From 3269669aadf97776345297cc5c1bef122b57fb9d Mon Sep 17 00:00:00 2001
From: Laith Al-Saadoon
Date: Wed, 17 Jun 2026 03:07:45 +0000
Subject: [PATCH] chore(deps): bump dompurify, js-yaml, hono override floors to patched versions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

OSV-Scanner went red on main (run 27601218693, 2026-06-16) because three pnpm-workspace.yaml override floors pinned packages to their now-vulnerable minimum:

- dompurify: <3.4.0 -> "3.4.0" bumped to <3.4.10 -> "3.4.10" (7 advisories incl. GHSA-76mc-f452-cxcm, mXSS; devDep of @opencodehub/docs)
- js-yaml: <4.1.1 -> "4.1.1" bumped to <4.2.0 -> "4.2.0" (GHSA-h67p-54hq-rp68, 5.3; runtime dep of cli + ingestion)
- hono: <4.12.21 -> "4.12.21" bumped to <4.12.25 -> "4.12.25" (5 advisories incl. GHSA-88fw-hqm2-52qc 7.1 HIGH; published after the CI run, caught by local OSV 2.3.5; runtime dep of cli + mcp)

Dependabot showed 0 open alerts (all 51 fixed) — these were masked by the exact-version override floors, so OSV caught what Dependabot's pins hid.

Verified: pnpm install --lockfile-only, osv-scanner scan --lockfile clean (exit 0), pnpm install --frozen-lockfile passes.
---
 pnpm-lock.yaml | 48 +++++++++++++++++++--------------------
 pnpm-workspace.yaml | 6 +++---
 2 files changed, 23 insertions(+), 31 deletions(-)

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 9efdf07..57e8f04 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -6,7 +6,7 @@ settings:
 
 overrides:
   fast-xml-parser@<5.7.0: 5.7.1
-  js-yaml@<4.1.1: 4.1.1
+  js-yaml@<4.2.0: 4.2.0
   uuid@<14.0.0: 14.0.0
   ajv@<8.18.0: 8.18.0
   brace-expansion@<1.1.13: 1.1.13
@@ -17,8 +17,8 @@ overrides:
   picomatch@<2.3.2: 2.3.2
   qs@<6.15.2: 6.15.2
   tmp@<0.2.6: 0.2.6
-  dompurify@<3.4.0: 3.4.0
-  hono@<4.12.21: 4.12.21
+  dompurify@<3.4.10: 3.4.10
+  hono@<4.12.25: 4.12.25
   ip-address@<10.1.1: 10.1.1
   fast-uri@<3.1.2: 3.1.2
   fast-xml-builder@<1.1.7: 1.1.7
@@ -1268,7 +1268,7 @@ packages: resolution: {integrity: sha512-GwtvgtXxnWsucXvbQXkRgqksiH2Qed37H9xHZocE5sA3N8O8O8/8FA3uclQXxXVzc9XBZuEOMK7+r02FmSpHtw==} engines: {node: '>=18.14.1'} peerDependencies: - hono: 4.12.21 + hono: 4.12.25 '@huggingface/tokenizers@0.1.3': resolution: {integrity: sha512-8rF/RRT10u+kn7YuUbUg0OF30K8rjTc78aHpxT+qJ1uWSqxT1MHi8+9ltwYfkFYJzT/oS+qw3JVfHtNMGAdqyA==} @@ -3425,8 +3425,8 @@ packages: resolution: {integrity: sha512-cgwlv/1iFQiFnU96XXgROh8xTeetsnJiDsTc7TYCLFd9+/WNkIqPTxiM/8pSd8VIrhXGTf1Ny1q1hquVqDJB5w==} engines: {node: '>= 4'} - dompurify@3.4.0: - resolution: {integrity: sha512-nolgK9JcaUXMSmW+j1yaSvaEaoXYHwWyGJlkoCTghc97KgGDDSnpoU/PlEnw63Ah+TGKFOyY+X5LnxaWbCSfXg==} + dompurify@3.4.10: + resolution: {integrity: sha512-0xzNv0e7oYC6yyuOGZIABPM4qtg3QxLFniDNPP4ZP90wR8Yq3zgwpRbrNiT4N3IKqDbbYFEJLV+JWEs19aZ//w==} domutils@3.2.2: resolution: {integrity: sha512-6kZKyUajlDuqlHKVX1w7gyslj9MPIXzIFiz/rGu35uC1wMi+kMhQwGhl4lt9unC9Vb9INnY9Z3/ZA3+FhASLaw==} @@ -3936,8 +3936,8 @@ packages: resolution: {integrity: sha512-eSmmWE5bZTK2Nou4g0AI3zZ9rswp7GRKoKXS1BLUkvPviOqs4YTN1djQIqrXy9k5gEtdLPy86JjRwsNM9tnDcA==} engines: {node: '>=0.10.0'} - hono@4.12.21: - resolution: {integrity: sha512-uV63apnb0kyPtAUwoWgaGh9HyIFcv8lgmzPZSiTBQAFOFGIzka5EZ1dZocmGnn0XdX0+XTqJ6Tqv7selMuGLRQ==} + hono@4.12.25: + resolution: {integrity: sha512-2NFaIyNVgJmBs/ecmtGzlmluTFs5cHEWGTdu0t1HBwYzoGXOL5nUQBRMXsXWla5i4KkG//QMzVP88m1+I3fdAQ==} engines: {node: '>=16.9.0'} hosted-git-info@9.0.3: @@ -4158,10 +4158,6 @@ packages: js-tokens@4.0.0: resolution: {integrity: sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ==} - js-yaml@4.1.1: - resolution: {integrity: sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==} - hasBin: true - js-yaml@4.2.0: resolution: {integrity: sha512-ePWsvanv0DWuDRsW8dnt+R4jQ31SCRCQ7hhNcPXZPsoBZiemuZNYGf7adZdqX2D86j6rvKp3RpCxVTSb8WQlOw==} hasBin: true 
@@ -6150,7 +6146,7 @@ snapshots:
   '@apidevtools/json-schema-ref-parser@14.0.1':
     dependencies:
       '@types/json-schema': 7.0.15
-      js-yaml: 4.1.1
+      js-yaml: 4.2.0
 
   '@apidevtools/openapi-schemas@2.1.0': {}
 
@@ -6955,9 +6951,9 @@ snapshots:
 
   '@gar/promise-retry@1.0.3': {}
 
-  '@hono/node-server@1.19.14(hono@4.12.21)':
+  '@hono/node-server@1.19.14(hono@4.12.25)':
     dependencies:
-      hono: 4.12.21
+      hono: 4.12.25
 
   '@huggingface/tokenizers@0.1.3': {}
 
@@ -7272,7 +7268,7 @@ snapshots:
 
   '@modelcontextprotocol/sdk@1.29.0(zod@4.4.3)':
     dependencies:
-      '@hono/node-server': 1.19.14(hono@4.12.21)
+      '@hono/node-server': 1.19.14(hono@4.12.25)
       ajv: 8.18.0
       ajv-formats: 3.0.1(ajv@8.18.0)
       content-type: 1.0.5
@@ -7282,7 +7278,7 @@ snapshots:
       eventsource-parser: 3.0.8
       express: 5.2.1
       express-rate-limit: 8.5.2(express@5.2.1)
-      hono: 4.12.21
+      hono: 4.12.25
       jose: 6.2.3
       json-schema-typed: 8.0.2
       pkce-challenge: 5.0.1
@@ -8178,7 +8174,7 @@ snapshots:
 
   '@yarnpkg/parsers@3.0.3':
     dependencies:
-      js-yaml: 4.1.1
+      js-yaml: 4.2.0
       tslib: 2.8.1
 
   '@yarnpkg/shell@4.1.3(typanion@3.14.0)':
@@ -8816,7 +8812,7 @@ snapshots:
     dependencies:
       env-paths: 2.2.1
       import-fresh: 3.3.1
-      js-yaml: 4.1.1
+      js-yaml: 4.2.0
       parse-json: 5.2.0
     optionalDependencies:
       typescript: 6.0.3
@@ -8826,7 +8822,7 @@ snapshots:
     dependencies:
       env-paths: 2.2.1
       import-fresh: 3.3.1
-      js-yaml: 4.1.1
+      js-yaml: 4.2.0
       parse-json: 5.2.0
     optionalDependencies:
       typescript: 6.0.3
@@ -9160,7 +9156,7 @@ snapshots:
     dependencies:
       domelementtype: 2.3.0
 
-  dompurify@3.4.0:
+  dompurify@3.4.10:
     optionalDependencies:
       '@types/trusted-types': 2.0.7
 
@@ -9905,7 +9901,7 @@ snapshots:
     dependencies:
       parse-passwd: 1.0.0
 
-  hono@4.12.21: {}
+  hono@4.12.25: {}
 
   hosted-git-info@9.0.3:
     dependencies:
@@ -10089,10 +10085,6 @@ snapshots:
 
   js-tokens@4.0.0: {}
 
-  js-yaml@4.1.1:
-    dependencies:
-      argparse: 2.0.1
-
   js-yaml@4.2.0:
     dependencies:
       argparse: 2.0.1
@@ -10554,7 +10546,7 @@ snapshots:
       d3-sankey: 0.12.3
       dagre-d3-es: 7.0.14
       dayjs: 1.11.20
-      dompurify: 3.4.0
+      dompurify: 3.4.10
       es-toolkit: 1.47.0
       katex: 0.16.46
       khroma: 2.1.0
@@ -11904,7 +11896,7 @@ snapshots:
       debug: 4.4.3
       dependency-path: 9.2.8
       event-loop-spinner: 2.3.2
-      js-yaml: 4.1.1
+      js-yaml: 4.2.0
       lodash.clonedeep: 4.5.0
       lodash.flatmap: 4.5.0
       lodash.isempty: 4.4.0
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index aef4ba2..0a666e9 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -4,7 +4,7 @@ packages:
 # In pnpm v11, overrides must live here (not in package.json's pnpm.overrides).
 overrides:
   fast-xml-parser@<5.7.0: "5.7.1"
-  js-yaml@<4.1.1: "4.1.1"
+  js-yaml@<4.2.0: "4.2.0"
   uuid@<14.0.0: "14.0.0"
   ajv@<8.18.0: "8.18.0"
   brace-expansion@<1.1.13: "1.1.13"
@@ -15,8 +15,8 @@ overrides:
   picomatch@<2.3.2: "2.3.2"
   qs@<6.15.2: "6.15.2"
   tmp@<0.2.6: "0.2.6"
-  dompurify@<3.4.0: "3.4.0"
-  hono@<4.12.21: "4.12.21"
+  dompurify@<3.4.10: "3.4.10"
+  hono@<4.12.25: "4.12.25"
   ip-address@<10.1.1: "10.1.1"
   fast-uri@<3.1.2: "3.1.2"
   fast-xml-builder@<1.1.7: "1.1.7"
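Review bot: The raised floors in the pnpm-workspace.yaml `overrides:` block carry no record of why they exist, and the commit message itself reports that these exact-version override floors were not surfaced by Dependabot, so a later maintainer has no cue that `dompurify@<3.4.10: "3.4.10"` is a security floor to be re-raised on the next advisory rather than a compatibility pin. A comment next to the existing pnpm v11 note would make that visible, e.g. `# Security floors: each entry lifts vulnerable ranges to the patched release. Overridden packages are not surfaced by Dependabot, so the OSV-Scanner job is what keeps these current; raise both the range and the value when a new advisory lands.` Recording the advisory ID from the commit message as a trailing comment per entry (for example `# GHSA-h67p-54hq-rp68` on the js-yaml line) would keep the reason for each floor greppable without a history search. The same applies to the second hunk of this file, where dompurify and hono are bumped.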