From b438ff748917902a8669a1b96cb2a0295a8bec75 Mon Sep 17 00:00:00 2001
From: olivrg
Date: Fri, 19 Jun 2026 11:15:22 +0100
Subject: [PATCH 1/2] chore(security): patch hono CORS + undici TLS advisories
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Clears two high advisories that fail the `pnpm audit --audit-level=high` CI gate. Both are real upgrades, not audit ignores.

- hono 4.12.14 → 4.12.26 (direct dep, packages/proxy): GHSA-88fw-hqm2-52qc, CORS middleware reflects any Origin with credentials on the wildcard default (patched ≥4.12.25). Helio's sideband rejects Origin headers and does not use the permissive CORS default, but the gate flags the version regardless.

- undici override ≥7.28.0 (transitive, dashboard > jsdom > undici, dev/test only): GHSA-vmh5-mc38-953g, TLS cert-validation bypass in the SOCKS5 ProxyAgent (patched ≥7.28.0). A jsdom bump doesn't help — latest jsdom still declares `undici@^7.25.0` — so force the patched range via pnpm.overrides, matching the existing form-data override.

Total audit findings 24 → 8; remaining high is the pre-existing esbuild/vite ignore tracked by #64. Proxy suite 1575 green, build + typecheck clean.
---
 package.json | 3 ++-
 packages/proxy/package.json | 2 +-
 pnpm-lock.yaml | 31 ++++++++++++++++---------------
 3 files changed, 19 insertions(+), 17 deletions(-)

diff --git a/package.json b/package.json
index 19b69a4..ef82963 100644
--- a/package.json
+++ b/package.json
@@ -38,7 +38,8 @@
 ]
 },
 "overrides": {
- "form-data@>=4.0.0 <4.0.6": ">=4.0.6"
+ "form-data@>=4.0.0 <4.0.6": ">=4.0.6",
+ "undici@>=7.23.0 <7.28.0": ">=7.28.0"
 }
 }
 }
diff --git a/packages/proxy/package.json b/packages/proxy/package.json
index 0785ad5..5249855 100644
--- a/packages/proxy/package.json
+++ b/packages/proxy/package.json
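Review bot: The replacement value `">=7.28.0"` on the new `undici` override is open-ended, and this patch's own pnpm-lock.yaml hunk shows it resolving to undici@8.5.0 (engines node >=22.19.0) rather than a 7.28.x release — a major-version jump beneath jsdom, which declares `^7.25.0`, plus a higher Node floor for the dev environment. Pinning the replacement to the patched minor line, `"undici@>=7.23.0 <7.28.0": "^7.28.0"`, keeps the fix within the range the consumer was written against and avoids importing 8.x breaking changes along with the security fix. The selector's lower bound of 7.23.0 presumably mirrors the advisory's affected range; if earlier 7.x releases are also affected they would escape the override, so that bound is worth checking against the GHSA before relying on the audit gate.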
@@ -61,7 +61,7 @@ "better-sqlite3": "12.8.0", "chokidar": "5.0.0", "commander": "14.0.3", - "hono": "4.12.14", + "hono": "4.12.26", "js-yaml": "4.1.1", "picomatch": "4.0.4", "safe-regex2": "5.0.0", diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index f13e6b6..0395a33 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -6,6 +6,7 @@ settings: overrides: form-data@>=4.0.0 <4.0.6: '>=4.0.6' + undici@>=7.23.0 <7.28.0: '>=7.28.0' importers: @@ -86,7 +87,7 @@ importers: dependencies: '@hono/node-server': specifier: 1.19.13 - version: 1.19.13(hono@4.12.14) + version: 1.19.13(hono@4.12.26) '@slack/web-api': specifier: 7.15.0 version: 7.15.0 @@ -100,8 +101,8 @@ importers: specifier: 14.0.3 version: 14.0.3 hono: - specifier: 4.12.14 - version: 4.12.14 + specifier: 4.12.26 + version: 4.12.26 js-yaml: specifier: 4.1.1 version: 4.1.1 @@ -1741,8 +1742,8 @@ packages: hermes-parser@0.25.1: resolution: {integrity: sha512-6pEjquH3rqaI6cYAXYPcz9MS4rY6R4ngRgrgfDshRptUZIc3lw0MCIJIGDj9++mfySOuPTHB4nrSW99BCvOPIA==} - hono@4.12.14: - resolution: {integrity: sha512-am5zfg3yu6sqn5yjKBNqhnTX7Cv+m00ox+7jbaKkrLMRJ4rAdldd1xPd/JzbBWspqaQv6RSTrgFN95EsfhC+7w==} + hono@4.12.26: + resolution: {integrity: sha512-uyZtpnYxM9CmQ7QsQknM4zN8EftNqhON1qYeIKM0Se67CCEe2c44xyGURwB0axX2fBDu1dqHrHAc1hmNT8ITkw==} engines: {node: '>=16.9.0'} html-encoding-sniffer@6.0.0: @@ -2578,9 +2579,9 @@ packages: undici-types@7.18.2: resolution: {integrity: sha512-AsuCzffGHJybSaRrmr5eHr81mwJU3kjw6M+uprWvCXiNeN9SOGwQ3Jn8jb8m3Z6izVgknn1R0FTCEAP2QrLY/w==} - undici@7.24.7: - resolution: {integrity: sha512-H/nlJ/h0ggGC+uRL3ovD+G0i4bqhvsDOpbDv7At5eFLlj2b41L8QliGbnl2H7SnDiYhENphh1tQFJZf+MyfLsQ==} - engines: {node: '>=20.18.1'} + undici@8.5.0: + resolution: {integrity: sha512-xamtWoB1EshgjpmlXd7GGm2VfdDtw1+rD8uhry8pSNW3If6S8E0m2T2+orSKeZXEn/aPJMviCpDBA65WJt8zhg==} + engines: {node: '>=22.19.0'} unpipe@1.0.0: resolution: {integrity: sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ==} 
@@ -3118,9 +3119,9 @@ snapshots: '@exodus/bytes@1.15.0': {} - '@hono/node-server@1.19.13(hono@4.12.14)': + '@hono/node-server@1.19.13(hono@4.12.26)': dependencies: - hono: 4.12.14 + hono: 4.12.26 '@humanfs/core@0.19.1': {} @@ -3154,7 +3155,7 @@ snapshots: '@modelcontextprotocol/sdk@1.28.0(zod@4.3.6)': dependencies: - '@hono/node-server': 1.19.13(hono@4.12.14) + '@hono/node-server': 1.19.13(hono@4.12.26) ajv: 8.18.0 ajv-formats: 3.0.1(ajv@8.18.0) content-type: 1.0.5 @@ -3164,7 +3165,7 @@ snapshots: eventsource-parser: 3.0.6 express: 5.2.1 express-rate-limit: 8.3.1(express@5.2.1) - hono: 4.12.14 + hono: 4.12.26 jose: 6.2.2 json-schema-typed: 8.0.2 pkce-challenge: 5.0.1 @@ -4264,7 +4265,7 @@ snapshots: dependencies: hermes-estree: 0.25.1 - hono@4.12.14: {} + hono@4.12.26: {} html-encoding-sniffer@6.0.0: dependencies: @@ -4365,7 +4366,7 @@ snapshots: saxes: 6.0.0 symbol-tree: 3.2.4 tough-cookie: 6.0.1 - undici: 7.24.7 + undici: 8.5.0 w3c-xmlserializer: 5.0.0 webidl-conversions: 8.0.1 whatwg-mimetype: 5.0.0 @@ -5063,7 +5064,7 @@ snapshots: undici-types@7.18.2: {} - undici@7.24.7: {} + undici@8.5.0: {} unpipe@1.0.0: {} From a7c5fac348a7c13e9b31537b91e432f9af95f34a Mon Sep 17 00:00:00 2001 
From: olivrg
Date: Fri, 19 Jun 2026 11:44:25 +0100
Subject: [PATCH 2/2] fix(security): scope-ignore dev-only undici advisory instead of overriding
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The undici>=7.28.0 override broke the dashboard test suite: jsdom@29.0.1 deep-imports undici/lib/handler/wrap-handler.js, an internal path removed in undici 7.28, so every dashboard vitest worker failed with MODULE_NOT_FOUND. No undici version is both patched (>=7.28.0) and compatible with jsdom@29's internal layout (^7.25.0).

undici here is dev/test-only (dashboard > jsdom test env, not shipped) and the advisory is a SOCKS5 ProxyAgent TLS path not exercised in tests, so revert the override and add GHSA-vmh5-mc38-953g to the dev-only ignore list — same posture as the existing vite dev-only ignore. The hono upgrade (a real, shipped fix) is unchanged.

Verified: pnpm audit --audit-level=high exits 0; full pnpm test:js green (proxy 1575, dashboard 300); build + typecheck clean.
---
 package.json | 6 +++---
 pnpm-lock.yaml | 11 +++++------
 2 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/package.json b/package.json
index ef82963..479a05b 100644
--- a/package.json
+++ b/package.json
@@ -34,12 +34,12 @@
 "auditConfig": {
 "ignoreGhsas": [
 "GHSA-gv7w-rqvm-qjhr",
- "GHSA-fx2h-pf6j-xcff"
+ "GHSA-fx2h-pf6j-xcff",
+ "GHSA-vmh5-mc38-953g"
 ]
 },
 "overrides": {
- "form-data@>=4.0.0 <4.0.6": ">=4.0.6",
- "undici@>=7.23.0 <7.28.0": ">=7.28.0"
+ "form-data@>=4.0.0 <4.0.6": ">=4.0.6"
 }
 }
 }
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 0395a33..f7f9b2d 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -6,7 +6,6 @@ settings: overrides: form-data@>=4.0.0 <4.0.6: '>=4.0.6' - undici@>=7.23.0 <7.28.0: '>=7.28.0' importers:
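Review bot: `auditConfig.ignoreGhsas` is a global list, not a dev-scoped one, so the added `"GHSA-vmh5-mc38-953g"` entry will also silence the advisory if a vulnerable undici is ever pulled into a shipped package; the "scope-ignore dev-only" framing in the title overstates what this config does. The pnpm-lock.yaml hunk in this same patch resolves jsdom's undici to 7.28.0, which the series itself calls the patched version, so either the ignore is now unnecessary or the claim that 7.28 removed `wrap-handler.js` needs re-checking (patch 1's lockfile had resolved the `>=7.28.0` override to 8.5.0, not 7.28.x). Suggest re-running `pnpm audit --audit-level=high` without the new entry and dropping it if the gate passes; if it must stay, record a tracking issue for it as the esbuild/vite ignore has with #64, and add a `pnpm audit --prod --audit-level=high` step so the global ignore cannot mask a production path.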
@@ -2579,9 +2578,9 @@ packages: undici-types@7.18.2: resolution: {integrity: sha512-AsuCzffGHJybSaRrmr5eHr81mwJU3kjw6M+uprWvCXiNeN9SOGwQ3Jn8jb8m3Z6izVgknn1R0FTCEAP2QrLY/w==} - undici@8.5.0: - resolution: {integrity: sha512-xamtWoB1EshgjpmlXd7GGm2VfdDtw1+rD8uhry8pSNW3If6S8E0m2T2+orSKeZXEn/aPJMviCpDBA65WJt8zhg==} - engines: {node: '>=22.19.0'} + undici@7.28.0: + resolution: {integrity: sha512-cRZYrTDwWznlnRiPjggAGxZXanty6M8RV1ff8Wm4LWXBp7/IG8v5DnOm74DtUBp9OONpK75YlPnIjQqX0dBDtA==} + engines: {node: '>=20.18.1'} unpipe@1.0.0: resolution: {integrity: sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ==} @@ -4366,7 +4365,7 @@ snapshots: saxes: 6.0.0 symbol-tree: 3.2.4 tough-cookie: 6.0.1 - undici: 8.5.0 + undici: 7.28.0 w3c-xmlserializer: 5.0.0 webidl-conversions: 8.0.1 whatwg-mimetype: 5.0.0 @@ -5064,7 +5063,7 @@ snapshots: undici-types@7.18.2: {} - undici@8.5.0: {} + undici@7.28.0: {} unpipe@1.0.0: {}