Skip to content

Commit ae945b1

Browse files
committed
fix(deps): resolve Dependabot alerts for transitive deps
Clears all 14 open Dependabot alerts. All four flagged packages are transitive deps pulled in via @modelcontextprotocol/sdk, fixed with patch/minor bumps: - fast-uri 3.1.0 -> 3.1.2 (high; via ajv) - hono 4.12.12 -> 4.12.25 (medium/low; via @hono/node-server) - qs 6.15.0 -> 6.15.2 (medium; via express/body-parser) - ip-address 10.1.0 -> 10.1.1 (medium; via express-rate-limit) fast-uri, hono and qs update cleanly via `npm update`. express-rate-limit pins ip-address to exactly 10.1.0, so an `overrides` entry forces the patched 10.1.1 (a patch release, API-compatible). `npm audit` now reports 0 vulnerabilities; build passes.
1 parent 6f2c3d9 commit ae945b1

2 files changed

Lines changed: 15 additions & 12 deletions

File tree

package-lock.json

Lines changed: 12 additions & 12 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

package.json

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -22,6 +22,9 @@
2222
"release": "npm run build && npm publish"
2323
},
2424
"license": "ISC",
25+
"overrides": {
26+
"ip-address": "10.1.1"
27+
},
2528
"dependencies": {
2629
"@modelcontextprotocol/sdk": "^1.29.0",
2730
"@vectorize-io/vectorize-client": "^0.1.3",

0 commit comments

Comments
 (0)