fix: patch Dependabot critical/high alerts #330

Open
tnrdd wants to merge 1 commit into main from fix/dependabot-tier1-2

Conversation

@tnrdd (Contributor) commented Jun 30, 2026
Addresses the open Dependabot alerts (3 critical, 57 high, plus mediums/lows). Almost all are transitive; only next and kysely are direct.

Direct dependency bumps

  • next 15.3.8 → 15.5.19 — clears all 20 direct alerts, including every high-severity one (stays on the 15.x major, no v16 jump)
  • kysely ^0.28.0 → ^0.28.17 (3 high alerts)
  • eslint-config-next → 15.5.19 to stay in sync with Next

pnpm.overrides for vulnerable transitives

Each pinned to a security patch within its current major (no breaking upgrades). Where multiple majors coexisted, overrides are scoped per-major.

  • Criticals: fast-xml-parser 5.5.6 (AWS SDK), sha.js 2.4.12 (Coinbase wallet SDK), form-data 4.0.6 (Coinbase CDP SDK)
  • Highs: axios 1.18.1, ws 7.5.11 / 8.21.0, socket.io-parser 4.2.6, picomatch 2.3.2, minimatch 3.1.5 / 9.0.9, lodash 4.18.1, immutable 5.1.9, h3 1.15.11, flatted 3.4.2, defu 6.1.7, base-x 3.0.11, effect 3.21.4, hono 4.12.27, @hono/node-server 1.19.14

Not addressed here (need upstream major upgrades, unsafe to force)

  • @libp2p/kad-dht — resolved at 12.x, only patched in 16.x (4-major jump via @helia/verified-fetch); forcing it would likely break IPFS fetch
  • vite — dev-only peer of vitest; pnpm can't override an auto-installed peer, real fix is a vitest bump. Dev-server advisory, not shipped to production.

Most remaining transitives are deep in the web3 wallet stack (wagmi → @wagmi/connectors → porto / walletconnect / reown / coinbase); the overrides above cover the patchable ones.

Verification

  • pnpm typecheck
  • pnpm lint
  • pnpm test:unit ✅ (285 passed, 1 skipped)

Note: hono/h3 sit in the wallet-connect runtime path (patch-level bumps within the same major); worth a quick wallet-connect smoke test on the preview deploy before merge.

Direct bumps:
- next 15.3.8 -> 15.5.19 (clears all 20 direct alerts incl. high)
- kysely -> 0.28.17, eslint-config-next -> 15.5.19

pnpm overrides for vulnerable transitives, each pinned within its
current major (security patch level, no breaking upgrades):
- criticals: fast-xml-parser 5.5.6, sha.js 2.4.12, form-data 4.0.6
- highs: axios 1.18.1, ws 7.5.11/8.21.0, socket.io-parser 4.2.6,
  picomatch 2.3.2, minimatch 3.1.5/9.0.9, lodash 4.18.1,
  immutable 5.1.9, h3 1.15.11, flatted 3.4.2, defu 6.1.7,
  base-x 3.0.11, effect 3.21.4, hono 4.12.27, @hono/node-server 1.19.14

Not addressed (need upstream major upgrades, unsafe to force):
- @libp2p/kad-dht (12.x -> 16.x, via @helia/verified-fetch)
- vite (dev-only peer of vitest; needs vitest bump)
@vercel Bot commented Jun 30, 2026

Project: platform
Deployment: Ready (Preview)
Updated (UTC): Jun 30, 2026 4:42am


@gaston-review Bot left a comment

Gaston Review

Verdict: Approved

Score: ███████░░░ 7/10

Pull Request Summary

This PR patches Dependabot critical/high alerts by bumping three direct dependencies (next 15.3→15.5, kysely 0.28.0→0.28.17, eslint-config-next 15.5.15→15.5.19) and adding 19 pnpm overrides to force patched versions of transitive dependencies like axios, ws, lodash, minimatch, picomatch, fast-xml-parser, and others.

Review Summary

🟡 Warning — Next.js minor version jump (15.3 → 15.5) bundled with security patches
Bumping Next.js by two minor versions is a bigger change than the other patches here. If this is driven by a specific CVE in Next.js, it's justified. But if it's just opportunistic, consider whether it should be a separate PR with its own verification. Either way, make sure the build and e2e suite pass.

The approach is solid — using pnpm overrides with version-range selectors (e.g. ws@7, ws@8) is the right way to pin transitive dependencies for security patches without waiting for upstream to update. The lockfile consolidation from multiple ws/axios/lodash versions down to single patched versions is clean. My only real concern is the Next.js minor version jump being bundled into what's otherwise a security-only patch PR.


🔍 Reviewed by Gaston
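Both the PR description (pnpm.overrides scoped per major where several majors coexist) and the review above (version-range selectors such as ws@7, ws@8) rely on the same mechanism, and both want the same evidence: that the lockfile actually consolidated onto the patched versions. The following Node script is an added example, not code from this PR or the project. It writes the override map in the same key shape pnpm accepts under package.json "pnpm.overrides" (a bare name applies to every resolved major, "name@N" only to resolutions whose major is N) and scans a pnpm-lock.yaml for resolutions still below the pinned patch level. The versions are the ones the PR lists; the lockfile excerpt is constructed, and its fast-xml-parser@4 entry exists only to show that a bare key spans majors, which is exactly why the PR scopes ws and minimatch per major instead of using a bare key.

```javascript
// Added example (not the project's code): check a pnpm lockfile against the
// per-major override map the PR describes. Override keys use the selector
// syntax of package.json "pnpm.overrides": a bare name applies to every
// resolved major, "name@N" only to resolutions whose major is N.
// Versions mirror the PR; the lockfile excerpt below is constructed.
const OVERRIDES = {
  "ws@7": "7.5.11",
  "ws@8": "8.21.0",
  "minimatch@3": "3.1.5",
  "minimatch@9": "9.0.9",
  "fast-xml-parser": "5.5.6",
  "@hono/node-server": "1.19.14",
};

// Constructed excerpt in pnpm lockfile v9 layout. It deliberately keeps a
// stale ws@8.17.0 and a fast-xml-parser@4 consumer so the check has something
// to flag; a real lockfile is read from disk instead of this string.
const LOCKFILE = `lockfileVersion: '9.0'

packages:
  '@hono/node-server@1.19.14(hono@4.12.27)':
    resolution: {integrity: sha512-constructed}
  fast-xml-parser@4.4.1:
    resolution: {integrity: sha512-constructed}
  fast-xml-parser@5.5.6:
    resolution: {integrity: sha512-constructed}
  minimatch@3.1.5:
    resolution: {integrity: sha512-constructed}
  ws@7.5.11(bufferutil@4.0.8)(utf-8-validate@5.0.10):
    resolution: {integrity: sha512-constructed}
  ws@8.17.0:
    resolution: {integrity: sha512-constructed}
  ws@8.21.0:
    resolution: {integrity: sha512-constructed}

snapshots:
  ws@8.21.0: {}
`;

// "ws@7" -> {name: "ws", major: 7}; "@hono/node-server" -> {name, major: null}.
// Only a trailing "@N" is a selector; a leading "@" is the scope marker.
function parseOverrideKey(key) {
  const at = key.lastIndexOf("@");
  if (at <= 0) return { name: key, major: null };
  return { name: key.slice(0, at), major: Number(key.slice(at + 1)) };
}

// Numeric compare on major.minor.patch; pre-release tags are ignored here.
function compareVersions(a, b) {
  const pa = a.split(".").map((x) => parseInt(x, 10));
  const pb = b.split(".").map((x) => parseInt(x, 10));
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every "name@version" key under the top-level "packages:" block. Keys may be
// quoted (scoped packages) and carry a peer suffix such as "(hono@4.12.27)".
function lockfilePackages(text) {
  const keyRe = /^  '?(@?[^\s'@]+)@([^\s'(:]+)/;
  const found = [];
  let inPackages = false;
  for (const line of text.split("\n")) {
    if (/^packages:/.test(line)) { inPackages = true; continue; }
    if (inPackages && /^\S/.test(line)) inPackages = false; // next top-level block
    if (!inPackages) continue;
    const m = keyRe.exec(line);
    if (m) found.push({ name: m[1], version: m[2] });
  }
  return found;
}

// One message per resolution an override should have lifted but that is still
// below the pinned patch level. Empty array: lockfile agrees with the overrides.
function findUnpatched(lockfileText, overrides = OVERRIDES) {
  const rules = Object.entries(overrides).map(([k, v]) => ({ ...parseOverrideKey(k), pinned: v }));
  const violations = [];
  for (const pkg of lockfilePackages(lockfileText)) {
    const major = parseInt(pkg.version, 10);
    for (const r of rules) {
      if (r.name !== pkg.name) continue;
      if (r.major !== null && r.major !== major) continue; // selector scoped to another major
      if (compareVersions(pkg.version, r.pinned) < 0) {
        violations.push(`${pkg.name}@${pkg.version} is below override ${r.pinned}`);
      }
    }
  }
  return violations;
}

console.log(findUnpatched(LOCKFILE));
```

On the constructed excerpt this reports the stale ws@8.17.0 and the fast-xml-parser@4.4.1 entry; against a real pnpm-lock.yaml read from disk after `pnpm install`, an empty result is the consolidation evidence the review asks for. The script only inspects the `packages:` block and does not walk the dependency graph, so it says that a stale resolution exists, not which consumer pulled it in; `pnpm why <pkg>` answers that.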
