Conversation

@eshurakov (Contributor)

Summary

  • Bump direct dependencies to resolve transitive vulnerabilities: @qdrant/js-client-rest, @workos-inc/node, diff, vitest, wrangler, @cloudflare/vitest-pool-workers
  • Add 7 pnpm overrides for transitive dependencies where upstream packages haven't updated yet: glob, esbuild, lodash, diff, fast-xml-parser, vite, qs
  • Add glob@13.0.1, minimatch@10.1.2, @isaacs/brace-expansion@5.0.1 to minimumReleaseAgeExclude to fix the high-severity GHSA-7h2j-956f-4vf2

Audit results

Before: 19 vulnerabilities reported by GitHub (5 high, 7 moderate, 7 low)
After: 3 low-severity findings remaining, all from storybook's webpack and elliptic — unfixable until storybook updates its dependencies

Note

The fast-xml-parser override can be removed once @aws-sdk/client-s3@>=3.982.0 passes the 4-day minimumReleaseAge threshold (the fix shipped in @aws-sdk/xml-builder@3.972.4).

Reduce audit findings from multiple high/moderate/low to only 3 low-severity
storybook-related issues (elliptic, webpack) that are unfixable upstream.

Direct dependency bumps:
- @qdrant/js-client-rest ^1.16.0 -> ^1.16.2
- @workos-inc/node ^7.72.2 -> ^8.0.0
- diff ^8.0.2 -> ^8.0.3 (cloudflare-app-builder)
- vitest ^2.1.8 -> ^3.2.4, wrangler ^4.51.0/^4.61.0 -> ^4.61.1 (cloud-agent*)
- @cloudflare/vitest-pool-workers ^0.11.1 -> ^0.12.8 (cloud-agent-next)

Overrides added for transitive vulnerabilities where upstream hasn't updated:
- glob >=13.0.1, esbuild >=0.25.0, lodash >=4.17.23, diff >=8.0.3,
  fast-xml-parser >=5.3.4, vite >=6.4.1, qs >=6.14.1

Added glob@13.0.1 + minimatch@10.1.2 + @isaacs/brace-expansion@5.0.1
to minimumReleaseAgeExclude to fix GHSA-7h2j-956f-4vf2.
"@vercel/functions": "^3.3.3",
"@vercel/otel": "^2.1.0",
"@workos-inc/node": "^7.72.2",
"@workos-inc/node": "^8.0.0",
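Review bot: the major jump from ^7.72.2 to ^8.0.0 in this hunk is justified in the Summary only as a transitive-vulnerability fix; please name the advisory it resolves and state whether a patched 7.x release exists, since a patch-level bump would avoid a v8 migration and the API verification the other comment asks for.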

WARNING: Major version bump for @workos-inc/node (v7 → v8) may be breaking

This PR upgrades @workos-inc/node to a new major version. Please verify all WorkOS usages still match the v8 API (client initialization, method names/return shapes, and any webhook/auth helpers) and that runtime behavior is unchanged.

"storybook": "^9.1.17",
"next": "^15.5.10",
"preact": "10.28.3"
"preact": "10.28.3",

WARNING: pnpm.overrides uses open-ended >= ranges

Overrides like glob: '>=13.0.1' / vite: '>=6.4.1' can silently move to newer major versions the next time the lockfile is regenerated, which can introduce unexpected breakages. Consider pinning to the minimum fixed versions (or a bounded range) to keep installs reproducible.
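The bounded form suggested above, written out as an added illustration rather than the PR's own file. It assumes the pnpm 10 convention that `overrides`, `minimumReleaseAge` and `minimumReleaseAgeExclude` are read from pnpm-workspace.yaml (the PR keeps its overrides in package.json's `pnpm.overrides`, which takes the same version ranges); the package list and the 4-day threshold are taken from the page.

```yaml
# pnpm-workspace.yaml (constructed example; workspace members assumed from the PR's file list)
packages:
  - "cloud-agent"
  - "cloud-agent-next"
  - "cloudflare-app-builder"

# Open-ended form flagged in the review: any future major satisfies the range,
# so a lockfile regeneration can resolve to e.g. glob 14.x without anyone noticing.
#   glob: ">=13.0.1"
#   vite: ">=6.4.1"

# Bounded form: still admits every patched release inside the current major
# (so later security fixes are picked up), but cannot cross a major boundary.
overrides:
  glob: ">=13.0.1 <14"
  esbuild: ">=0.25.0 <0.26"
  lodash: ">=4.17.23 <5"
  diff: ">=8.0.3 <9"
  fast-xml-parser: ">=5.3.4 <6"
  vite: ">=6.4.1 <7"
  qs: ">=6.14.1 <7"

# 4 days expressed in minutes: versions published more recently are not resolved.
minimumReleaseAge: 5760

# Packages whose fix for GHSA-7h2j-956f-4vf2 is younger than the threshold and
# must be installed anyway; remove the entries once the releases are 4 days old.
minimumReleaseAgeExclude:
  - glob
  - minimatch
  - "@isaacs/brace-expansion"
```

After editing, `pnpm install --frozen-lockfile` in CI shows whether the bounded ranges still resolve to the versions recorded in pnpm-lock.yaml.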

@kiloconnect

kiloconnect bot commented Feb 5, 2026

Code Review Summary

Status: 2 Issues Found | Recommendation: Address before merge

Overview

Severity Count
CRITICAL 0
WARNING 2
SUGGESTION 0

Issue Details

WARNING

File Line Issue
package.json 91 Major version bump for @workos-inc/node (v7 → v8) may be breaking
package.json 183 pnpm.overrides uses open-ended >= ranges
Files Reviewed (5 files)
  • cloud-agent-next/package.json - 0 issues
  • cloud-agent/package.json - 0 issues
  • cloudflare-app-builder/package.json - 0 issues
  • package.json - 2 issues
  • pnpm-workspace.yaml - 0 issues
