Skip to content

feat(hero-13394): new resolutions#67

Merged
hero-daria merged 2 commits into
mainfrom
feature/hero-13394-cves
Jun 22, 2026
Merged

feat(hero-13394): new resolutions#67
hero-daria merged 2 commits into
mainfrom
feature/hero-13394-cves

Conversation

@hero-daria

Copy link
Copy Markdown
Contributor

No description provided.

@hero-daria
hero-daria requested a review from a team as a code owner June 22, 2026 00:31
@greptile-apps

greptile-apps Bot commented Jun 22, 2026

Copy link
Copy Markdown

Greptile Summary

This PR updates the resolutions block in package.json to pin several transitive dependencies to newer, patched versions as part of HERO-13394. The changes address known vulnerabilities across packages like qs, uuid, tmp, markdown-it, path-to-regexp, on-headers, and others, with corresponding yarn.lock updates.

  • New security resolutions added: js-yaml@3.14.2, on-headers@1.1.0, qs@6.15.2, tmp@0.2.7, and uuid@11.1.1 are pinned for the first time; markdown-it is bumped from 12.3.2 to 14.2.0 and path-to-regexp from 0.1.12 to 0.1.13.
  • Several upgrades span multiple major versions: tmp (0.0.x → 0.2.7), markdown-it (8/12 → 14), and uuid (8 → 11) each cross major version boundaries that carry documented breaking API changes, and their transitive consumers have not been updated to match.

Linked Tickets

  • HERO-13394: Pin transitive dependency resolutions to patched/newer versions to address known vulnerabilities

Confidence Score: 3/5

Three resolution upgrades cross major version boundaries without verification that transitive consumers are compatible, which could cause silent or loud runtime failures in the build/test toolchain.

The tmp consolidation forces packages that explicitly required 0.0.28 to run against 0.2.7, where path handling semantics changed. The markdown-it bump takes markdown-it-terminal from v8 to v14 with no changes to that package. The uuid jump from v8 to v11 removes deep-import paths that some packages may still use.

package.json — specifically the tmp, markdown-it, and uuid resolution entries warrant verification against their transitive consumers before merging.

Important Files Changed

Filename Overview
package.json Resolutions block updated with new version pins; several changes span multiple major versions (tmp 0.0.x→0.2.7, markdown-it 8/12→14, uuid 8→11) that may break transitive deps at runtime.
yarn.lock Lock file updated to reflect resolution overrides; correctly consolidates tmp versions, upgrades side-channel and its sub-packages, and updates markdown-it's transitive tree. Consistency with package.json resolutions looks correct.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[package.json resolutions] --> B[tmp 0.0.x to 0.2.7]
    A --> C[markdown-it 12.3.2 to 14.2.0]
    A --> D[uuid v8 to v11.1.1]
    A --> E[qs 6.13.0 to 6.15.2]
    A --> F[path-to-regexp 0.1.12 to 0.1.13]
    A --> G[js-yaml 3.14.1 to 3.14.2]
    A --> H[on-headers 1.0.2 to 1.1.0]
    B --> B1{Breaking API in 0.2.x}
    B1 -->|dir option must be relative| B2[Runtime risk for absolute-path callers]
    C --> C1{markdown-it-terminal requires v8}
    C1 -->|Forced to v14 - 6 major versions| C2[API incompatibility risk]
    D --> D1{Transitive dep needs v8}
    D1 -->|Deep imports removed in v9| D2[Possible runtime error]
    E --> E2[Security patch - safe]
    F --> F2[Security patch - safe]
    G --> G2[Security patch - safe]
    H --> H2[Minor bump - safe]
Loading
%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
flowchart TD
    A[package.json resolutions] --> B[tmp 0.0.x to 0.2.7]
    A --> C[markdown-it 12.3.2 to 14.2.0]
    A --> D[uuid v8 to v11.1.1]
    A --> E[qs 6.13.0 to 6.15.2]
    A --> F[path-to-regexp 0.1.12 to 0.1.13]
    A --> G[js-yaml 3.14.1 to 3.14.2]
    A --> H[on-headers 1.0.2 to 1.1.0]
    B --> B1{Breaking API in 0.2.x}
    B1 -->|dir option must be relative| B2[Runtime risk for absolute-path callers]
    C --> C1{markdown-it-terminal requires v8}
    C1 -->|Forced to v14 - 6 major versions| C2[API incompatibility risk]
    D --> D1{Transitive dep needs v8}
    D1 -->|Deep imports removed in v9| D2[Possible runtime error]
    E --> E2[Security patch - safe]
    F --> F2[Security patch - safe]
    G --> G2[Security patch - safe]
    H --> H2[Minor bump - safe]
Loading

Fix All in Claude Code

Prompt To Fix All With AI
Fix the following 4 code review issues. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 4
package.json:90
**`tmp` resolution collapses incompatible major versions**

The resolution forces `tmp@0.2.7` for all requests including exact pins `tmp@0.0.28` and `tmp@0.0.33` that appear in the lock file. The `tmp` 0.2.x line has documented breaking changes: `template`, `name`, and `dir` options must now be relative to `tmpdir` (absolute paths no longer accepted). Any transitive package that was calling `tmp.file({ dir: '/absolute/path' })` or similar will silently produce unexpected results or throw at runtime, because those packages were specifically pinned to 0.0.x and have not been updated for the 0.2.x API contract. The `tmp` README explicitly calls these out as "Previously Undocumented Breaking Changes" that were only partially reverted.

### Issue 2 of 4
package.json:83
**`markdown-it` resolution spans six major versions for `markdown-it-terminal`**

The lock file shows `markdown-it-terminal@0.2.1` depends on `markdown-it "^8.3.1"`. This resolution forces it to `14.2.0` — six major versions ahead. Between v8 and v14 the dependency graph changed substantially: `entities`, `mdurl`, `linkify-it`, and `uc.micro` were all replaced with newer incompatible versions, and `punycode.js` was added. Any internal API `markdown-it-terminal` relies on from the v8 surface (e.g. `md.core`, `md.renderer`, or plugin registration signatures) that changed in those releases will throw at runtime when the addon renders terminal output.

### Issue 3 of 4
package.json:91
**`uuid` resolution jumps three major versions**

The lock file resolves a transitive `uuid@^8.3.2` dependency, now forced to `11.1.1`. While uuid v11 still ships a CommonJS build (the CJS drop happens at v12), there were breaking changes between v8 and v9 (removal of deep-require paths like `uuid/v4`) and further changes in v10. Any transitive package that uses `require('uuid/v4')` or similar deep-import patterns will break at runtime. Verifying that no dependency in the tree does this is worth confirming before merging.

### Issue 4 of 4
package.json:82
**`lodash.template` alias changed from a range to an exact pin**

The previous resolution used `^4.17.21`, allowing patch and minor updates. The new pin `4.18.1` is exact and will not automatically receive future security patches. This is a minor hardening concern — consider whether this should remain a range like `^4.18.1` so that future lodash patch releases are picked up automatically.

Reviews (1): Last reviewed commit: "feat(hero-13394): new resolutions pt 2" | Re-trigger Greptile

Comment thread package.json
"path-to-regexp": "0.1.13",
"qs": "6.15.2",
"terser": "4.8.1",
"tmp": "0.2.7",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 tmp resolution collapses incompatible major versions

The resolution forces tmp@0.2.7 for all requests including exact pins tmp@0.0.28 and tmp@0.0.33 that appear in the lock file. The tmp 0.2.x line has documented breaking changes: template, name, and dir options must now be relative to tmpdir (absolute paths no longer accepted). Any transitive package that was calling tmp.file({ dir: '/absolute/path' }) or similar will silently produce unexpected results or throw at runtime, because those packages were specifically pinned to 0.0.x and have not been updated for the 0.2.x API contract. The tmp README explicitly calls these out as "Previously Undocumented Breaking Changes" that were only partially reverted.

Prompt To Fix With AI
This is a comment left during a code review.
Path: package.json
Line: 90

Comment:
**`tmp` resolution collapses incompatible major versions**

The resolution forces `tmp@0.2.7` for all requests including exact pins `tmp@0.0.28` and `tmp@0.0.33` that appear in the lock file. The `tmp` 0.2.x line has documented breaking changes: `template`, `name`, and `dir` options must now be relative to `tmpdir` (absolute paths no longer accepted). Any transitive package that was calling `tmp.file({ dir: '/absolute/path' })` or similar will silently produce unexpected results or throw at runtime, because those packages were specifically pinned to 0.0.x and have not been updated for the 0.2.x API contract. The `tmp` README explicitly calls these out as "Previously Undocumented Breaking Changes" that were only partially reverted.

How can I resolve this? If you propose a fix, please make it concise.

Fix in Claude Code

Comment thread package.json
"lodash.template": "npm:lodash@^4.17.21",
"markdown-it": "12.3.2",
"lodash.template": "npm:lodash@4.18.1",
"markdown-it": "14.2.0",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 markdown-it resolution spans six major versions for markdown-it-terminal

The lock file shows markdown-it-terminal@0.2.1 depends on markdown-it "^8.3.1". This resolution forces it to 14.2.0 — six major versions ahead. Between v8 and v14 the dependency graph changed substantially: entities, mdurl, linkify-it, and uc.micro were all replaced with newer incompatible versions, and punycode.js was added. Any internal API markdown-it-terminal relies on from the v8 surface (e.g. md.core, md.renderer, or plugin registration signatures) that changed in those releases will throw at runtime when the addon renders terminal output.

Prompt To Fix With AI
This is a comment left during a code review.
Path: package.json
Line: 83

Comment:
**`markdown-it` resolution spans six major versions for `markdown-it-terminal`**

The lock file shows `markdown-it-terminal@0.2.1` depends on `markdown-it "^8.3.1"`. This resolution forces it to `14.2.0` — six major versions ahead. Between v8 and v14 the dependency graph changed substantially: `entities`, `mdurl`, `linkify-it`, and `uc.micro` were all replaced with newer incompatible versions, and `punycode.js` was added. Any internal API `markdown-it-terminal` relies on from the v8 surface (e.g. `md.core`, `md.renderer`, or plugin registration signatures) that changed in those releases will throw at runtime when the addon renders terminal output.

How can I resolve this? If you propose a fix, please make it concise.

Fix in Claude Code

Comment thread package.json
"qs": "6.15.2",
"terser": "4.8.1",
"tmp": "0.2.7",
"uuid": "11.1.1"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 uuid resolution jumps three major versions

The lock file resolves a transitive uuid@^8.3.2 dependency, now forced to 11.1.1. While uuid v11 still ships a CommonJS build (the CJS drop happens at v12), there were breaking changes between v8 and v9 (removal of deep-require paths like uuid/v4) and further changes in v10. Any transitive package that uses require('uuid/v4') or similar deep-import patterns will break at runtime. Verifying that no dependency in the tree does this is worth confirming before merging.

Prompt To Fix With AI
This is a comment left during a code review.
Path: package.json
Line: 91

Comment:
**`uuid` resolution jumps three major versions**

The lock file resolves a transitive `uuid@^8.3.2` dependency, now forced to `11.1.1`. While uuid v11 still ships a CommonJS build (the CJS drop happens at v12), there were breaking changes between v8 and v9 (removal of deep-require paths like `uuid/v4`) and further changes in v10. Any transitive package that uses `require('uuid/v4')` or similar deep-import patterns will break at runtime. Verifying that no dependency in the tree does this is worth confirming before merging.

How can I resolve this? If you propose a fix, please make it concise.

Fix in Claude Code

Comment thread package.json
"json5": "1.0.2",
"lodash.template": "npm:lodash@^4.17.21",
"markdown-it": "12.3.2",
"lodash.template": "npm:lodash@4.18.1",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 lodash.template alias changed from a range to an exact pin

The previous resolution used ^4.17.21, allowing patch and minor updates. The new pin 4.18.1 is exact and will not automatically receive future security patches. This is a minor hardening concern — consider whether this should remain a range like ^4.18.1 so that future lodash patch releases are picked up automatically.

Prompt To Fix With AI
This is a comment left during a code review.
Path: package.json
Line: 82

Comment:
**`lodash.template` alias changed from a range to an exact pin**

The previous resolution used `^4.17.21`, allowing patch and minor updates. The new pin `4.18.1` is exact and will not automatically receive future security patches. This is a minor hardening concern — consider whether this should remain a range like `^4.18.1` so that future lodash patch releases are picked up automatically.

How can I resolve this? If you propose a fix, please make it concise.

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

Fix in Claude Code

@hero-daria
hero-daria merged commit e8602f5 into main Jun 22, 2026
2 checks passed
@hero-daria
hero-daria deleted the feature/hero-13394-cves branch June 22, 2026 02:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants