
fix(deps): address Dependabot vulnerability alerts for serialize-javascript and hono#948

Merged
jeanduplessis merged 1 commit into main from fix/dependabot-vulnerability-upgrades on Mar 10, 2026

Conversation


@kilo-code-bot kilo-code-bot Bot commented Mar 9, 2026

Summary

Addresses all 5 open Dependabot vulnerability alerts by upgrading affected dependencies:

| Alert | Package | Severity | GHSA | Fix |
|---|---|---|---|---|
| #59 | serialize-javascript | High | GHSA-5c6j-r48x-rmvq (RCE via RegExp.flags and Date.prototype.toISOString) | pnpm override >=7.0.3 (resolved to 7.0.4) |
| #39 | hono | Medium | GHSA-6wqw-2p9w-4vw4 (Cache middleware ignores Cache-Control: private) | 4.11.6 → 4.12.2 |
| #40 | hono | Medium | GHSA-w332-q679-j88p (Arbitrary key read in serve-static middleware) | 4.11.6 → 4.12.2 |
| #41 | hono | Medium | GHSA-9r54-q6cx-xmh5 (XSS through ErrorBoundary component) | 4.11.6 → 4.12.2 |
| #42 | hono | Low | GHSA-gq3j-xvxp-8hrf (Timing comparison hardening in basicAuth/bearerAuth) | 4.11.6 → 4.12.2 |

serialize-javascript (6.0.2 → 7.0.4): Transitive dependency of terser-webpack-plugin (via webpack/storybook). Added a pnpm override since the parent package pins ^6.0.2. The serialize-javascript@7.0.3 entry was already in minimumReleaseAgeExclude.

hono (4.11.6 → 4.12.2): Direct dependency in kiloclaw/controller/package.json, which was pinned at a vulnerable version instead of using the workspace catalog (^4.12.1). Updated to 4.12.2, matching the version already resolved elsewhere in the monorepo.

Verification

  • pnpm install — lockfile updated, serialize-javascript resolved to 7.0.4, hono resolved to 4.12.2
  • pnpm typecheck — passes across all 29 workspace projects
  • pnpm lint — passes across all workspace projects
  • pnpm format:check — all files conform to Prettier style
  • pnpm test — all test suites fail due to missing Postgres database in this environment (pre-existing infrastructure issue, not caused by these changes)

Visual Changes

N/A

Reviewer Notes

  • The hono upgrade from 4.11.6 to 4.12.2 is a minor version bump. The kiloclaw/controller only uses Hono and Context types — no breaking changes expected.
  • serialize-javascript v7 is a major bump from v6, but the API is backwards-compatible (the breaking change was dropping Node <18 support and fixing the security vulnerabilities). The pnpm override forces all consumers to use the patched version.
  • Tests require a Postgres database connection and fail uniformly in this environment — CI should confirm they pass.
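A lockfile check in the spirit of the verification steps above, added here as an example and not part of the PR or the repository. It assumes the pnpm lockfile v9 layout (`name@version` keys under `packages:`), reads a constructed sample lockfile, and flags the situation the PR describes: a stale pin that still resolves an old version alongside the workspace catalog's version.

```javascript
// Added example, not code from this PR or its repository. Assumes pnpm lockfile v9
// layout: entries keyed "name@version" (optional "(peer...)" suffix) under "packages:".
const REQUIRED_MIN = {
  "serialize-javascript": "7.0.3", // GHSA-5c6j-r48x-rmvq
  hono: "4.12.2", // GHSA-6wqw-2p9w-4vw4, GHSA-w332-q679-j88p, GHSA-9r54-q6cx-xmh5, GHSA-gq3j-xvxp-8hrf
};
// Constructed sample lockfile: a stale pin still resolves hono 4.11.6 beside the catalog's 4.12.2.
const SAMPLE_LOCK = `lockfileVersion: '9.0'
packages:
  hono@4.11.6:
  hono@4.12.2:
  serialize-javascript@7.0.4:
  terser-webpack-plugin@5.3.10(webpack@5.90.0):
snapshots:
  hono@4.11.6: {}
`;

// Collect the "name@version" keys listed under "packages:" (two-space indent).
function lockPackageKeys(lockText) {
  const keys = [];
  let inPackages = false;
  for (const line of lockText.split("\n")) {
    if (/^packages:\s*$/.test(line)) { inPackages = true; continue; }
    if (inPackages && /^\S/.test(line)) inPackages = false; // next top-level section
    const m = inPackages ? line.match(/^  ([^\s:][^:]*):\s*$/) : null;
    if (m) keys.push(m[1]);
  }
  return keys;
}

// Split a lock key into name and version; scoped names keep their leading "@".
function parseLockKey(key) {
  const bare = key.replace(/\(.*$/, ""); // drop peer-dependency suffix
  const at = bare.lastIndexOf("@");
  return { name: bare.slice(0, at), version: bare.slice(at + 1) };
}

// Numeric compare of x.y.z cores (pre-release tags not handled): -1, 0 or 1.
function compareSemver(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if ((pa[i] ?? 0) !== (pb[i] ?? 0)) return (pa[i] ?? 0) < (pb[i] ?? 0) ? -1 : 1;
  return 0;
}

// Every resolved entry still below its required minimum (empty array means all patched).
function findUnpatched(lockKeys, required = REQUIRED_MIN) {
  return lockKeys.map(parseLockKey)
    .filter(({ name, version }) => required[name] && compareSemver(version, required[name]) < 0)
    .map(({ name, version }) => ({ name, version, min: required[name] }));
}
```

Running `findUnpatched(lockPackageKeys(SAMPLE_LOCK))` on the sample returns only the stale `hono@4.11.6` entry; an empty result on the real lockfile confirms the override and the pin bump both took effect.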

…script and hono

- Add pnpm override for serialize-javascript >=7.0.3 (GHSA-5c6j-r48x-rmvq, high severity RCE)
- Upgrade hono from 4.11.6 to 4.12.2 in kiloclaw/controller (GHSA-6wqw-2p9w-4vw4, GHSA-w332-q679-j88p, GHSA-9r54-q6cx-xmh5, GHSA-gq3j-xvxp-8hrf)

kilo-code-bot Bot commented Mar 9, 2026

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Files Reviewed (4 files)
  • kiloclaw/controller/bun.lock
  • kiloclaw/controller/package.json
  • package.json
  • pnpm-lock.yaml

@jeanduplessis jeanduplessis merged commit 15da315 into main Mar 10, 2026
18 checks passed
@jeanduplessis jeanduplessis deleted the fix/dependabot-vulnerability-upgrades branch March 10, 2026 16:58
