
fix: patch 5 security alerts (2 high, 3 moderate) #56

Merged
John Kennedy (jkennedyvz) merged 1 commit into main from fix/security-alerts-2026-04-21 on Apr 21, 2026

Conversation

@jkennedyvz (Contributor)
Security Alert Patch

Resolves all 5 open Dependabot security alerts on main via a lockfile-only refresh. No package.json changes — existing constraints already permit the fixed versions.

Packages Updated

| Package | Old → New | Strategy | Scope | Alerts Resolved |
|---|---|---|---|---|
| vite | 7.3.1 → 7.3.2 | A-lockfile (constraint ^7.2.6 already allows 7.3.2) | dev-only | #35, #36, #37 |
| langsmith | 0.4.6 → 0.5.21 | A-lockfile (transitive; parent constraint >=0.4.0 <1.0.0 already allows 0.5.x) | runtime (transitive) | #38, #39 |

Strategy key: A-lockfile = lockfile-only refresh, no manifest constraint change. Scope = dev-only means the dep is not shipped to end users; runtime (transitive) means the dep is pulled in by a runtime dep (@langchain/core, langchain) but not directly imported by openwork source.

CVE / GHSA Details

| Alert | Severity | ID | Package | Summary |
|---|---|---|---|---|
| #36 | High | CVE-2026-39363 / GHSA-p9ff-h696-f583 | vite | Arbitrary file read via Vite dev server WebSocket |
| #35 | High | CVE-2026-39364 / GHSA-v2wj-q39q-566r | vite | server.fs.deny bypassed with queries |
| #37 | Moderate | CVE-2026-39365 / GHSA-4w7w-66w2-5vf9 | vite | Path traversal in optimized deps .map handling |
| #38 | Moderate | CVE-2026-40190 / GHSA-fw9q-39r9-c252 | langsmith | Prototype pollution via incomplete __proto__ guard in internal lodash set() |
| #39 | Moderate | GHSA-rr7j-v2q5-chgv | langsmith | Streaming token events bypass output redaction |

Linear Tickets

No matching Linear tickets found for the resolved CVEs.

Upstream Issues

None — all fixes come from released upstream patches.

Breaking-Change Assessment

  • vite 7.3.1 → 7.3.2: patch bump, no breaking changes.
  • langsmith 0.4.6 → 0.5.21: minor bump on a 0.x package. Parent packages @langchain/core and langchain declare langsmith: ">=0.4.0 <1.0.0", pre-validating compatibility across the 0.4 → 0.5 boundary. openwork does not import langsmith directly (verified via grep of src/), so no direct API surface is exposed to the bump.

Verification

  • npm run typecheck — passes
  • npm run build — passes (vite v7.3.2 builds main/preload/renderer)
  • npm run lint — 0 errors (3 pre-existing prettier warnings unrelated to this change)
  • gitleaks git --staged — clean

🤖 Submitted by langster-patch

Bumps:
- vite 7.3.1 -> 7.3.2 (dev)
- langsmith 0.4.6 -> 0.5.21 (transitive via @langchain/core, langchain)

Resolves: GHSA-p9ff-h696-f583, GHSA-v2wj-q39q-566r, GHSA-4w7w-66w2-5vf9,
GHSA-fw9q-39r9-c252, GHSA-rr7j-v2q5-chgv
John Kennedy (jkennedyvz) merged commit 92719b2 into main on Apr 21, 2026
7 checks passed