Skip to content

chore(deps): security refresh — resolve critical/high advisories, fold pending bumps#158

Merged
ABB65 merged 3 commits into
mainfrom
chore/deps-security-refresh
Jul 17, 2026
Merged

chore(deps): security refresh — resolve critical/high advisories, fold pending bumps#158
ABB65 merged 3 commits into
mainfrom
chore/deps-security-refresh

Conversation

@ABB65

@ABB65 ABB65 commented Jul 17, 2026

Copy link
Copy Markdown
Member

Ne / neden

main'de 66 Dependabot güvenlik uyarısı vardı (1 kritik, 11 high, 44 medium, 10 low). Bu PR agresif tek geçişte bunları kapatıyor ve bekleyen Dependabot PR'larının işe yarar bump'larını içine katıyor.

Güvenlik sonucu

  • Kritik (shell-quote) ve tüm high'lar çözüldü.
  • Kalan tek flag: uuid — açığı uuid.v3/v5/v6'nın buf argümanıyla çağrılmasını gerektiriyor; Studio'nun transitive kullanımı (@aws-sdk, uuid.v4) bunu hiç yapmıyor → riskli cross-SDK major override bilinçli olarak atlandı.

Nasıl

Direct + toolchain bump'ları (geçen/düzeltilebilir Dependabot grup PR'larını içeri katar):
@anthropic-ai/sdk 0.80→0.112 · sharp 0.34.5→0.35.3 · marked→18.0.2 · vue 3.5.40 · vue-router 5.2.0 · testing group (vitest 4.1.10, @vue/test-utils 2.4.11, playwright-core 1.61.1, …) · linting group (@nuxt/eslint 1.16, eslint 10.7, @commitlint 21, lint-staged 17) · tsx 4.23.

pnpm overrides (parent'ı eski pinleyen runtime-reachable transitive'ler):
hono ^4.12.25 (MCP loopback server) · fast-uri ^3.1.2 · fast-xml-parser ^5.7.0 · ws ^8.21.0 · qs ^6.15.2 · js-cookie ^3.0.7.

Lockfile refresh tek başına main'deki bayat uyarıları temizliyor (shell-quote 1.9.0, nuxt 4.4.8, vite 7.3.6, devalue 5.8.1, dompurify 3.4.11, tar 7.5.19, …).

Kod: @nuxt/eslint 1.16 gerçek kod kokularını flag'ledi (no-useless-assignment, preserve-caught-error) — migrate-postgres, anthropic-ai, cdn-builder ve Polar webhook handler'da düzeltildi.

Dependabot triyajı (araştırıldı, kaybolan bump yok)

#107#111 bu PR ile supersede.

Doğrulama

pnpm typecheck ✅ · pnpm lint ✅ (0 hata) · pnpm test ✅ (1068/1068) · pnpm build ✅ · app-smoke-managed e2e ✅ (12/12, sharp boot doğrulandı)

…d pending bumps

Aggressive dependency pass closing the Dependabot backlog (66 alerts on main).

Direct + toolchain bumps (folds the passing/fixable Dependabot group PRs into one
reviewable change):
- @anthropic-ai/sdk 0.80 -> 0.112, sharp 0.34.5 -> 0.35.3, marked -> 18.0.2,
  vue 3.5.40, vue-router 5.2.0
- testing group (vitest 4.1.10, @vue/test-utils 2.4.11, playwright-core 1.61.1, ...)
- linting group (@nuxt/eslint 1.16, eslint 10.7, @commitlint 21, lint-staged 17)
- tsx 4.23

pnpm overrides for runtime-reachable transitives whose parents pin old versions:
hono ^4.12.25 (MCP loopback server), fast-uri ^3.1.2, fast-xml-parser ^5.7.0,
ws ^8.21.0, qs ^6.15.2, js-cookie ^3.0.7.

A lockfile refresh alone clears the stale advisories on main (shell-quote 1.9.0,
nuxt 4.4.8, vite 7.3.6, devalue 5.8.1, dompurify 3.4.11, tar 7.5.19, ...).

Result: the one critical (shell-quote) and every high are resolved. The only
remaining flagged package is uuid — its advisory needs uuid.v3/v5/v6 called with
a `buf` argument, which Studio's transitive usage (@aws-sdk, uuid.v4) never does,
so a risky cross-SDK major override is deliberately skipped.

The @nuxt/eslint 1.16 bump surfaced real code smells (no-useless-assignment,
preserve-caught-error) — fixed in migrate-postgres, anthropic-ai, cdn-builder,
and the Polar webhook handler.

Supersedes #107, #108, #109, #110, #111.
sharp 0.35.3 crashed the Nuxt server at boot on the CI runner
("Server process exited before becoming ready", sharp.mjs:171 install
error) — its native binary doesn't resolve on linux-x64 there, though it
built fine on darwin-arm64 locally (which is why the local smoke was a
false green). sharp is not a security advisory, so 0.34.5 (known-good on
CI) loses nothing. This also confirms #111's e2e failure was sharp, not a
stale base.
@ABB65

ABB65 commented Jul 17, 2026

Copy link
Copy Markdown
Member Author

Reverted sharp 0.34.5→0.35.3 in 9cbc018: sharp 0.35.3 fails to load its native binary on the CI Linux runner (server crashes at boot), though it built fine locally on darwin-arm64. sharp is not a security advisory so 0.34.5 is kept. This also confirms the earlier #111 e2e failure was sharp, not a stale base.

@ABB65
ABB65 merged commit 0c10311 into main Jul 17, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant