chore(deps): security refresh — resolve critical/high advisories, fold pending bumps#158
Merged
Conversation
…d pending bumps Aggressive dependency pass closing the Dependabot backlog (66 alerts on main). Direct + toolchain bumps (folds the passing/fixable Dependabot group PRs into one reviewable change): - @anthropic-ai/sdk 0.80 -> 0.112, sharp 0.34.5 -> 0.35.3, marked -> 18.0.2, vue 3.5.40, vue-router 5.2.0 - testing group (vitest 4.1.10, @vue/test-utils 2.4.11, playwright-core 1.61.1, ...) - linting group (@nuxt/eslint 1.16, eslint 10.7, @commitlint 21, lint-staged 17) - tsx 4.23 pnpm overrides for runtime-reachable transitives whose parents pin old versions: hono ^4.12.25 (MCP loopback server), fast-uri ^3.1.2, fast-xml-parser ^5.7.0, ws ^8.21.0, qs ^6.15.2, js-cookie ^3.0.7. A lockfile refresh alone clears the stale advisories on main (shell-quote 1.9.0, nuxt 4.4.8, vite 7.3.6, devalue 5.8.1, dompurify 3.4.11, tar 7.5.19, ...). Result: the one critical (shell-quote) and every high are resolved. The only remaining flagged package is uuid — its advisory needs uuid.v3/v5/v6 called with a `buf` argument, which Studio's transitive usage (@aws-sdk, uuid.v4) never does, so a risky cross-SDK major override is deliberately skipped. The @nuxt/eslint 1.16 bump surfaced real code smells (no-useless-assignment, preserve-caught-error) — fixed in migrate-postgres, anthropic-ai, cdn-builder, and the Polar webhook handler. Supersedes #107, #108, #109, #110, #111.
This was referenced Jul 17, 2026
sharp 0.35.3 crashed the Nuxt server at boot on the CI runner
("Server process exited before becoming ready", sharp.mjs:171 install
error) — its native binary doesn't resolve on linux-x64 there, though it
built fine on darwin-arm64 locally (which is why the local smoke was a
false green). sharp is not a security advisory, so 0.34.5 (known-good on
CI) loses nothing. This also confirms #111's e2e failure was sharp, not a
stale base.
Member
Author
|
Reverted sharp 0.34.5→0.35.3 in 9cbc018: sharp 0.35.3 fails to load its native binary on the CI Linux runner (server crashes at boot), though it built fine locally on darwin-arm64. sharp is not a security advisory so 0.34.5 is kept. This also confirms the earlier #111 e2e failure was sharp, not a stale base. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Ne / neden
main'de 66 Dependabot güvenlik uyarısı vardı (1 kritik, 11 high, 44 medium, 10 low). Bu PR agresif tek geçişte bunları kapatıyor ve bekleyen Dependabot PR'larının işe yarar bump'larını içine katıyor.Güvenlik sonucu
uuid.v3/v5/v6'nınbufargümanıyla çağrılmasını gerektiriyor; Studio'nun transitive kullanımı (@aws-sdk,uuid.v4) bunu hiç yapmıyor → riskli cross-SDK major override bilinçli olarak atlandı.Nasıl
Direct + toolchain bump'ları (geçen/düzeltilebilir Dependabot grup PR'larını içeri katar):
@anthropic-ai/sdk0.80→0.112 ·sharp0.34.5→0.35.3 ·marked→18.0.2 ·vue3.5.40 ·vue-router5.2.0 · testing group (vitest 4.1.10, @vue/test-utils 2.4.11, playwright-core 1.61.1, …) · linting group (@nuxt/eslint 1.16, eslint 10.7, @commitlint 21, lint-staged 17) · tsx 4.23.pnpm overrides (parent'ı eski pinleyen runtime-reachable transitive'ler):
hono ^4.12.25(MCP loopback server) ·fast-uri ^3.1.2·fast-xml-parser ^5.7.0·ws ^8.21.0·qs ^6.15.2·js-cookie ^3.0.7.Lockfile refresh tek başına main'deki bayat uyarıları temizliyor (shell-quote 1.9.0, nuxt 4.4.8, vite 7.3.6, devalue 5.8.1, dompurify 3.4.11, tar 7.5.19, …).
Kod:
@nuxt/eslint1.16 gerçek kod kokularını flag'ledi (no-useless-assignment,preserve-caught-error) — migrate-postgres, anthropic-ai, cdn-builder ve Polar webhook handler'da düzeltildi.Dependabot triyajı (araştırıldı, kaybolan bump yok)
@nuxt/eslint1.16'nın yeni kurallarının mevcut kodu flag'lemesi kırıyordu; kod düzeltildi, bump içeri katıldı.→ #107–#111 bu PR ile supersede.
Doğrulama
pnpm typecheck✅ ·pnpm lint✅ (0 hata) ·pnpm test✅ (1068/1068) ·pnpm build✅ ·app-smoke-managede2e ✅ (12/12, sharp boot doğrulandı)