Adds pnpm-workspace.yaml overrides to pin transitive dependencies to patched versions, eliminating all 36 npm audit findings (21 high, 10 moderate, 5 low).#3423
Open
rafaelfiguereod-stack wants to merge 21 commits into
Conversation
…t migration, web-core version mismatch - crates/git/src/cli.rs: fix swapped stdout/stderr labels in git error messages; (false, true) = only stdout → label as "--- stdout", and (true, false) = only stderr → label as "--- stderr" - crates/server/src/main.rs: use startup::initialize_deployment() instead of duplicating init logic; the standalone binary was missing the migrate_legacy_attachment_directories() call that startup.rs has, meaning attachment directory migration never ran for npx users - packages/web-core/package.json: bump version from 0.1.18 to 0.1.44 to match the rest of the monorepo
…nban-glDx7 fix: audit findings — git error labels, missing attachment migration, web-core version
…gery Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Potential fix for code scanning alert no. 29: Server-side request forgery
…dates Bumps the npm_and_yarn group with 3 updates in the / directory: [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite), [lodash](https://github.com/lodash/lodash) and [postcss](https://github.com/postcss/postcss). Updates `vite` from 7.3.1 to 7.3.2 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/v7.3.2/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v7.3.2/packages/vite) Updates `lodash` from 4.17.21 to 4.18.1 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.21...4.18.1) Updates `postcss` from 8.5.6 to 8.5.10 - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md) - [Commits](postcss/postcss@8.5.6...8.5.10) Updates `picomatch` from 2.3.1 to 2.3.2 - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](micromatch/picomatch@2.3.1...2.3.2) Updates `rollup` from 4.44.0 to 4.60.3 - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md) - [Commits](rollup/rollup@v4.44.0...v4.60.3) --- updated-dependencies: - dependency-name: vite dependency-version: 7.3.2 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: lodash dependency-version: 4.18.1 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: postcss dependency-version: 8.5.10 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: picomatch dependency-version: 2.3.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: rollup dependency-version: 4.60.3 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>
…arn/npm_and_yarn-48561404ca chore(deps): bump the npm_and_yarn group across 1 directory with 5 updates
…dates Bumps the npm_and_yarn group with 1 update in the / directory: [mermaid](https://github.com/mermaid-js/mermaid). Updates `mermaid` from 11.13.0 to 11.15.0 - [Release notes](https://github.com/mermaid-js/mermaid/releases) - [Commits](https://github.com/mermaid-js/mermaid/compare/mermaid@11.13.0...mermaid@11.15.0) Updates `dompurify` from 3.3.3 to 3.4.2 - [Release notes](https://github.com/cure53/DOMPurify/releases) - [Commits](cure53/DOMPurify@3.3.3...3.4.2) Updates `uuid` from 11.1.0 to 13.0.0 - [Release notes](https://github.com/uuidjs/uuid/releases) - [Changelog](https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md) - [Commits](uuidjs/uuid@v11.1.0...v13.0.0) --- updated-dependencies: - dependency-name: mermaid dependency-version: 11.15.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: dompurify dependency-version: 3.4.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: uuid dependency-version: 13.0.0 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>
…arn/npm_and_yarn-a5a47657ce chore(deps): bump the npm_and_yarn group across 1 directory with 3 updates
