
fix(security): update vulnerable dependencies (fixes #82)#83

Merged
bobmatnyc merged 2 commits into main from bugfix/issue-82-security-vulnerabilities on Jan 18, 2026

Conversation

@bobmatnyc
Owner

Summary

Addresses security vulnerabilities reported in dependencies via npm audit (Issue #82).

Changes

Removed (Unused)

  • langchain - Had 0 imports in the codebase, completely unused dead weight

Updated Direct Dependencies

| Package | Before | After | Advisory |
|---|---|---|---|
| @langchain/core | ^0.3.44 | ^0.3.80 | GHSA-r399-636x-v7f6 |
| @modelcontextprotocol/sdk | ^1.20.1 | ^1.25.2 | GHSA-8r9q-7v3j-jr4g |
| mem0ai | ^2.1.34 | ^2.2.1 | Latest |

Updated Transitive Dependencies (via overrides)

| Package | Before | After | Advisory |
|---|---|---|---|
| axios | ^1.12.0 | ^1.13.2 | GHSA-4hjh-wcwx-xvwj, GHSA-jr5f-v2jv-69x6 |
| undici | ^6.21.0 | ^6.23.0 | GHSA-cxrh-j4jr-qwg3, GHSA-g9mf-h72j-4rw9 |
| qs | (new) | ^6.14.1 | GHSA-6rw7-vpxm-498p |

Results

| Metric | Before | After |
|---|---|---|
| Critical vulnerabilities | 6 | 0 ✅ |
| High vulnerabilities | 3 | 1 (dev dep) |
| Low vulnerabilities | 1 | 1 (dev dep) |
| Total | 10 | 2 |

Remaining Vulnerabilities

The 2 remaining vulnerabilities are in development/build-time dependencies only:

  • tar ≤7.5.2 in mem0ai > sqlite3 build chain (high)
  • diff <8.0.3 in ts-node (low)

These pose minimal production risk.

Test plan

  • All 563 tests passing
  • Build successful
  • pnpm audit shows critical vulns reduced from 6 to 0

Closes #82

🤖 Generated with Claude Code
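A check that could run in CI against the override table above, added here as an example and not code from the PR or the ai-code-review project: it reads pnpm-style `pnpm.overrides` (or npm-style `overrides`) from package.json and reports any range whose lowest admitted version is below the version the advisory was fixed in, so a later package.json edit cannot quietly reopen a closed advisory. The patched versions are an assumption taken from the PR's "After" column; the package.json fragments are constructed.

```javascript
// Added example, not code from the PR or the ai-code-review project: verify that
// each override range in package.json starts at or above the version the related
// advisory was patched in. The patched versions are ASSUMED to equal the PR's
// "After" column; confirm them against the GHSA advisories before trusting this.

// Constructed package.json fragments mirroring the PR's override table.
const beforePackageJson = {
  pnpm: { overrides: { axios: "^1.12.0", undici: "^6.21.0" } },
};
const afterPackageJson = {
  pnpm: { overrides: { axios: "^1.13.2", undici: "^6.23.0", qs: "^6.14.1" } },
};

// Minimum patched version per package (assumption, see above).
const patchedVersions = { axios: "1.13.2", undici: "6.23.0", qs: "6.14.1" };

// Lowest version a simple range admits: "^1.2.3", "~1.2.3", ">=1.2.3" or "1.2.3".
// Returns [major, minor, patch], or null for ranges this helper does not model
// ("*", "latest", "||" unions), which the caller reports as unparsable.
function rangeFloor(range) {
  const m = /^(?:\^|~|>=)?(\d+)\.(\d+)\.(\d+)$/.exec(String(range).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Classifies every package that needs a patched floor as ok, tooLow, missing
// (no override present) or unparsable (range shape not handled above).
function checkOverrides(pkg, patched) {
  const overrides = (pkg.pnpm && pkg.pnpm.overrides) || pkg.overrides || {};
  const result = { ok: [], tooLow: [], missing: [], unparsable: [] };
  for (const [name, minVersion] of Object.entries(patched)) {
    if (!(name in overrides)) { result.missing.push(name); continue; }
    const floor = rangeFloor(overrides[name]);
    if (floor === null) { result.unparsable.push(name); continue; }
    const bucket = compareVersions(floor, rangeFloor(minVersion)) >= 0 ? "ok" : "tooLow";
    result[bucket].push(name);
  }
  return result;
}

console.log(checkOverrides(beforePackageJson, patchedVersions)); // tooLow: axios, undici; missing: qs
console.log(checkOverrides(afterPackageJson, patchedVersions));  // ok: axios, undici, qs
```

Only the `pnpm.overrides` field is checked; a direct dependency such as `@langchain/core` still needs the same comparison against the `dependencies` field.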

bobmatnyc and others added 2 commits January 17, 2026 21:46
## Summary
Addresses security vulnerabilities reported in dependencies via npm audit.

## Changes
- **REMOVED** `langchain` - completely unused (0 imports in codebase)
- **UPDATED** `@langchain/core`: ^0.3.44 → ^0.3.80 (GHSA-r399-636x-v7f6)
- **UPDATED** `@modelcontextprotocol/sdk`: ^1.20.1 → ^1.25.2 (GHSA-8r9q-7v3j-jr4g)
- **UPDATED** `mem0ai`: ^2.1.34 → ^2.2.1
- **UPDATED** overrides for transitive deps:
  - `axios`: ^1.12.0 → ^1.13.2 (GHSA-4hjh-wcwx-xvwj, GHSA-jr5f-v2jv-69x6)
  - `undici`: ^6.21.0 → ^6.23.0 (GHSA-cxrh-j4jr-qwg3, GHSA-g9mf-h72j-4rw9)
  - `qs`: added ^6.14.1 (GHSA-6rw7-vpxm-498p)

## Results
- Critical vulnerabilities: 6 → 0
- High vulnerabilities: 3 → 1 (dev dep only)
- All 563 tests passing
- Build successful

Closes #82

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Convert forEach callbacks that implicitly return values to for...of loops
to satisfy Biome's lint/suspicious/useIterableCallbackReturn rule.

Files fixed:
- src/analysis/semantic/ChunkGenerator.ts
- src/analysis/tokens/TokenTracker.ts
- src/utils/dependencies/reportFormatter.ts
- src/utils/review/consolidateReview.ts

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@bobmatnyc bobmatnyc merged commit 02584c5 into main Jan 18, 2026
5 checks passed
@bobmatnyc bobmatnyc deleted the bugfix/issue-82-security-vulnerabilities branch January 18, 2026 02:57

Development

Successfully merging this pull request may close these issues.

[Bug]: Security: ai-code-review depends on vulnerable versions of LangChain, axios, undici, qs and MCP SDK