fix(deps): clear prod-audit advisories via catalog + in-range lockfile refresh #1404
Merged
Conversation
Clears the two direct-dependency security advisories using the catalog (the workspace version-policy mechanism), not pnpm.overrides:
- fast-jwt ^6.1.0 -> ^6.2.4 (critical: GHSA-mvf2-f6gm-w987, GHSA-rp9m-7r4c-75qg, GHSA-gmvf-9v4p-v8jc) for libs/auth
- fastify ^5.8.3 -> ^5.8.5 (high: GHSA-247c-9743-5963)

Also drops the redundant 'fastify: >=5.8.3' pnpm.override, which was pinning fastify below the patched version and defeating the catalog bump.

Remaining advisories are transitive-only (protobufjs, hono, ws, grpc-js, fast-uri, qs, tar, @opentelemetry/core, and transitive fast-jwt via @fastify/jwt) and are intentionally left for their parent packages to update upstream rather than force-pinned via overrides.

Verified: typecheck green for auth/mcp-server/rest-api; all 113 @moltnet/auth tests pass on fast-jwt 6.2.4.

MoltNet-Diary: 42bdb169-6042-40a7-a5f3-5b9c947ce20c
Task-Group: dep-audit-direct-bumps
Task-Family: infra
Task-Completes: true
Contributor
✅ CLI go.mod matches internal Go module releases
Contributor
Most remaining advisories were stale-lockfile, not blocked-by-parent: @modelcontextprotocol/sdk@1.29.0 (already latest) declares caret ranges that already permit the patched hono/fast-uri/qs/ip-address. A targeted in-range 'pnpm update -r' refreshed them without overrides or parent bumps:
- hono 4.12.10 -> 4.12.25, fast-uri 3.1.0 -> 3.1.2, qs 6.15.0 -> 6.15.2
- ws, protobufjs, @grpc/grpc-js, tar, brace-expansion, @opentelemetry/core
- @earendil-works/pi-coding-agent catalog ^0.74.0 -> ^0.79.4 (0.79.4, not latest 0.79.6, to respect minimumReleaseAge:1440)

Audit: 70 -> 27 (raw) / ~51 -> 21 (unique). Note pnpm audit double-counts per resolution path, inflating the headline ~12 over unique-GHSA.

Remaining residue blocks on 3 parents, deferred:
- @opentelemetry/exporter-trace-otlp-proto -> needs coordinated OTel suite bump (0.212->0.219, core 2.5->2.8); separate PR (version-locked suite)
- @getlarge/fastify-mcp fork -> transitive fast-jwt/uuid; fork must republish
- elliptic via get-jwks -> no upstream fix

Verified: typecheck + tests green for auth/mcp-server/observability/agent-daemon.

MoltNet-Diary: f9744157-ab03-4acc-931c-0ae5e5e19c52
Task-Group: dep-audit-direct-bumps
Task-Completes: true
Contributor
🚨 Dependency Audit — Vulnerabilities found
getlarge approved these changes (Jun 17, 2026)
Result: 70 → 27 prod advisories (raw) / ~51 → 21 unique

No `pnpm.overrides` added, no risky major bumps. Two complementary mechanisms:

1. Catalog bumps (direct deps we declare)

| Package | From | To | Used by |
| --- | --- | --- | --- |
| fast-jwt | ^6.1.0 | ^6.2.4 | libs/auth |
| fastify | ^5.8.3 | ^5.8.5 | |
| @earendil-works/pi-coding-agent | ^0.74.0 | ^0.79.4 | |

Also removed the stale `fastify: >=5.8.3` override — it was pinning fastify below the patched version.

2. In-range lockfile refresh (transitives the parent already allows)

The biggest realization (thanks @legreffier — er, the maintainer): most advisories were stale-lockfile, not blocked-by-parent.

`@modelcontextprotocol/sdk` is already on its latest `1.29.0`, and its caret ranges (hono ^4.11.4, etc.) already permit the patched versions. A targeted `pnpm update -r` refreshed them in-range:

- hono 4.12.10 → 4.12.25 (cleared the ~20-entry hono cluster)
- fast-uri 3.1.0 → 3.1.2, qs 6.15.0 → 6.15.2
- ws, protobufjs (partial), @grpc/grpc-js, tar, brace-expansion, @opentelemetry/core

Note on the audit count

`pnpm audit` double-counts — it reports per resolution path, not per advisory. The same `protobufjs@8.0.0` under multiple OTel sub-deps inflates the headline by ~12. Real unique-GHSA count is ~21 remaining, not 27.

Remaining residue — deferred, blocks on 3 parents only

| Parent | Transitive | Why deferred |
| --- | --- | --- |
| @opentelemetry/exporter-trace-otlp-proto | | @opentelemetry/* catalog set is version-locked, so it belongs in its own PR |
| @getlarge/fastify-mcp (fork) | fast-jwt 6.1.0/5.0.6 + uuid 8.3.2 | the fork must republish with bumped deps |
| get-jwks | elliptic | |
| @modelcontextprotocol/sdk | ip-address | |

Verification

- `nx typecheck` green: auth, mcp-server, rest-api, observability, agent-daemon
- `nx test` green: auth (113 tests), mcp-server, observability
- `continue-on-error: true` (non-blocking) — this is noise reduction + clearing the highest reachable severities

MoltNet-Diary: 42bdb169-6042-40a7-a5f3-5b9c947ce20c, f9744157-ab03-4acc-931c-0ae5e5e19c52
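The audit-count note above, as an added example that is not part of the PR or its repository: a small Node script that folds a `pnpm audit --json` report down to unique GHSA ids and splits them into direct vs transitive-only, which is the split that decides between a catalog bump and an in-range refresh. The JSON shape it parses (npm-v6 style) is an assumption, and the sample report is constructed.

```javascript
// Added example, not code from the PR or its repository: reproduce the "raw vs
// unique" audit arithmetic from the PR body. Assumes the npm-v6-style JSON that
// `pnpm audit --json` prints (advisories keyed by id, each with github_advisory_id,
// module_name, severity, findings[].paths with parents joined by ">"). The report is
// constructed; the fast-jwt/fastify GHSA ids are the PR's, the protobufjs id is a placeholder.
const SAMPLE_REPORT = {
  advisories: {
    "1": { github_advisory_id: "GHSA-mvf2-f6gm-w987", module_name: "fast-jwt", severity: "critical",
           findings: [{ version: "6.1.0", paths: ["fast-jwt", "@fastify/jwt>fast-jwt"] }] },
    "2": { github_advisory_id: "GHSA-247c-9743-5963", module_name: "fastify", severity: "high",
           findings: [{ version: "5.8.3", paths: ["fastify"] }] },
    "3": { github_advisory_id: "GHSA-PLACEHOLDER-protobufjs", module_name: "protobufjs", severity: "high",
           findings: [{ version: "8.0.0", paths: [
             "@opentelemetry/exporter-trace-otlp-proto>@opentelemetry/otlp-transformer>protobufjs",
             "@opentelemetry/exporter-metrics-otlp-proto>@opentelemetry/otlp-transformer>protobufjs",
             "@grpc/grpc-js>protobufjs" ] }] },
  },
};

// Fold per-path findings down to one record per GHSA id:
//   rawPaths       - what the headline counts, one entry per resolution path
//   unique         - distinct advisories, i.e. what actually has to be fixed
//   direct         - some path is a single segment: the workspace declares the package (catalog bump)
//   transitiveOnly - only reachable via a parent: in-range refresh if its range allows, else wait
function summarizeAudit(report) {
  const byGhsa = new Map();
  let rawPaths = 0;
  for (const adv of Object.values(report.advisories ?? {})) {
    const paths = (adv.findings ?? []).flatMap((f) => f.paths ?? []);
    rawPaths += paths.length;
    const key = adv.github_advisory_id ?? `npm-${adv.id}`;
    const rec = byGhsa.get(key) ?? { module: adv.module_name, severity: adv.severity, paths: new Set(), direct: false };
    for (const p of paths) {
      rec.paths.add(p);
      if (!p.includes(">")) rec.direct = true;
    }
    byGhsa.set(key, rec);
  }
  const records = [...byGhsa.values()];
  return {
    rawPaths,
    unique: records.length,
    direct: records.filter((r) => r.direct).map((r) => r.module).sort(),
    transitiveOnly: records.filter((r) => !r.direct).map((r) => r.module).sort(),
  };
}

const summary = summarizeAudit(SAMPLE_REPORT);
console.log(`raw (per path): ${summary.rawPaths}, unique GHSA: ${summary.unique}`, summary.direct, summary.transitiveOnly);
```

On the constructed report the per-path count is 6 while only 3 distinct advisories exist, the same inflation the PR body describes for protobufjs under the OTel sub-deps.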