Adds pnpm-workspace.yaml overrides to pin transitive dependencies to patched versions, eliminating all 36 npm audit findings (21 high, 10 moderate, 5 low). Packages pinned: - devalue >=5.8.1 (prototype pollution / DoS) - flatted >=3.4.2 (unbounded recursion DoS) - preact >=10.29.2 (JSON VNode injection) - fast-uri >=3.1.2 (path traversal + host confusion) - js-yaml >=4.1.1 (prototype pollution in merge) - yaml >=2.8.3 (stack overflow via deeply nested input) - glob >=10.5.0 (CLI command injection) - lodash-es >=4.18.0 (code injection + prototype pollution) - uuid >=13.0.1 (missing buffer bounds check) - diff@8 >=8.0.3 (DoS in @git-diff-view/file) - ajv@6 ^6.14.0 (ReDoS with $data option) - ajv@8 >=8.20.0 (ReDoS with $data option) - brace-expansion@1 >=1.1.13 / @2 >=2.0.3 (zero-step seq hang) - minimatch@3 >=3.1.4 / @8 >=8.0.6 / @9 >=9.0.9 (ReDoS) - eslint>minimatch >=9.0.9 (scoped ReDoS fix for eslint path) Also updates SECURITY.md from the auto-generated GitHub template (which referenced non-existent version numbers) to accurately describe the project's security policy and vulnerability reporting process. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…lities fix(deps): add pnpm overrides to resolve 36 npm vulnerabilities
Author
|
Packages pinned:
Also updates SECURITY.md from the auto-generated GitHub template Co-Authored-By: Claude Sonnet 4.6 noreply@anthropic.com |
Addresses two issues flagged by CodeRabbit and Codex in PR #5: 1. pnpm-workspace.yaml: tighten `glob: ">=10.5.0"` (unscoped) to `"glob@10": ">=10.5.0"` (version-scoped). The unscoped override forced rimraf@3 (which declares `glob: ^7.1.3`) and @sentry/bundler-plugin-core (which declares `glob: ^9.3.2`) to resolve glob@13.0.6 -- an incompatible major for rimraf@3's legacy callback API. With the scoped override, each package resolves its naturally compatible glob version; only sucrase (glob: ^10.3.10, the actually vulnerable range) is constrained to >=10.5.0. 2. SECURITY.md: update advisory URL from rafaelfiguereod-stack/vibe-kanban (personal fork) to BloopAI/vibe-kanban (upstream project). Security reporters should file advisories against the maintained upstream, not a development fork. Validation: pnpm audit → 0 vulnerabilities; tsc --noEmit clean across local-web, remote-web, web-core, ui. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…-overrides-followup fix(deps): scope glob override to v10 and fix SECURITY advisory URL
rafaelfiguereod-stack
left a comment
rafaelfiguereod-stack
left a comment
Author
There was a problem hiding this comment.
Approving with minor notes.
Verified that the startup logic removed from main.rs (asset directory creation, db.sqlite → db.v2.sqlite migration, and logging) is faithfully preserved in initialize_deployment() in startup.rs — no regression there. The refactor is clean.
A few observations:
github_app.rs — SSRF fix: The installation_id <= 0 guard addresses the code scanning alert, but worth confirming the type of installation_id. If it's already an unsigned integer (u64/u32), the <= 0 check is either a no-op or a compile warning. If it's i64, the check is meaningful. Either way it's not harmful, just worth clarifying.
cli.rs — stderr/stdout fix: Correct. The labels were clearly swapped.
pnpm-workspace.yaml overrides: The approach is right for a pnpm monorepo. All 21 pinned ranges look reasonable and match the listed CVEs/advisories.
Scope: This PR combines four separate concerns (bug fix, security fix, refactor, dep pinning). For a project of this size that's acceptable, but future PRs would be easier to review and bisect if kept more focused.
Overall the changes are sound. Main blocker is workflow approval from a maintainer so CI can run.
