Skip to content

fix(deps): close 25 npm security alerts in docs and the JS SDK#620

Merged
rogeriochaves merged 1 commit into
mainfrom
dependabot-scout/scenario-npm-security
Jun 8, 2026
Merged

fix(deps): close 25 npm security alerts in docs and the JS SDK#620
rogeriochaves merged 1 commit into
mainfrom
dependabot-scout/scenario-npm-security

Conversation

@langwatch-agent

Copy link
Copy Markdown
Contributor

Why

A consolidated, low-risk security pass over the npm side of scenario. It closes 25 open Dependabot alerts (all MODERATE) in the docs site and the javascript SDK. Every fix is a transitive dependency forced to a patched version via a pnpm override; no direct dependency and no application code changes.

Everything stays within the same major version of each package (the one exception, uuid, is explicitly capped to its existing major), so breakage risk is low.

What changed

docs/pnpm-workspace.yaml (23 alerts). Two existing overrides were stale (below the now-required patched versions) and are refreshed; the rest are new. All of these come in transitively through the vocs docs framework.

package override alerts
dompurify >=3.4.0 #199 #237 #264 #265 #315 #320 #321 #322
hono >=4.12.21 (was >=4.12.18) #402 #403 #404 #405
mermaid >=11.15.0 #360 #361 #362 #363
uuid >=11.1.1 <12 #389
brace-expansion >=5.0.6 (5.0.x line only) #382
postcss >=8.5.10 #328
@hono/node-server >=1.19.13 (was <1.19.10) #287
yaml >=2.8.3 #229
mdast-util-to-hast >=13.2.1 #71
js-yaml >=4.1.1 #65

javascript/package.json (2 alerts). The previous protobufjs overrides pinned 8.0.2 and 7.5.6, both of which are themselves still vulnerable; refreshed to the patched lines.

package override alerts
protobufjs >=8.2.0 and >=7.5.8 #385 #386

Lockfiles regenerated for both. Every resolved copy of each package is now at or above the patched version, with no vulnerable copy left behind (verified by sweeping the lockfiles).

How this was verified

  • docs: pnpm install clean, tsc --noEmit passes, and vocs build prerenders the whole site successfully (the bumps to mermaid, dompurify and hono are exercised by the build). Lockfile sweep confirms no remaining vulnerable dompurify/mermaid/postcss/yaml/etc copies.
  • javascript SDK: pnpm install clean, tsc --noEmit passes, tsup build (including the .d.ts generation) succeeds. protobufjs resolves to 7.5.8 and 8.6.1.

Deliberately left out

  • The openai-realtime-demo example (hono/ws/ip-address/ajv, ~10 alerts). It is a workspace member of javascript/ but ships its own separate committed lockfile, so its package level overrides are ignored by the workspace resolver. Fixing its lock correctly needs a standalone (--ignore-workspace) regeneration, which is its own change and not worth bundling into this pass.
  • uuid fix(docs): exclude scenario.report.app from pdoc to unblock Publish Docs #388 in the JS SDK. The vulnerable range spans uuid 9.x/10.x/11.x copies in that tree, so a single override would force unrelated consumers across majors. Needs a more targeted look.
  • The python/examples/lovable_clone template (react-router, brace-expansion, yaml, js-yaml, @babel/runtime). Mixed npm (package-lock.json) and pnpm template; separate follow up.
  • The PIP alerts (aiohttp, starlette). Different toolchain (uv); separate pass.

Consolidated low-risk security pass via pnpm overrides. No direct
dependencies change; every fix is a transitive override bumped to a
patched version, all within the same major (except uuid, capped to its
existing major). docs typecheck + build and the JS SDK typecheck + build
all pass.

docs/pnpm-workspace.yaml (23 alerts): refresh the stale hono and
@hono/node-server overrides and add patched-version overrides for the
rest.
  dompurify  >=3.4.0   (#199 #237 #264 #265 #315 #320 #321 #322)
  hono       >=4.12.21 (#402 #403 #404 #405)
  mermaid    >=11.15.0 (#360 #361 #362 #363)
  uuid       >=11.1.1  (#389, capped <12)
  brace-expansion >=5.0.6 (#382)
  postcss    >=8.5.10  (#328)
  @hono/node-server >=1.19.13 (#287)
  yaml       >=2.8.3   (#229)
  mdast-util-to-hast >=13.2.1 (#71)
  js-yaml    >=4.1.1   (#65)

javascript/package.json (2 alerts): refresh the stale protobufjs
overrides (the previous targets 8.0.2 and 7.5.6 were themselves still
vulnerable).
  protobufjs >=8.2.0 and >=7.5.8 (#385 #386)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@langwatch-agent

Copy link
Copy Markdown
Contributor Author

Ready for human review. Closes 25 MODERATE npm alerts (23 in docs, 2 in the JS SDK) via pnpm override refreshes only, all transitive and within-major. Verified: docs typecheck + vocs build green, JS SDK typecheck + tsup build green, lockfile sweep shows no vulnerable copies left. Deferred items (realtime-demo dual-lock, uuid #388 multi-major, python template, PIP) are in the description.

@github-actions

github-actions Bot commented Jun 8, 2026

Copy link
Copy Markdown
Contributor

Automated low-risk assessment

This PR was evaluated against the repository's Low-Risk Pull Requests procedure and does not qualify as low risk.

The PR updates pnpm overrides and lockfiles to force newer transitive dependency versions across the docs site and the JavaScript SDK (including runtime libraries like protobufjs, mermaid, dompurify, yaml/js-yaml, postcss, uuid, etc.). Because these are dependency-resolution changes that affect runtime libraries used by the SDK (not just docs or formatting) and could alter behavior or integrations, this is not clearly within the allowed low-risk categories and should receive a normal review.

This PR requires a manual review before merging.

@rogeriochaves rogeriochaves merged commit ca91380 into main Jun 8, 2026
17 checks passed
@rogeriochaves rogeriochaves deleted the dependabot-scout/scenario-npm-security branch June 8, 2026 12:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants