fix(mcp-server): remediate npm audit fast-uri high (#596) #602

Open

bmdhodl wants to merge 1 commit into main from fix/mcp-server-npm-audit-596

Conversation

bmdhodl (Owner) commented Jun 15, 2026

Fixes #596

Summary

Resolves the security finding in mcp-server/ tracked by #596. Result: npm audit now reports 0 vulnerabilities (0 high, 0 moderate).

What the audit actually showed

On current main, the fast-uri HIGH is already cleared — the lockfile resolves fast-uri to 3.1.2, which is past the advisory range, so it is no longer flagged. The only remaining findings were 3 moderate hono advisories reached transitively through @modelcontextprotocol/sdk → @hono/node-server → hono (resolved 4.12.18). npm reported these as "No fix available" because it will not auto-bump a transitively-pinned dependency.

Fix

Added an overrides entry pinning hono to ^4.12.23 (resolves to 4.12.25). All four hono GHSAs (GHSA-xrhx-7g5j-rcj5, GHSA-3hrh-pfw6-9m5x, GHSA-f577-qrjj-4474, GHSA-2gcr-mfcq-wcc3) have a vulnerable range of <4.12.21, so this clears every one. This matches the target of dependabot #570 (hono 4.12.23) but goes through an override since the SDK is the pinning parent — the bump-alone in #570 would not flow through to the SDK's transitive hono. This supersedes dependabot #570.

Before

3 moderate severity vulnerabilities
(hono x4 advisories via @modelcontextprotocol/sdk; fast-uri NOT flagged — already 3.1.2)

After

found 0 vulnerabilities

Files changed

  • mcp-server/package.json (added overrides)
  • mcp-server/package-lock.json (hono 4.12.18 → 4.12.25)

npm run build (tsc) passes. No source changes.

CI is billing-dark org-wide (Request 2026-06-14-2205); checks will not run until Actions billing is restored. Needs 1 human review to merge.

fast-uri was already patched (3.1.2) on main, so npm audit reports 0 high.
This change also clears the 3 remaining hono moderates by adding an
overrides entry pinning hono to ^4.12.23 (resolves to 4.12.25), which is
past the <4.12.21 advisory range for all four hono GHSAs. npm audit now
reports 0 vulnerabilities.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
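The check a reviewer would want for a change like this is not the `npm audit` summary line but proof that no copy of the package is left inside the advisory range, including a nested copy kept under the parent that pinned it (the case npm reports as "No fix available", and the reason a top-level bump alone does not fix it). The following is an added example, not code from this PR or the project: it walks a `lockfileVersion` 3 `package-lock.json` and lists every installed copy of a package, flagging the ones below the advisory's fixed version. The three lockfile objects are constructed samples shaped like the situation described above; only the hono versions and the 4.12.21 cut-off come from the PR, and the SDK and node-server versions are placeholders.

```javascript
// Added example (not the PR's or the project's code): audit every installed
// copy of a package in a lockfileVersion 3 package-lock.json.

// "major.minor.patch" -> [major, minor, patch]; a prerelease tag is dropped,
// which is fine for the release-only versions an npm lockfile resolves to.
function parseVersion(v) {
  const parts = v.split("-")[0].split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unsupported version string: ${v}`);
  }
  return parts;
}

// Numeric comparison, so 4.9.0 < 4.12.21 (a string compare would get it wrong).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Every installed copy of `name`. Lockfile v3 keys are install paths:
// "node_modules/hono" is the hoisted copy, while
// "node_modules/@modelcontextprotocol/sdk/node_modules/hono" is a nested copy
// a parent keeps because its own range does not admit the hoisted version.
// Nested copies are exactly what a top-level bump never touches and what an
// "overrides" entry rewrites.
function installedCopies(lock, name) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Copies whose version is below `fixedIn`, i.e. inside the range "< fixedIn".
function vulnerableCopies(lock, name, fixedIn) {
  return installedCopies(lock, name).filter(
    (copy) => compareVersions(copy.version, fixedIn) < 0,
  );
}

const HONO_FIXED_IN = "4.12.21"; // upper bound of the four hono GHSA ranges

// Constructed "before": hono resolved once, at 4.12.18, via the SDK chain.
// The "1.0.0" SDK and node-server versions are placeholders.
const LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "mcp-server" },
    "node_modules/@modelcontextprotocol/sdk": { version: "1.0.0" },
    "node_modules/@hono/node-server": { version: "1.0.0" },
    "node_modules/hono": { version: "4.12.18" },
  },
};

// Constructed "bump only": hono@4.12.25 was added at the top level, but the
// SDK's pinned range kept its own nested 4.12.18, so the finding survives.
const LOCK_BUMP_ONLY = {
  lockfileVersion: 3,
  packages: {
    "": { name: "mcp-server" },
    "node_modules/@modelcontextprotocol/sdk": { version: "1.0.0" },
    "node_modules/@modelcontextprotocol/sdk/node_modules/hono": { version: "4.12.18" },
    "node_modules/@hono/node-server": { version: "1.0.0" },
    "node_modules/hono": { version: "4.12.25" },
  },
};

// Constructed "after": with "overrides": { "hono": "^4.12.23" } in
// package.json there is a single copy again, resolved to 4.12.25.
const LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    "": { name: "mcp-server" },
    "node_modules/@modelcontextprotocol/sdk": { version: "1.0.0" },
    "node_modules/@hono/node-server": { version: "1.0.0" },
    "node_modules/hono": { version: "4.12.25" },
  },
};

for (const [label, lock] of [["before", LOCK_BEFORE], ["bump-only", LOCK_BUMP_ONLY], ["after", LOCK_AFTER]]) {
  console.log(label, vulnerableCopies(lock, "hono", HONO_FIXED_IN));
}
```

On a real checkout, `npm ls hono` prints the same tree of copies that `installedCopies` derives from the lockfile, and the "bump-only" sample is what that tree looks like when a direct dependency is bumped while a pinning parent keeps its nested copy. When the override should not affect other consumers of the package, npm's `overrides` also accepts the nested form `"overrides": { "@modelcontextprotocol/sdk": { "hono": "^4.12.23" } }`, which applies only beneath that parent.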
bmdhodl (Owner, Author) commented Jun 20, 2026

@bmdhodl this PR has been open 3+ days; review or close

Labels

aging PR open more than 3 days

Development

Successfully merging this pull request may close these issues.

security: mcp-server npm audit — fast-uri (high), hono + qs (moderate)