chore(deps): patch Dependabot security alerts (Tier 1 + dev/build) #13
Merged
Resolves the actionable Dependabot alerts; remaining open alerts require a Next 14->15 major migration (tracked separately).

Runtime:
- next 14.2.16 -> 14.2.35 (studio + www): clears CVE-2025-29927 and 12 other 14.2-line advisories (the rest are Next-15-only)
- cn.hutool:hutool-all 5.8.20 -> 5.8.21 (CVE-2023-24163)
- dompurify (via monaco-editor) -> >=3.4.9 through pnpm override

Dev / build-time:
- vitest 2.x -> 3.2.6 (pulls vite 6.4.3, clearing the vite alert too)
- esbuild 0.21.5 -> 0.25.0 (mcp-bridge)
- glob -> 10.5.0, postcss -> >=8.5.10 via pnpm overrides
- eslint-config-next aligned to 14.2.35; drop duplicate keys in studio package.json

Validated: mvn compile; pnpm -r typecheck; studio vitest (13/13); mcp-bridge build + tests (117); next build for www and studio.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Summary
Triaged the 92 open Dependabot alerts (which collapse to 8 distinct packages — the count is inflated by the same vuln appearing across 3 manifests) and applied the safe, verifiable fixes. This clears everything except the alerts that require a Next 14 → 15 major migration (left for a separate effort).
Net effect: ~92 alerts → ~10 remaining (all Next-15-only).
Changes
Runtime
- next 14.2.16 → 14.2.35 (studio + www) — clears the critical CVE-2025-29927 (middleware authz bypass; note neither app actually uses Next middleware, so it wasn't reachable) plus 12 other 14.2-line advisories.
- cn.hutool:hutool-all 5.8.20 → 5.8.21 (CVE-2023-24163 XML deserialization; code only uses hutool JSON/codec, so not reachable — patch bump regardless).
- dompurify (transitive via monaco-editor) → ≥3.4.9 via pnpm override.
Dev / build-time (rated high/critical but never shipped to prod)
- vitest 2.x → 3.2.6 — also pulls vite 6.4.3, clearing the vite alert.
- esbuild 0.21.5 → 0.25.0 (mcp-bridge).
- glob → 10.5.0, postcss → ≥8.5.10 via pnpm overrides.
- eslint-config-next aligned to 14.2.35; removed duplicate keys in studio package.json.
Deferred (Tier 4 — separate PR)
~10 remaining next advisories (several High: CVE-2026-44573/44578, etc.) are only patched in Next 15.5.16 with no 14.2 backport. Clearing them needs an App Router major migration + testing — out of scope here. Mostly image-optimization SSRF / cache / dev-server class.
Validation
- mvn -o compile ✓
- pnpm -r typecheck ✓ (all 5 projects)
- vitest run ✓ (13/13, under vitest 3 + vite 6)
- node --test ✓ (117)
- next build ✓ for www and studio
🤖 Generated with Claude Code