chore(security): patch 5 Dependabot alerts (2026-04-30)#1574

Closed
PMerlet wants to merge 2 commits intomainfrom
security/2026-04-30

Conversation

Member

@PMerlet PMerlet commented Apr 30, 2026

Summary

1 fixed, 3 ignored, 3 deferred, 1 resolution added, 0 resolutions removed, 4 could-not-auto-fix. | label: 🔒 security applied

Fixed

Alert  Package          Ecosystem  From → To                  Severity  Bump
#340   fast-xml-parser  npm        5.5.8 → 5.7.2 (resolved)   medium    resolution; @aws-sdk/xml-builder@3.972.16 pins the vulnerable 5.5.8

Ignored

Could not auto-fix

  • #330, #331, #332, #333 @fastify/express <= 4.0.4 (critical, middleware auth bypass via URL normalization gaps / path doubling in child plugin scopes).
    • Why no fix: the patched version is 4.0.5, but @fastify/express@4.x is built on fastify-plugin@^5.0.0, which hard-checks for fastify@5.x at registration time. The agent's packages/agent/test/framework-mounter.test.ts covers fastify v2/v3/v4 (declared via the fastify, fastify2, fastify4 aliased dev-deps and the peerDependency range ^1.1.0 || ^2.0.0 || ^3.0.0 || ^4.0.0). With @fastify/express@^4.0.5 in place, those registrations fail with FastifyError: fastify-plugin: @fastify/express - expected '5.x' fastify version, '3.29.5' is installed (and the same against 4.29.1).
    • What was attempted: bumped @fastify/express from ^1.1.0 → ^4.0.5 in packages/agent/package.json (devDep + peerDep). Pushed in commit 268bf4d. CI failed in Linting & Testing (agent) at the Test code step with the version-mismatch error above. Reverted in commit 1a57b1d.
    • Next step (not done in this PR): migrating the agent to fastify 5.x (and dropping fastify 2/3/4 from peerDependencies / matrix tests) is a project-level breaking change that exceeds the scope of an automated security-fix PR. Tracking separately is recommended before the next vuln scan run.

Deferred

(Same root cause as #339 above — likely IGNORE on next run too.)

Resolutions added

  • #340 fast-xml-parser: ^5.7.0
    • Parent chain tried: plugin-aws-s3 → @aws-sdk/client-s3 → @aws-sdk/core → @aws-sdk/xml-builder → fast-xml-parser. @aws-sdk/xml-builder@3.972.16 (the version satisfying @aws-sdk/core's ^3.972.6) tightly pins fast-xml-parser to exactly 5.5.8.
    • Why no parent bump: newer @aws-sdk/xml-builder@3.972.20+ ships fast-xml-parser@5.7.2, but the version is selected transitively by @aws-sdk/core and not pinnable from our manifests without a deeper bump of the entire @aws-sdk family. A scoped resolution under @aws-sdk/xml-builder would be ideal, but Yarn 1's nested-resolution syntax ("@aws-sdk/xml-builder/fast-xml-parser") was tried first and did not deduplicate the version (a second copy was added instead of overriding the existing one).
    • Placed in: root package.json (Yarn 1 ignores workspace-level resolutions).
    • Form: unconditional root entry (last-resort fallback). Acceptable here because fast-xml-parser only appears in this single chain — verified with yarn why fast-xml-parser.

Resolutions removed

None. Existing root resolutions (tar, micromatch, qs, axios, follow-redirects, lerna/**/glob, semantic-release, hono, @hono/node-server, langsmith, lodash, lodash-es) were sampled by removing each, re-running yarn install, and inspecting yarn why:

  • tar → without pin drops to tar@6.2.1 via sqlite3. Pin needed.
  • micromatch → without pin, semantic-release-slack-bot pulls 4.0.2 (vulnerable). Pin needed.
  • qs → without pin, body-parser/@nestjs/platform-express pull 6.13.0 (vulnerable). Pin needed.
  • The remaining entries are likely still-needed security pins; a full removal-and-reinstall sweep was not performed for all 12 to keep this PR's scope contained. They will be re-audited in subsequent runs.

Risks

  • fast-xml-parser 5.5.8 → 5.7.2 is a minor bump within the same major. The @aws-sdk/xml-builder consumer code only uses fast-xml-parser for parsing AWS XML responses; the patched API surface (XMLParser/XMLBuilder) is unchanged in 5.7.x. No behavior change beyond the patched vuln expected.

Manual testing

Covered by CI (yarn lint + yarn test matrix per workspace).

Validation

✅ CI green (after cycle-2 revert of @fastify/express bump)
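The "Could not auto-fix" entry above comes down to two version ranges with no common member: fastify-plugin refuses to register @fastify/express@4.x on anything but fastify 5.x, while the agent's peerDependency only admits fastify 1 through 4. The following is an added illustration of that reasoning, not code from the PR, the project or fastify-plugin (which uses the real semver package); it implements only the range syntax quoted on this page, and 5.0.0 is a constructed stand-in for "some fastify 5", since the page names no concrete 5.x version.

```javascript
// Added example, not code from the PR, the project or fastify-plugin: a
// small semver-range checker reproducing the conflict behind the
// "Could not auto-fix" entry. fastify-plugin rejects registration when the
// installed fastify does not satisfy the range the plugin declares ('5.x'
// for @fastify/express@4.x); the agent's peerDependency declares which
// fastify majors the agent itself supports. An automated bump is only
// possible if some fastify version satisfies both ranges at once.
// Supported syntax is the subset this page uses: '^x.y.z', 'N.x', 'N',
// exact versions and '||'. No prerelease tags.

const parseVersion = (v) => v.split('.').map(Number);

// Three-component numeric compare: negative, zero or positive, like strcmp.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// One comparator: '^1.1.0', '5.x', '5' or an exact '4.29.1'.
function satisfiesComparator(version, comparator) {
  const c = comparator.trim();
  const v = parseVersion(version);
  if (c.startsWith('^')) {
    const baseStr = c.slice(1);
    const base = parseVersion(baseStr);
    // caret: the left-most non-zero component may not change
    const sameLine = base[0] === 0 ? v[0] === 0 && v[1] === base[1] : v[0] === base[0];
    return sameLine && compareVersions(version, baseStr) >= 0;
  }
  const major = c.match(/^(\d+)(?:\.x(?:\.x)?)?$/);
  if (major) return v[0] === Number(major[1]);
  return compareVersions(version, c) === 0;
}

// '||' joins alternatives; any one of them may match.
function satisfies(version, range) {
  return range.split('||').some((alt) => satisfiesComparator(version, alt));
}

// Versions acceptable to both the agent's peer range and the plugin's requirement.
function compatibleVersions(candidates, agentPeerRange, pluginRequires) {
  return candidates.filter((v) => satisfies(v, agentPeerRange) && satisfies(v, pluginRequires));
}

// Ranges and versions quoted in the PR; '5.0.0' is a constructed stand-in
// for "any fastify 5", since no concrete 5.x version is named on the page.
const AGENT_PEER_RANGE = '^1.1.0 || ^2.0.0 || ^3.0.0 || ^4.0.0';
const FASTIFY_EXPRESS_REQUIRES = '5.x';
const CANDIDATES = ['3.29.5', '4.29.1', '5.0.0'];

function explainConflict() {
  const both = compatibleVersions(CANDIDATES, AGENT_PEER_RANGE, FASTIFY_EXPRESS_REQUIRES);
  return {
    agentAccepts: CANDIDATES.filter((v) => satisfies(v, AGENT_PEER_RANGE)),
    pluginAccepts: CANDIDATES.filter((v) => satisfies(v, FASTIFY_EXPRESS_REQUIRES)),
    both,
    autoFixable: both.length > 0,
  };
}

console.log(explainConflict());
// `both` is empty: no fastify version is acceptable to both sides, which is
// why the bump had to be reverted rather than retried with a different pin.
```

The empty intersection is the whole story: no amount of re-pinning @fastify/express fixes the alert while the peer range stops at ^4.0.0, so the only real fix is the fastify 5 migration the PR defers.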

Commits

- Bump @fastify/express to ^4.0.5 in packages/agent
  (fixes #330 #331 #332 #333: critical middleware auth bypass)
- Add resolution forcing fast-xml-parser >= 5.7.0
  (fixes #340: medium XML comment/CDATA injection in XMLBuilder)

@fastify/express@^4.0.5 depends on fastify-plugin@5 which requires
fastify@5; the agent's framework-mounter tests register on fastify v3
and v4, which fail with FST_ERR_PLUGIN_VERSION_MISMATCH. Reverting the
bump until the agent migrates to fastify@5; #330–#333 moved to 'Could
not auto-fix' on the PR.
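The PR verifies the fast-xml-parser resolution with `yarn why`, and notes that Yarn 1's nested-resolution syntax failed by adding a second copy rather than replacing the vulnerable one. The check below is an added example, not the PR's or the project's code: it parses a Yarn 1 lockfile directly and reports whether the package resolves to exactly one copy at or above the patched version. The two lockfile fragments are constructed to mirror the two outcomes the PR describes; the repository's real yarn.lock was not available here.

```javascript
// Added example (not code from the PR or the project): parse a Yarn 1
// yarn.lock and verify that a root "resolutions" entry really took effect.
// Two things must hold after `yarn install`: every resolved copy of the
// package is at or above the patched version, and there is exactly one copy
// (the PR notes that Yarn 1's nested-resolution syntax left the vulnerable
// 5.5.8 in place and merely added a second copy, which `yarn why` exposes).

// Parse the top-level entries of a Yarn 1 lockfile. An unindented line such as
//   fast-xml-parser@5.5.8, fast-xml-parser@^5.7.0:
// opens an entry whose indented body carries `version "x.y.z"`.
function lockEntries(lockText) {
  const entries = [];
  let current = null;
  for (const raw of lockText.split('\n')) {
    if (!raw.trim() || raw.startsWith('#')) continue;
    if (!/^\s/.test(raw) && raw.endsWith(':')) {
      const specifiers = raw.slice(0, -1).split(',').map((s) => {
        const spec = s.trim().replace(/^"|"$/g, '');
        const at = spec.lastIndexOf('@'); // last '@' so scoped names survive
        return { name: spec.slice(0, at), range: spec.slice(at + 1) };
      });
      current = { specifiers, version: null };
      entries.push(current);
    } else if (current) {
      const m = raw.match(/^\s+version "([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Map each resolved version of `name` to the requested ranges that landed on it.
function resolvedVersions(lockText, name) {
  const byVersion = new Map();
  for (const e of lockEntries(lockText)) {
    const ranges = e.specifiers.filter((s) => s.name === name).map((s) => s.range);
    if (ranges.length) byVersion.set(e.version, ranges);
  }
  return byVersion;
}

// Three-component numeric compare (no prerelease tags; enough for this check).
const compareVersions = (a, b) => {
  const [pa, pb] = [a, b].map((v) => v.split('.').map(Number));
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
};

// The check a reviewer wants: one copy, and that copy is patched.
function checkPin(lockText, name, minVersion) {
  const versions = [...resolvedVersions(lockText, name).keys()].sort(compareVersions);
  const unpatched = versions.filter((v) => compareVersions(v, minVersion) < 0);
  return {
    versions,
    unpatched,
    singleCopy: versions.length === 1,
    ok: versions.length === 1 && unpatched.length === 0,
  };
}

// Constructed lockfile fragments (not the project's real yarn.lock).
// Outcome 1: the root resolution `"fast-xml-parser": "^5.7.0"` deduplicated
// both requests onto the patched release.
const LOCK_AFTER_ROOT_RESOLUTION = `
"@aws-sdk/xml-builder@^3.972.6":
  version "3.972.16"
  dependencies:
    fast-xml-parser "5.5.8"

fast-xml-parser@5.5.8, fast-xml-parser@^5.7.0:
  version "5.7.2"
  resolved "https://registry.yarnpkg.com/fast-xml-parser/-/fast-xml-parser-5.7.2.tgz"
`;

// Outcome 2, the failure mode the PR describes: the vulnerable copy stays
// and a second copy is added beside it.
const LOCK_AFTER_NESTED_RESOLUTION = `
fast-xml-parser@5.5.8:
  version "5.5.8"
  resolved "https://registry.yarnpkg.com/fast-xml-parser/-/fast-xml-parser-5.5.8.tgz"

fast-xml-parser@^5.7.0:
  version "5.7.2"
  resolved "https://registry.yarnpkg.com/fast-xml-parser/-/fast-xml-parser-5.7.2.tgz"
`;

console.log(checkPin(LOCK_AFTER_ROOT_RESOLUTION, 'fast-xml-parser', '5.7.0'));
console.log(checkPin(LOCK_AFTER_NESTED_RESOLUTION, 'fast-xml-parser', '5.7.0'));
```

To run it against a real repository, replace the constructed fragments with `fs.readFileSync('yarn.lock', 'utf8')` after `yarn install`; a result with `singleCopy: false` is the same signal the PR got from `yarn why`, and a non-empty `unpatched` list means the resolution did not reach the vulnerable chain. The same function applies to the other root pins listed under "Resolutions removed" (tar, micromatch, qs, and so on) when the removal-and-reinstall sweep is repeated.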

qltysh Bot commented Apr 30, 2026

Qlty


Coverage Impact

⬆️ Merging this pull request will increase total coverage on main by 0.01%.


@PMerlet PMerlet closed this Apr 30, 2026