chore(deps): bump dompurify/js-yaml/hono override floors to patched versions#235
Open
theagenticguy wants to merge 1 commit into
OSV-Scanner went red on main (run 27601218693, 2026-06-16) because three pnpm-workspace.yaml override floors pinned packages to their now-vulnerable minimum:

- dompurify: <3.4.0 -> "3.4.0" bumped to <3.4.10 -> "3.4.10" (7 advisories incl. GHSA-76mc-f452-cxcm, mXSS; devDep of @opencodehub/docs)
- js-yaml: <4.1.1 -> "4.1.1" bumped to <4.2.0 -> "4.2.0" (GHSA-h67p-54hq-rp68, 5.3; runtime dep of cli + ingestion)
- hono: <4.12.21 -> "4.12.21" bumped to <4.12.25 -> "4.12.25" (5 advisories incl. GHSA-88fw-hqm2-52qc 7.1 HIGH; published after the CI run, caught by local OSV 2.3.5; runtime dep of cli + mcp)

Dependabot showed 0 open alerts (all 51 fixed) — these were masked by the exact-version override floors, so OSV caught what Dependabot's pins hid.

Verified: pnpm install --lockfile-only, osv-scanner scan --lockfile clean (exit 0), pnpm install --frozen-lockfile passes.
Why

OSV-Scanner went red on main (run 27601218693, 2026-06-16 07:23 UTC). Three pnpm-workspace.yaml override floors pinned packages to their now-vulnerable minimum, so the resolved versions carried open advisories.

Dependabot showed 0 open alerts (all 51 fixed) — the exact-version override floors masked these from Dependabot, so OSV caught what Dependabot's pins hid.

Changes (pnpm-workspace.yaml overrides)

| Package | Before | After | Used by |
|---|---|---|---|
| dompurify | 3.4.0 | 3.4.10 | @opencodehub/docs |
| js-yaml | 4.1.1 | 4.2.0 | cli + ingestion |
| hono | 4.12.21 | 4.12.25 | cli + mcp |

The hono advisories were published after the failing CI run; local osv-scanner 2.3.5 surfaced them, so I folded them into the same bump to keep the next scan green.

Verification

- pnpm install --lockfile-only → resolves dompurify@3.4.10, js-yaml@4.2.0, hono@4.12.25
- osv-scanner scan --lockfile=pnpm-lock.yaml → No issues found (exit 0)
- pnpm install --frozen-lockfile → passes (no lockfile drift)

🤖 Nightly maintenance auto-fix
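The failure mode this PR describes, an exact-version override floor that keeps forcing a release below the patched version into the lockfile while Dependabot reports nothing, is easy to catch before the scanner does. The following is an added example, not code from this PR or from the project: a dependency-free Node.js script that parses the `overrides:` mapping of a pnpm-workspace.yaml, compares each pinned version against a table of patched versions, and rewrites stale floors the way this PR did (`<3.4.0 -> "3.4.0"` becomes `<3.4.10 -> "3.4.10"`). It assumes pnpm's `"<pkg>@<range>": "<version>"` override key syntax and the `<x` floor form used here; the workspace file and the `example-lib` entry are constructed, while the three patched versions are the ones this PR bumps to.

```javascript
// Added example (not part of this PR or the project): check pnpm override
// floors in pnpm-workspace.yaml against patched versions and rewrite stale
// ones. Assumes pnpm's `"<pkg>@<range>": "<version>"` override syntax.
// The workspace file below is constructed, not the project's own.
const WORKSPACE_YAML = `packages:
  - "packages/*"
overrides:
  "dompurify@<3.4.0": "3.4.0"
  "js-yaml@<4.1.1": "4.1.1"
  "hono@<4.12.21": "4.12.21"
  "example-lib@<2.0.0": "2.0.0"
`;

// Patched version per package. dompurify/js-yaml/hono are the versions this PR
// bumps to; example-lib is a constructed package already sitting on its fix.
const PATCHED_FLOORS = {
  dompurify: "3.4.10",
  "js-yaml": "4.2.0",
  hono: "4.12.25",
  "example-lib": "2.0.0",
};

const unquote = (s) => s.replace(/^["']|["']$/g, "");

// Minimal parse of the top-level `overrides:` mapping: one `key: value` line
// per entry, which is the only shape pnpm writes for overrides, so no YAML
// library is needed. Returns { key, value, lineNo } per entry.
function parseOverrides(yamlText) {
  const entries = [];
  const lines = yamlText.split("\n");
  let inOverrides = false;
  for (let i = 0; i < lines.length; i++) {
    const line = lines[i];
    if (/^overrides:\s*$/.test(line)) { inOverrides = true; continue; }
    if (!inOverrides || line.trim() === "" || line.trim().startsWith("#")) continue;
    if (!/^\s/.test(line)) { inOverrides = false; continue; } // back at top level
    const m = line.match(/^\s+(.+?):\s+(.+?)\s*$/);
    if (m) entries.push({ key: unquote(m[1]), value: unquote(m[2]), lineNo: i });
  }
  return entries;
}

// Split "pkg@range" on the last "@" so scoped names like "@scope/pkg@<1.0.0"
// keep their scope. A key with no range overrides every version of pkg.
function splitOverrideKey(key) {
  const at = key.lastIndexOf("@");
  return at <= 0 ? { pkg: key, range: null } : { pkg: key.slice(0, at), range: key.slice(at + 1) };
}

// Numeric major.minor.patch comparison (so 3.4.10 > 3.4.9, unlike a string
// compare); prerelease tags are ignored, which is enough for release floors.
function compareSemver(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// A floor is stale when the version it pins to is below the patched version:
// the override then keeps a vulnerable release in the lockfile, which is the
// gap between Dependabot's "0 open alerts" and the red OSV scan in this PR.
function findStaleFloors(yamlText, patched) {
  const stale = [];
  for (const { key, value, lineNo } of parseOverrides(yamlText)) {
    const { pkg } = splitOverrideKey(key);
    const fixed = patched[pkg];
    if (fixed && compareSemver(value, fixed) < 0) {
      stale.push({ pkg, pinned: value, patched: fixed, lineNo });
    }
  }
  return stale;
}

// Rewrite each stale line to a "<fixed" floor pinned to the fixed version,
// preserving indentation and leaving every other line of the file untouched.
function bumpOverrides(yamlText, patched) {
  const lines = yamlText.split("\n");
  for (const s of findStaleFloors(yamlText, patched)) {
    const indent = lines[s.lineNo].match(/^\s*/)[0];
    lines[s.lineNo] = `${indent}"${s.pkg}@<${s.patched}": "${s.patched}"`;
  }
  return lines.join("\n");
}

// Stand-alone run: report stale floors, then print the rewritten mapping.
for (const s of findStaleFloors(WORKSPACE_YAML, PATCHED_FLOORS)) {
  console.log(`STALE ${s.pkg}: pinned ${s.pinned} < patched ${s.patched}`);
}
console.log(bumpOverrides(WORKSPACE_YAML, PATCHED_FLOORS));
```

Running it against the constructed file reports dompurify, js-yaml and hono as stale and leaves example-lib alone; after `bumpOverrides` a second pass finds nothing, which mirrors the `osv-scanner scan --lockfile=pnpm-lock.yaml` exit 0 in the verification list above. Wiring the check into CI next to OSV-Scanner, with the patched table refreshed from the advisories that scanner reports, keeps override floors from silently re-pinning a fixed package to its old minimum.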