersedes #1192 (which only addressed 2 of the 7 advisories).

Closes CYPACK-1186.

Test plan

  • pnpm install clean
  • pnpm audit reports zero advisories
  • pnpm build succeeds across all packages
  • pnpm typecheck clean
  • pnpm test:packages:run — all 17 workspace projects pass (1240 tests)

Bump pnpm.overrides to pull in patched versions of hono (>=4.12.18),
fast-uri (>=3.1.2), ip-address (>=10.1.1), and @anthropic-ai/sdk
(>=0.91.1). Add stop_details: null to BetaMessage stubs in the
cursor/codex/gemini runners to satisfy the new @anthropic-ai/sdk type.

pnpm audit now reports zero advisories.
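One check a reviewer would want alongside this PR is proof that each override actually reached the transitive copy (the case described for @anthropic-ai/sdk under @anthropic-ai/claude-agent-sdk). The script below is an added example, not code from this repository: it reads the `packages:` section of a pnpm-lock.yaml and reports every resolved copy of an overridden package that is still below its patched floor. It handles only the `>=x.y.z` range form this PR uses, and the lockfile text is constructed for illustration.

```javascript
// Added example, not the PR's own code: verify that every pnpm.overrides range is
// satisfied by every resolved copy of that package in pnpm-lock.yaml. Handles the
// ">=x.y.z" form this PR uses; the lockfile text below is constructed sample data.
const OVERRIDES = { // the four ranges this PR adds to pnpm.overrides
  'hono': '>=4.12.18',
  'fast-uri': '>=3.1.2',
  'ip-address': '>=10.1.1',
  '@anthropic-ai/sdk': '>=0.91.1',
};
const SAMPLE_LOCK = `lockfileVersion: '9.0'
packages:
  '@anthropic-ai/sdk@0.81.0':
    resolution: {integrity: sha512-constructed}
  fast-uri@3.1.2: {}
  hono@4.12.18: {}
  ip-address@9.0.5: {}
`;
// name -> [versions] from the packages: section; accepts v6 "/name@ver" and
// v9 "name@ver(peer...)" keys. Any prerelease suffix after x.y.z is ignored.
function resolvedVersions(lockText) {
  const entry = /^  '?\/?((?:@[^/\s']+\/)?[^@\s']+)@(\d+\.\d+\.\d+)/;
  const found = {};
  let inPackages = false;
  for (const line of lockText.split('\n')) {
    if (/^\S/.test(line)) { inPackages = line.startsWith('packages:'); continue; }
    const m = inPackages ? entry.exec(line) : null;
    if (m) (found[m[1]] = found[m[1]] || []).push(m[2]);
  }
  return found;
}
// true when version is at or above the floor of a ">=x.y.z" range.
function satisfiesMin(version, range) {
  const m = /^>=(\d+)\.(\d+)\.(\d+)$/.exec(range);
  if (!m) throw new Error(`unsupported range: ${range}`);
  const want = m.slice(1, 4).map(Number), have = version.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (have[i] !== want[i]) return have[i] > want[i];
  return true;
}
// One "name@version < range" string per copy still below its patched floor;
// an empty array means every override took effect.
function checkOverrides(lockText, overrides = OVERRIDES) {
  const resolved = resolvedVersions(lockText);
  const bad = [];
  for (const [name, range] of Object.entries(overrides))
    for (const v of resolved[name] || [])
      if (!satisfiesMin(v, range)) bad.push(`${name}@${v} < ${range}`);
  return bad;
}
console.log(checkOverrides(SAMPLE_LOCK)); // sample: ip-address and @anthropic-ai/sdk are stale
```

Feed the real lockfile contents in place of SAMPLE_LOCK; a non-empty result means `pnpm audit` being clean is not the whole story for that package.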
@Connoropolous (Contributor) commented:

@cyrusagent can you rebase off main and fix merge conflicts?

@cyrus-cyhost-904 commented:

I can't connect to your local environment because the Cyrus process isn't running. Run cyrus in your terminal and keep it running, then mention me again.