… docs - crates/utils/src/shell.rs: wrap unsafe set_var in a static Mutex (PATH_MUTATION_LOCK) so concurrent calls to refresh_path cannot race on the process environment; add SAFETY comment explaining residual risk - crates/utils/src/jwt.rs: add comment at import site clarifying that insecure_decode is intentionally used only for metadata extraction, never for authentication decisions - crates/executors/src/actions/script.rs: document trust boundary for script content passed to shell -c (authenticated user sessions only, isolated workspace directories) - crates/executors/src/stdout_dup.rs: add SAFETY comments to all four unsafe blocks explaining that raw fds/handles are valid and exclusively owned (transferred via into_raw_fd/into_raw_handle from os_pipe) https://claude.ai/code/session_01YZT4mfTZyLxUYaAcPGDCuC
Add pnpm override pinning shell-quote to >=1.8.4. The vulnerable 1.8.3 reached the tree transitively via concurrently (dev tooling). quote() failed to validate object-token .op inputs against the operator model, allowing a literal newline to pass through unescaped and execute a second shell command. pnpm audit now reports no known vulnerabilities. https://claude.ai/code/session_01YZT4mfTZyLxUYaAcPGDCuC
Update the exact pins aws-lc-sys 0.37.0 -> 0.41.0 and aws-lc-rs 1.16.0 -> 1.17.0 to clear: - RUSTSEC-2026-0047 PKCS7_verify signature validation bypass (7.5 high) - RUSTSEC-2026-0046 PKCS7_verify certificate chain validation bypass (7.5 high) - RUSTSEC-2026-0048 CRL distribution point scope check logic error (7.4 high) - RUSTSEC-2026-0044 X.509 name constraints bypass via wildcard/unicode CN - RUSTSEC-2026-0045 timing side-channel in AES-CCM tag verification (5.9 medium) aws-lc backs the rustls aws_lc_rs crypto provider used for all TLS in the server. aws-lc-rs 1.17.0 is semver-compatible with rustls 0.23; cargo build -p server compiles cleanly (aws-lc-sys 0.41 C sources build). https://claude.ai/code/session_01YZT4mfTZyLxUYaAcPGDCuC
In-range patch bump clearing: - RUSTSEC-2026-0104 reachable panic in certificate revocation list parsing - RUSTSEC-2026-0099 name constraints accepted for wildcard certificates - RUSTSEC-2026-0098 name constraints for URI names incorrectly accepted rustls-webpki backs certificate-path validation for all server TLS. cargo check -p server passes. https://claude.ai/code/session_01YZT4mfTZyLxUYaAcPGDCuC
Clears the unbounded-allocation DoS advisories in russh and
russh-cryptovec (both fixed in >=0.60.3). Port the embedded SSH server
to the russh 0.61 API:
- Drop the separate russh-keys crate (merged into russh::keys); use
russh::keys::{PrivateKey, PublicKey}.
- Pin ssh-key to =0.7.0-rc.10 to match russh so KeypairData types unify.
- Build MethodSet via MethodSet::from(&[MethodKind::PublicKey]) (the
MethodSet::PUBLICKEY const was removed).
- Add the new Auth::Reject { partial_success } field.
- Switch the Handler impl from #[async_trait] to native async fn (russh
0.61 uses RPITIT by default); drop the async-trait dependency.
- Handle::data/extended_data now take impl Into<bytes::Bytes>; pass
Vec<u8> directly instead of CryptoVec.
- Bump russh-sftp 2.0 -> 2.3; its Handler::Error bound changed to
Into<StatusReply>, so convert SftpError -> StatusReply.
cargo build -p server and cargo clippy -p embedded-ssh -p local-deployment
both pass; cargo audit no longer reports russh.
https://claude.ai/code/session_01YZT4mfTZyLxUYaAcPGDCuC
…nban-glDx7 fix: security audit remediation — code hardening + dependency CVE patches
End-to-end integration tests exercising the runtime paths affected by the russh 0.48 -> 0.61 upgrade, which compile-time checks alone can't cover: - exec_channel_roundtrips_stdout: Ed25519 host-key construction, public-key auth (Auth::Accept), and stdout streaming over the stdio exec channel. - rejects_unauthorized_public_key: auth_publickey returns Auth::Reject when no relay signing session matches the client key. - sftp_subsystem_round_trips_a_file: SFTP open/write/read round-trip (the VS Code Remote path), exercising SftpError -> StatusReply. Tests run a real russh 0.61 client against the embedded server over a loopback TCP socket. https://claude.ai/code/session_01YZT4mfTZyLxUYaAcPGDCuC
…nban-glDx7 test: add russh 0.61 SSH/SFTP smoke tests for embedded-ssh
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.