fix(deps): close 25 npm security alerts in docs and the JS SDK#620
Conversation
Consolidated low-risk security pass via pnpm overrides. No direct dependencies change; every fix is a transitive override bumped to a patched version, all within the same major (except uuid, capped to its existing major). docs typecheck + build and the JS SDK typecheck + build all pass. docs/pnpm-workspace.yaml (23 alerts): refresh the stale hono and @hono/node-server overrides and add patched-version overrides for the rest. dompurify >=3.4.0 (#199 #237 #264 #265 #315 #320 #321 #322) hono >=4.12.21 (#402 #403 #404 #405) mermaid >=11.15.0 (#360 #361 #362 #363) uuid >=11.1.1 (#389, capped <12) brace-expansion >=5.0.6 (#382) postcss >=8.5.10 (#328) @hono/node-server >=1.19.13 (#287) yaml >=2.8.3 (#229) mdast-util-to-hast >=13.2.1 (#71) js-yaml >=4.1.1 (#65) javascript/package.json (2 alerts): refresh the stale protobufjs overrides (the previous targets 8.0.2 and 7.5.6 were themselves still vulnerable). protobufjs >=8.2.0 and >=7.5.8 (#385 #386) Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
Ready for human review. Closes 25 MODERATE npm alerts (23 in docs, 2 in the JS SDK) via pnpm override refreshes only, all transitive and within-major. Verified: docs typecheck + vocs build green, JS SDK typecheck + tsup build green, lockfile sweep shows no vulnerable copies left. Deferred items (realtime-demo dual-lock, uuid #388 multi-major, python template, PIP) are in the description. |
|
Automated low-risk assessment This PR was evaluated against the repository's Low-Risk Pull Requests procedure and does not qualify as low risk.
This PR requires a manual review before merging. |
Why
A consolidated, low-risk security pass over the npm side of scenario. It closes 25 open Dependabot alerts (all MODERATE) in the
docssite and thejavascriptSDK. Every fix is a transitive dependency forced to a patched version via a pnpm override; no direct dependency and no application code changes.Everything stays within the same major version of each package (the one exception, uuid, is explicitly capped to its existing major), so breakage risk is low.
What changed
docs/pnpm-workspace.yaml(23 alerts). Two existing overrides were stale (below the now-required patched versions) and are refreshed; the rest are new. All of these come in transitively through thevocsdocs framework.>=3.4.0>=4.12.21(was>=4.12.18)>=11.15.0>=11.1.1 <12>=5.0.6(5.0.x line only)>=8.5.10>=1.19.13(was<1.19.10)>=2.8.3>=13.2.1>=4.1.1javascript/package.json(2 alerts). The previous protobufjs overrides pinned 8.0.2 and 7.5.6, both of which are themselves still vulnerable; refreshed to the patched lines.>=8.2.0and>=7.5.8Lockfiles regenerated for both. Every resolved copy of each package is now at or above the patched version, with no vulnerable copy left behind (verified by sweeping the lockfiles).
How this was verified
pnpm installclean,tsc --noEmitpasses, andvocs buildprerenders the whole site successfully (the bumps to mermaid, dompurify and hono are exercised by the build). Lockfile sweep confirms no remaining vulnerable dompurify/mermaid/postcss/yaml/etc copies.pnpm installclean,tsc --noEmitpasses,tsupbuild (including the.d.tsgeneration) succeeds. protobufjs resolves to 7.5.8 and 8.6.1.Deliberately left out
openai-realtime-demoexample (hono/ws/ip-address/ajv, ~10 alerts). It is a workspace member ofjavascript/but ships its own separate committed lockfile, so its package level overrides are ignored by the workspace resolver. Fixing its lock correctly needs a standalone (--ignore-workspace) regeneration, which is its own change and not worth bundling into this pass.python/examples/lovable_clonetemplate (react-router, brace-expansion, yaml, js-yaml, @babel/runtime). Mixed npm (package-lock.json) and pnpm template; separate follow up.