From e2f4c230a5472b19203e7e3ef2d6e1544412ac8f Mon Sep 17 00:00:00 2001
From: Matt Williams
Date: Mon, 20 Apr 2026 15:26:25 -0700
Subject: [PATCH 1/2] fix: harden dependency security posture
Pin all 40 dependencies to exact versions, add .npmrc with save-exact and audit-on-install, whitelist only esbuild for install scripts via onlyBuiltDependencies, and add 18 scoped pnpm overrides to resolve all 48 audit vulnerabilities (including 1 critical handlebars RCE and 11 high-severity advisories).
Co-Authored-By: Claude Opus 4.6
---
 .npmrc | 2 +
 package.json | 100 ++++++++++-------
 pnpm-lock.yaml | 297 ++++++++++++++++++++++++-------------------------
 3 files changed, 208 insertions(+), 191 deletions(-)
 create mode 100644 .npmrc
diff --git a/.npmrc b/.npmrc
new file mode 100644
index 0000000..236c641
--- /dev/null
+++ b/.npmrc
@@ -0,0 +1,2 @@
+save-exact=true
+audit=true
diff --git a/package.json b/package.json
index c630392..02cf8af 100644
--- a/package.json
+++ b/package.json
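Review bot: `audit=true` in the new `.npmrc` probably does not provide the audit-on-install that the commit message describes. The repository installs with pnpm (it ships `pnpm-lock.yaml`), and as far as I know pnpm does not act on npm's `audit` key during install, while under npm the key already defaults to true. If the intent is to fail on known advisories, an explicit CI step such as `pnpm audit --audit-level high` would enforce it. The `.npmrc` line could then carry a comment like `# informational only; enforcement is the pnpm audit step in CI`.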
@@ -70,52 +70,74 @@
 "access": "public"
 },
 "dependencies": {
- "@js-temporal/polyfill": "^0.5.1",
- "@modelcontextprotocol/sdk": "^1.26.0",
+ "@js-temporal/polyfill": "0.5.1",
+ "@modelcontextprotocol/sdk": "1.26.0",
 "@runloop/api-client": "1.16.0",
- "@types/express": "^5.0.6",
- "adm-zip": "^0.5.16",
- "chalk": "^5.6.2",
- "commander": "^14.0.2",
- "conf": "^15.0.2",
- "dotenv": "^17.2.3",
- "express": "^5.2.1",
- "figures": "^6.1.0",
- "gradient-string": "^3.0.0",
- "ink": "^6.6.0",
- "ink-big-text": "^2.0.0",
- "ink-gradient": "^3.0.0",
- "ink-link": "^5.0.0",
- "ink-spinner": "^5.0.0",
- "ink-text-input": "^6.0.0",
+ "@types/express": "5.0.6",
+ "adm-zip": "0.5.16",
+ "chalk": "5.6.2",
+ "commander": "14.0.2",
+ "conf": "15.1.0",
+ "dotenv": "17.2.3",
+ "express": "5.2.1",
+ "figures": "6.1.0",
+ "gradient-string": "3.0.0",
+ "ink": "6.6.0",
+ "ink-big-text": "2.0.0",
+ "ink-gradient": "3.0.0",
+ "ink-link": "5.0.0",
+ "ink-spinner": "5.0.0",
+ "ink-text-input": "6.0.0",
 "react": "19.2.0",
- "yaml": "^2.8.2",
- "zustand": "^5.0.10"
+ "yaml": "2.8.3",
+ "zustand": "5.0.10"
 },
 "pnpm": {
+ "onlyBuiltDependencies": ["esbuild"],
 "overrides": {
- "tmp": "^0.2.5"
+ "tmp": "^0.2.5",
+ "qs": "^6.15.1",
+ "hono": "^4.12.14",
+ "@hono/node-server": "^1.19.14",
+ "@modelcontextprotocol/sdk>ajv": "^8.18.0",
+ "express-rate-limit": "^8.3.2",
+ "tar": "^7.5.13",
+ "flatted": "^3.4.2",
+ "handlebars": "^4.7.9",
+ "eslint>minimatch": "^3.1.3",
+ "eslint-plugin-react>minimatch": "^3.1.3",
+ "glob>minimatch": "^3.1.3",
+ "test-exclude>minimatch": "^3.1.3",
+ "@typescript-eslint/typescript-estree>minimatch": "^9.0.9",
+ "jest-util>picomatch": "^2.3.2",
+ "anymatch>picomatch": "^2.3.2",
+ "eslint>ajv": "^6.14.0",
+ "minimatch>brace-expansion": "^1.1.13",
+ "node-forge": "^1.4.0",
+ "micromatch>picomatch": "^2.3.2",
+ "tinyglobby>picomatch": "^4.0.4",
+ "path-to-regexp": "^8.4.2"
 }
 },
 "devDependencies": {
- "@anthropic-ai/mcpb": "^2.1.2",
- "@types/adm-zip": "^0.5.7",
- "@types/jest": "^29.5.14",
- "@types/node": "^22.19.7",
- "@types/react": "^19.2.10",
- "@typescript-eslint/eslint-plugin": "^8.54.0",
- "@typescript-eslint/parser": "^8.54.0",
- "esbuild": "^0.27.2",
- "eslint": "^9.39.2",
- "eslint-plugin-react": "^7.37.5",
- "eslint-plugin-react-hooks": "^6.1.1",
- "globals": "^16.5.0",
- "husky": "^9.1.7",
- "ink-testing-library": "^4.0.0",
- "jest": "^29.7.0",
- "prettier": "^3.8.1",
- "ts-jest": "^29.4.6",
- "ts-node": "^10.9.2",
- "typescript": "^5.9.3"
+ "@anthropic-ai/mcpb": "2.1.2",
+ "@types/adm-zip": "0.5.7",
+ "@types/jest": "29.5.14",
+ "@types/node": "22.19.7",
+ "@types/react": "19.2.10",
+ "@typescript-eslint/eslint-plugin": "8.54.0",
+ "@typescript-eslint/parser": "8.54.0",
+ "esbuild": "0.27.2",
+ "eslint": "9.39.2",
+ "eslint-plugin-react": "7.37.5",
+ "eslint-plugin-react-hooks": "6.1.1",
+ "globals": "16.5.0",
+ "husky": "9.1.7",
+ "ink-testing-library": "4.0.0",
+ "jest": "29.7.0",
+ "prettier": "3.8.1",
+ "ts-jest": "29.4.6",
+ "ts-node": "10.9.2",
+ "typescript": "5.9.3"
 }
 }
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 22ca7b1..ada4664 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
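Review bot: The selector `"minimatch>brace-expansion": "^1.1.13"` carries no version on the parent, so it also rewrites the dependency of minimatch 9. The lockfile in this same patch shows `minimatch@9.0.9` resolving `brace-expansion: 1.1.14` where `minimatch@9.0.5` had `2.0.2`, a major-version downgrade that nothing in the patch exercises. pnpm selectors accept a parent range, so this can be split into `"minimatch@3>brace-expansion": "^1.1.13"` and a second `"minimatch@9>brace-expansion"` entry pointing at a patched 2.x release (version to be confirmed against the advisory). Separately, nine of the added entries (`qs`, `tar`, `handlebars`, `path-to-regexp` and others) are global rather than scoped, and all use caret ranges, so the exact versions are held only by `pnpm-lock.yaml`. CI therefore needs to install with `--frozen-lockfile` for the pinning to hold.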
@@ -6,131 +6,152 @@ settings: overrides: tmp: ^0.2.5 + qs: ^6.15.1 + hono: ^4.12.14 + '@hono/node-server': ^1.19.14 + '@modelcontextprotocol/sdk>ajv': ^8.18.0 + express-rate-limit: ^8.3.2 + tar: ^7.5.13 + flatted: ^3.4.2 + handlebars: ^4.7.9 + eslint>minimatch: ^3.1.3 + eslint-plugin-react>minimatch: ^3.1.3 + glob>minimatch: ^3.1.3 + test-exclude>minimatch: ^3.1.3 + '@typescript-eslint/typescript-estree>minimatch': ^9.0.9 + jest-util>picomatch: ^2.3.2 + anymatch>picomatch: ^2.3.2 + eslint>ajv: ^6.14.0 + minimatch>brace-expansion: ^1.1.13 + node-forge: ^1.4.0 + micromatch>picomatch: ^2.3.2 + tinyglobby>picomatch: ^4.0.4 + path-to-regexp: ^8.4.2 importers: .: dependencies: '@js-temporal/polyfill': - specifier: ^0.5.1 + specifier: 0.5.1 version: 0.5.1 '@modelcontextprotocol/sdk': - specifier: ^1.26.0 + specifier: 1.26.0 version: 1.26.0(zod@4.3.6) '@runloop/api-client': specifier: 1.16.0 version: 1.16.0 '@types/express': - specifier: ^5.0.6 + specifier: 5.0.6 version: 5.0.6 adm-zip: - specifier: ^0.5.16 + specifier: 0.5.16 version: 0.5.16 chalk: - specifier: ^5.6.2 + specifier: 5.6.2 version: 5.6.2 commander: - specifier: ^14.0.2 + specifier: 14.0.2 version: 14.0.2 conf: - specifier: ^15.0.2 + specifier: 15.1.0 version: 15.1.0 dotenv: - specifier: ^17.2.3 + specifier: 17.2.3 version: 17.2.3 express: - specifier: ^5.2.1 + specifier: 5.2.1 version: 5.2.1 figures: - specifier: ^6.1.0 + specifier: 6.1.0 version: 6.1.0 gradient-string: - specifier: ^3.0.0 + specifier: 3.0.0 version: 3.0.0 ink: - specifier: ^6.6.0 + specifier: 6.6.0 version: 6.6.0(@types/react@19.2.10)(react@19.2.0) ink-big-text: - specifier: ^2.0.0 + specifier: 2.0.0 version: 2.0.0(ink@6.6.0(@types/react@19.2.10)(react@19.2.0))(react@19.2.0) ink-gradient: - specifier: ^3.0.0 + specifier: 3.0.0 version: 3.0.0(ink@6.6.0(@types/react@19.2.10)(react@19.2.0)) ink-link: - specifier: ^5.0.0 + specifier: 5.0.0 version: 5.0.0(ink@6.6.0(@types/react@19.2.10)(react@19.2.0)) ink-spinner: - specifier: ^5.0.0 + 
specifier: 5.0.0 version: 5.0.0(ink@6.6.0(@types/react@19.2.10)(react@19.2.0))(react@19.2.0) ink-text-input: - specifier: ^6.0.0 + specifier: 6.0.0 version: 6.0.0(ink@6.6.0(@types/react@19.2.10)(react@19.2.0))(react@19.2.0) react: specifier: 19.2.0 version: 19.2.0 yaml: - specifier: ^2.8.2 - version: 2.8.2 + specifier: 2.8.3 + version: 2.8.3 zustand: - specifier: ^5.0.10 + specifier: 5.0.10 version: 5.0.10(@types/react@19.2.10)(react@19.2.0) devDependencies: '@anthropic-ai/mcpb': - specifier: ^2.1.2 + specifier: 2.1.2 version: 2.1.2 '@types/adm-zip': - specifier: ^0.5.7 + specifier: 0.5.7 version: 0.5.7 '@types/jest': - specifier: ^29.5.14 + specifier: 29.5.14 version: 29.5.14 '@types/node': - specifier: ^22.19.7 + specifier: 22.19.7 version: 22.19.7 '@types/react': - specifier: ^19.2.10 + specifier: 19.2.10 version: 19.2.10 '@typescript-eslint/eslint-plugin': - specifier: ^8.54.0 + specifier: 8.54.0 version: 8.54.0(@typescript-eslint/parser@8.54.0(eslint@9.39.2)(typescript@5.9.3))(eslint@9.39.2)(typescript@5.9.3) '@typescript-eslint/parser': - specifier: ^8.54.0 + specifier: 8.54.0 version: 8.54.0(eslint@9.39.2)(typescript@5.9.3) esbuild: - specifier: ^0.27.2 + specifier: 0.27.2 version: 0.27.2 eslint: - specifier: ^9.39.2 + specifier: 9.39.2 version: 9.39.2 eslint-plugin-react: - specifier: ^7.37.5 + specifier: 7.37.5 version: 7.37.5(eslint@9.39.2) eslint-plugin-react-hooks: - specifier: ^6.1.1 + specifier: 6.1.1 version: 6.1.1(eslint@9.39.2) globals: - specifier: ^16.5.0 + specifier: 16.5.0 version: 16.5.0 husky: - specifier: ^9.1.7 + specifier: 9.1.7 version: 9.1.7 ink-testing-library: - specifier: ^4.0.0 + specifier: 4.0.0 version: 4.0.0(@types/react@19.2.10) jest: - specifier: ^29.7.0 + specifier: 29.7.0 version: 29.7.0(@types/node@22.19.7)(ts-node@10.9.2(@types/node@22.19.7)(typescript@5.9.3)) prettier: - specifier: ^3.8.1 + specifier: 3.8.1 version: 3.8.1 ts-jest: - specifier: ^29.4.6 + specifier: 29.4.6 version: 
29.4.6(@babel/core@7.28.6)(@jest/transform@29.7.0)(@jest/types@29.6.3)(babel-jest@29.7.0(@babel/core@7.28.6))(esbuild@0.27.2)(jest-util@29.7.0)(jest@29.7.0(@types/node@22.19.7)(ts-node@10.9.2(@types/node@22.19.7)(typescript@5.9.3)))(typescript@5.9.3) ts-node: - specifier: ^10.9.2 + specifier: 10.9.2 version: 10.9.2(@types/node@22.19.7)(typescript@5.9.3) typescript: - specifier: ^5.9.3 + specifier: 5.9.3 version: 5.9.3 packages: @@ -506,11 +527,11 @@ packages: resolution: {integrity: sha512-43/qtrDUokr7LJqoF2c3+RInu/t4zfrpYdoSDfYyhg52rwLV6TnOvdG4fXm7IkSB3wErkcmJS9iEhjVtOSEjjA==} engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0} - '@hono/node-server@1.19.9': - resolution: {integrity: sha512-vHL6w3ecZsky+8P5MD+eFfaGTyCeOHUIFYMGpQGbrBTSmNNoxv0if69rEZ5giu36weC5saFuznL411gRX7bJDw==} + '@hono/node-server@1.19.14': + resolution: {integrity: sha512-GwtvgtXxnWsucXvbQXkRgqksiH2Qed37H9xHZocE5sA3N8O8O8/8FA3uclQXxXVzc9XBZuEOMK7+r02FmSpHtw==} engines: {node: '>=18.14.1'} peerDependencies: - hono: ^4 + hono: ^4.12.14 '@humanfs/core@0.19.1': resolution: {integrity: sha512-5DyQ4+1JEUzejeK1JGICcideyfUbGixgS9jNgex5nqkW+cY7WZhxBigmieN5Qnw9ZosSNVC9KQKyb+GUaGyKUA==} @@ -912,11 +933,8 @@ packages: ajv: optional: true - ajv@6.12.6: - resolution: {integrity: sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==} - - ajv@8.17.1: - resolution: {integrity: sha512-B/gBuNg5SiMTrPkC+A2+cW0RszwxYmn6VYxB/inlBStS5nx6xHIt/ehKRhIMhqusl7a8LjQoZnjCs5vhwxOQ1g==} + ajv@6.14.0: + resolution: {integrity: sha512-IWrosm/yrn43eiKqkfkHis7QioDleaXQHdDVPKg0FSwwd/DuvyX79TZnFOnYpB7dcsFAMmtFztZuXPDvSePkFw==} ajv@8.18.0: resolution: {integrity: sha512-PlXPeEWMXMZ7sPYOHqmDyCJzcfNrUr3fGNKtezX14ykXOEIvyK81d+qydx89KY5O71FKMPaQ2vBfBFI5NHR63A==} 
@@ -1044,11 +1062,8 @@ packages: resolution: {integrity: sha512-oP5VkATKlNwcgvxi0vM0p/D3n2C3EReYVX+DNYs5TjZFn/oQt2j+4sVJtSMr18pdRr8wjTcBl6LoV+FUwzPmNA==} engines: {node: '>=18'} - brace-expansion@1.1.12: - resolution: {integrity: sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==} - - brace-expansion@2.0.2: - resolution: {integrity: sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==} + brace-expansion@1.1.14: + resolution: {integrity: sha512-MWPGfDxnyzKU7rNOW9SP/c50vi3xrmrua/+6hfPbCS2ABNWfx24vPidzvC7krjU/RTo235sV776ymlsMtGKj8g==} braces@3.0.3: resolution: {integrity: sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==} @@ -1495,8 +1510,8 @@ packages: resolution: {integrity: sha512-2Zks0hf1VLFYI1kbh0I5jP3KHHyCHpkfyHBzsSXRFgl/Bg9mWYfMW8oD+PdMPlEwy5HNsR9JutYy6pMeOh61nw==} engines: {node: ^14.15.0 || ^16.10.0 || >=18.0.0} - express-rate-limit@8.2.1: - resolution: {integrity: sha512-PCZEIEIxqwhzw4KF0n7QF4QqruVTcF73O5kFKUnGOyjbCCgizBBiFaYpd/fnBLUMPw/BWw9OsiN7GgrNYr7j6g==} + express-rate-limit@8.3.2: + resolution: {integrity: sha512-77VmFeJkO0/rvimEDuUC5H30oqUC4EyOhyGccfqoLebB0oiEYfM7nwPrsDsBL1gsTpwfzX8SFy2MT3TDyRq+bg==} engines: {node: '>= 16'} peerDependencies: express: '>= 4.11' @@ -1564,8 +1579,8 @@ packages: resolution: {integrity: sha512-f7ccFPK3SXFHpx15UIGyRJ/FJQctuKZ0zVuN3frBo4HnK3cay9VEW0R6yPYFHC0AgqhukPzKjq22t5DmAyqGyw==} engines: {node: '>=16'} - flatted@3.3.3: - resolution: {integrity: sha512-GX+ysw4PBCz0PzosHDepZGANEuFCMLrnRTiEy9McGjmkCQYwRq4A/X786G/fjM/+OjsWSU1ZrY5qyARZmO/uwg==} + flatted@3.4.2: + resolution: {integrity: sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==} flora-colossus@2.0.0: resolution: {integrity: sha512-dz4HxH6pOvbUzZpZ/yXhafjbR2I8cenK5xL0KtBFb7U2ADsR+OwXifnxZjij/pZWF775uSCMzWVd+jDik2H2IA==} 
@@ -1691,8 +1706,8 @@ packages: resolution: {integrity: sha512-frdKI4Qi8Ihp4C6wZNB565de/THpIaw3DjP5ku87M+N9rNSGmPTjfkq61SdRXB7eCaL8O1hkKDvf6CDMtOzIAg==} engines: {node: '>=14'} - handlebars@4.7.8: - resolution: {integrity: sha512-vafaFqs8MZkRrSX7sFVUdo3ap/eNiLnb4IakshzvP56X5Nr1iGKAIqdX6tMlm6HcNRIkr6AxO5jFEoJzzpT8aQ==} + handlebars@4.7.9: + resolution: {integrity: sha512-4E71E0rpOaQuJR2A3xDZ+GM1HyWYv1clR58tC8emQNeQe3RH7MAzSbat+V0wG78LQBo6m6bzSG/L4pBuCsgnUQ==} engines: {node: '>=0.4.7'} hasBin: true @@ -1727,8 +1742,8 @@ packages: resolution: {integrity: sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==} engines: {node: '>= 0.4'} - hono@4.11.7: - resolution: {integrity: sha512-l7qMiNee7t82bH3SeyUCt9UF15EVmaBvsppY2zQtrbIhl/yzBTny+YUxsVjSjQ6gaqaeVtZmGocom8TzBlA4Yw==} + hono@4.12.14: + resolution: {integrity: sha512-am5zfg3yu6sqn5yjKBNqhnTX7Cv+m00ox+7jbaKkrLMRJ4rAdldd1xPd/JzbBWspqaQv6RSTrgFN95EsfhC+7w==} engines: {node: '>=16.9.0'} html-escaper@2.0.2: @@ -1849,8 +1864,8 @@ packages: resolution: {integrity: sha512-4gd7VpWNQNB4UKKCFFVcp1AVv+FMOgs9NKzjHKusc8jTMhd5eL1NqQqOpE0KzMds804/yHlglp3uxgluOqAPLw==} engines: {node: '>= 0.4'} - ip-address@10.0.1: - resolution: {integrity: sha512-NWv9YLW4PoW2B7xtzaS3NCot75m6nK7Icdv0o3lfMceJVRfSoQwqD4wEH5rLwoKJwUiZ/rfpiVBhnaF0FK4HoA==} + ip-address@10.1.0: + resolution: {integrity: sha512-XXADHxXmvT9+CRxhXg56LJovE+bmWnEWB78LB83VZTprKTmaC5QfruXocxzTZ2Kl0DNwKuBdlIhjL8LeY8Sf8Q==} engines: {node: '>= 12'} ipaddr.js@1.9.1: 
@@ -2318,11 +2333,11 @@ packages: resolution: {integrity: sha512-VP79XUPxV2CigYP3jWwAUFSku2aKqBH7uTAapFWCBqutsbmDo96KY5o8uh6U+/YSIn5OxJnXp73beVkpqMIGhA==} engines: {node: '>=18'} - minimatch@3.1.2: - resolution: {integrity: sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==} + minimatch@3.1.5: + resolution: {integrity: sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==} - minimatch@9.0.5: - resolution: {integrity: sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==} + minimatch@9.0.9: + resolution: {integrity: sha512-OBwBN9AL4dqmETlpS2zasx+vTeWclWzkblfZk7KTA5j3jeOONz/tRCnZomUyvNg83wL5Zv9Ss6HMJXAgL8R2Yg==} engines: {node: '>=16 || 14 >=14.17'} minimist@1.2.8: @@ -2367,8 +2382,8 @@ packages: encoding: optional: true - node-forge@1.3.3: - resolution: {integrity: sha512-rLvcdSyRCyouf6jcOIPe/BgwG/d7hKjzMKOas33/pHEr6gbq18IK9zV7DiPvzsz0oBJPme6qr6H6kGZuI9/DZg==} + node-forge@1.4.0: + resolution: {integrity: sha512-LarFH0+6VfriEhqMMcLX2F7SwSXeWwnEAJEsYm5QKWchiVYVvJyV9v7UDvUv+w5HO23ZpQTXDv/GxdDdMyOuoQ==} engines: {node: '>= 6.13.0'} node-int64@0.4.0: 
@@ -2483,18 +2498,18 @@ packages: path-parse@1.0.7: resolution: {integrity: sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==} - path-to-regexp@8.3.0: - resolution: {integrity: sha512-7jdwVIRtsP8MYpdXSwOS0YdD0Du+qOoF/AEPIt88PcCFrZCzx41oxku1jD88hZBwbNUIEfpqvuhjFaMAqMTWnA==} + path-to-regexp@8.4.2: + resolution: {integrity: sha512-qRcuIdP69NPm4qbACK+aDogI5CBDMi1jKe0ry5rSQJz8JVLsC7jV8XpiJjGRLLol3N+R5ihGYcrPLTno6pAdBA==} picocolors@1.1.1: resolution: {integrity: sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA==} - picomatch@2.3.1: - resolution: {integrity: sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==} + picomatch@2.3.2: + resolution: {integrity: sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==} engines: {node: '>=8.6'} - picomatch@4.0.3: - resolution: {integrity: sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==} + picomatch@4.0.4: + resolution: {integrity: sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==} engines: {node: '>=12'} pirates@4.0.7: @@ -2548,8 +2563,8 @@ packages: pure-rand@6.1.0: resolution: {integrity: sha512-bVWawvoZoBYpp6yIoQtQXHZjmz35RSVHnUOTefl8Vcjr8snTPY1wnpSPMWekcFwbxI6gtmT7rSYPFvz71ldiOA==} - qs@6.14.1: - resolution: {integrity: sha512-4EK3+xJl8Ts67nLYNwqw/dsFVnCf+qR7RgXSK9jEEm9unao3njwMDdmsdvoKBKHzxd7tCYz5e5M+SnMjdtXGQQ==} + qs@6.15.1: + resolution: {integrity: sha512-6YHEFRL9mfgcAvql/XhwTvf5jKcOiiupt2FiJxHkiX1z4j7WL8J/jRHYLluORvc1XxB5rV20KoeK00gVJamspg==} engines: {node: '>=0.6'} range-parser@1.2.1: 
@@ -2647,11 +2662,6 @@ packages: resolution: {integrity: sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==} hasBin: true - semver@7.7.3: - resolution: {integrity: sha512-SdsKMrI9TdgjdweUSR9MweHA4EJ8YxHn8DFaDisvhVlUOe4BF1tLD7GAj0lIqWVl+dPb/rExr0Btby5loQm20Q==} - engines: {node: '>=10'} - hasBin: true - semver@7.7.4: resolution: {integrity: sha512-vFKC2IEtQnVhpT78h1Yp8wzwrf8CM+MzKMHGJZfBtzhZNycRFnXsHk6E5TxIkkMsgNS7mdX3AGB7x2QM2di4lA==} engines: {node: '>=10'} @@ -2829,8 +2839,8 @@ packages: resolution: {integrity: sha512-yEFYrVhod+hdNyx7g5Bnkkb0G6si8HJurOoOEgC8B/O0uXLHlaey/65KRv6cuWBNhBgHKAROVpc7QyYqE5gFng==} engines: {node: '>=20'} - tar@7.5.9: - resolution: {integrity: sha512-BTLcK0xsDh2+PUe9F6c2TlRp4zOOBMTkoQHQIWSIzI0R7KG46uEwq4OPk2W7bZcprBMsuaeFsqwYr7pjh6CuHg==} + tar@7.5.13: + resolution: {integrity: sha512-tOG/7GyXpFevhXVh8jOPJrmtRpOTsYqUIkVdVooZYJS/z8WhfQUX8RJILmeuJNinGAMSu1veBr4asSHFt5/hng==} engines: {node: '>=18'} terminal-link@5.0.0: @@ -3107,8 +3117,8 @@ packages: resolution: {integrity: sha512-YgvUTfwqyc7UXVMrB+SImsVYSmTS8X/tSrtdNZMImM+n7+QTriRXyXim0mBrTXNeqzVF0KWGgHPeiyViFFrNDw==} engines: {node: '>=18'} - yaml@2.8.2: - resolution: {integrity: sha512-mplynKqc1C2hTVYxd0PU2xQAc22TI1vShAYGksCCfxbn/dFwnHTNi1bvYsBTkhdUNtGIf5xNOg938rrSSYvS9A==} + yaml@2.8.3: + resolution: {integrity: sha512-AvbaCLOO2Otw/lW5bmh9d/WEdcDFdQp2Z2ZUH3pX9U2ihyUY0nvLv7J6TrWowklRGPYbB/IuIMfYgxaCPg5Bpg==} engines: {node: '>= 14.6'} hasBin: true @@ -3184,7 +3194,7 @@ snapshots: fflate: 0.8.2 galactus: 1.0.0 ignore: 7.0.5 - node-forge: 1.3.3 + node-forge: 1.4.0 pretty-bytes: 5.6.0 zod: 3.25.76 zod-to-json-schema: 3.25.1(zod@3.25.76) @@ -3473,7 +3483,7 @@ snapshots: dependencies: '@eslint/object-schema': 2.1.7 debug: 4.4.3 - minimatch: 3.1.2 + minimatch: 3.1.5 transitivePeerDependencies: - supports-color 
@@ -3487,14 +3497,14 @@ snapshots: '@eslint/eslintrc@3.3.3': dependencies: - ajv: 6.12.6 + ajv: 6.14.0 debug: 4.4.3 espree: 10.4.0 globals: 14.0.0 ignore: 5.3.2 import-fresh: 3.3.1 js-yaml: 4.1.1 - minimatch: 3.1.2 + minimatch: 3.1.5 strip-json-comments: 3.1.1 transitivePeerDependencies: - supports-color @@ -3508,9 +3518,9 @@ snapshots: '@eslint/core': 0.17.0 levn: 0.4.1 - '@hono/node-server@1.19.9(hono@4.11.7)': + '@hono/node-server@1.19.14(hono@4.12.14)': dependencies: - hono: 4.11.7 + hono: 4.12.14 '@humanfs/core@0.19.1': {} @@ -3825,17 +3835,17 @@ snapshots: '@modelcontextprotocol/sdk@1.26.0(zod@4.3.6)': dependencies: - '@hono/node-server': 1.19.9(hono@4.11.7) - ajv: 8.17.1 - ajv-formats: 3.0.1(ajv@8.17.1) + '@hono/node-server': 1.19.14(hono@4.12.14) + ajv: 8.18.0 + ajv-formats: 3.0.1(ajv@8.18.0) content-type: 1.0.5 cors: 2.8.6 cross-spawn: 7.0.6 eventsource: 3.0.7 eventsource-parser: 3.0.6 express: 5.2.1 - express-rate-limit: 8.2.1(express@5.2.1) - hono: 4.11.7 + express-rate-limit: 8.3.2(express@5.2.1) + hono: 4.12.14 jose: 6.1.3 json-schema-typed: 8.0.2 pkce-challenge: 5.0.1 @@ -3854,7 +3864,7 @@ snapshots: form-data-encoder: 1.7.2 formdata-node: 4.4.1 node-fetch: 2.7.0 - tar: 7.5.9 + tar: 7.5.13 uuidv7: 1.1.0 zod: 3.25.76 transitivePeerDependencies: @@ -4067,7 +4077,7 @@ snapshots: '@typescript-eslint/types': 8.54.0 '@typescript-eslint/visitor-keys': 8.54.0 debug: 4.4.3 - minimatch: 9.0.5 + minimatch: 9.0.9 semver: 7.7.4 tinyglobby: 0.2.15 ts-api-utils: 2.4.0(typescript@5.9.3) 
@@ -4116,28 +4126,17 @@ snapshots: dependencies: humanize-ms: 1.2.1 - ajv-formats@3.0.1(ajv@8.17.1): - optionalDependencies: - ajv: 8.17.1 - ajv-formats@3.0.1(ajv@8.18.0): optionalDependencies: ajv: 8.18.0 - ajv@6.12.6: + ajv@6.14.0: dependencies: fast-deep-equal: 3.1.3 fast-json-stable-stringify: 2.1.0 json-schema-traverse: 0.4.1 uri-js: 4.4.1 - ajv@8.17.1: - dependencies: - fast-deep-equal: 3.1.3 - fast-uri: 3.1.0 - json-schema-traverse: 1.0.0 - require-from-string: 2.0.2 - ajv@8.18.0: dependencies: fast-deep-equal: 3.1.3 @@ -4168,7 +4167,7 @@ snapshots: anymatch@3.1.3: dependencies: normalize-path: 3.0.0 - picomatch: 2.3.1 + picomatch: 2.3.2 arg@4.1.3: {} @@ -4317,21 +4316,17 @@ snapshots: http-errors: 2.0.1 iconv-lite: 0.7.2 on-finished: 2.4.1 - qs: 6.14.1 + qs: 6.15.1 raw-body: 3.0.2 type-is: 2.0.1 transitivePeerDependencies: - supports-color - brace-expansion@1.1.12: + brace-expansion@1.1.14: dependencies: balanced-match: 1.0.2 concat-map: 0.0.1 - brace-expansion@2.0.2: - dependencies: - balanced-match: 1.0.2 - braces@3.0.3: dependencies: fill-range: 7.1.1 @@ -4758,7 +4753,7 @@ snapshots: estraverse: 5.3.0 hasown: 2.0.2 jsx-ast-utils: 3.3.5 - minimatch: 3.1.2 + minimatch: 3.1.5 object.entries: 1.1.9 object.fromentries: 2.0.8 object.values: 1.2.1 @@ -4791,7 +4786,7 @@ snapshots: '@humanwhocodes/module-importer': 1.0.1 '@humanwhocodes/retry': 0.4.3 '@types/estree': 1.0.8 - ajv: 6.12.6 + ajv: 6.14.0 chalk: 4.1.2 cross-spawn: 7.0.6 debug: 4.4.3 @@ -4810,7 +4805,7 @@ snapshots: is-glob: 4.0.3 json-stable-stringify-without-jsonify: 1.0.1 lodash.merge: 4.6.2 - minimatch: 3.1.2 + minimatch: 3.1.5 natural-compare: 1.4.0 optionator: 0.9.4 transitivePeerDependencies: @@ -4868,10 +4863,10 @@ snapshots: jest-message-util: 29.7.0 jest-util: 29.7.0 - express-rate-limit@8.2.1(express@5.2.1): + express-rate-limit@8.3.2(express@5.2.1): dependencies: express: 5.2.1 - ip-address: 10.0.1 + ip-address: 10.1.0 express@5.2.1: dependencies: 
@@ -4895,7 +4890,7 @@ snapshots: once: 1.4.0 parseurl: 1.3.3 proxy-addr: 2.0.7 - qs: 6.14.1 + qs: 6.15.1 range-parser: 1.2.1 router: 2.2.0 send: 1.2.1 @@ -4924,9 +4919,9 @@ snapshots: dependencies: bser: 2.1.1 - fdir@6.5.0(picomatch@4.0.3): + fdir@6.5.0(picomatch@4.0.4): optionalDependencies: - picomatch: 4.0.3 + picomatch: 4.0.4 fflate@0.8.2: {} @@ -4965,10 +4960,10 @@ snapshots: flat-cache@4.0.1: dependencies: - flatted: 3.3.3 + flatted: 3.4.2 keyv: 4.5.4 - flatted@3.3.3: {} + flatted@3.4.2: {} flora-colossus@2.0.0: dependencies: @@ -5077,7 +5072,7 @@ snapshots: fs.realpath: 1.0.0 inflight: 1.0.6 inherits: 2.0.4 - minimatch: 3.1.2 + minimatch: 3.1.5 once: 1.4.0 path-is-absolute: 1.0.1 @@ -5104,7 +5099,7 @@ snapshots: chalk: 5.6.2 tinygradient: 1.1.5 - handlebars@4.7.8: + handlebars@4.7.9: dependencies: minimist: 1.2.8 neo-async: 2.6.2 @@ -5137,7 +5132,7 @@ snapshots: dependencies: function-bind: 1.1.2 - hono@4.11.7: {} + hono@4.12.14: {} html-escaper@2.0.2: {} @@ -5265,7 +5260,7 @@ snapshots: hasown: 2.0.2 side-channel: 1.1.0 - ip-address@10.0.1: {} + ip-address@10.1.0: {} ipaddr.js@1.9.1: {} @@ -5736,7 +5731,7 @@ snapshots: chalk: 4.1.2 ci-info: 3.9.0 graceful-fs: 4.2.11 - picomatch: 2.3.1 + picomatch: 2.3.2 jest-validate@29.7.0: dependencies: @@ -5881,7 +5876,7 @@ snapshots: micromatch@4.0.8: dependencies: braces: 3.0.3 - picomatch: 2.3.1 + picomatch: 2.3.2 mime-db@1.52.0: {} @@ -5899,13 +5894,13 @@ snapshots: mimic-function@5.0.1: {} - minimatch@3.1.2: + minimatch@3.1.5: dependencies: - brace-expansion: 1.1.12 + brace-expansion: 1.1.14 - minimatch@9.0.5: + minimatch@9.0.9: dependencies: - brace-expansion: 2.0.2 + brace-expansion: 1.1.14 minimist@1.2.8: {} @@ -5931,7 +5926,7 @@ snapshots: dependencies: whatwg-url: 5.0.0 - node-forge@1.3.3: {} + node-forge@1.4.0: {} node-int64@0.4.0: {} 
@@ -6047,13 +6042,13 @@ snapshots: path-parse@1.0.7: {} - path-to-regexp@8.3.0: {} + path-to-regexp@8.4.2: {} picocolors@1.1.1: {} - picomatch@2.3.1: {} + picomatch@2.3.2: {} - picomatch@4.0.3: {} + picomatch@4.0.4: {} pirates@4.0.7: {} @@ -6097,7 +6092,7 @@ snapshots: pure-rand@6.1.0: {} - qs@6.14.1: + qs@6.15.1: dependencies: side-channel: 1.1.0 @@ -6178,7 +6173,7 @@ snapshots: depd: 2.0.0 is-promise: 4.0.0 parseurl: 1.3.3 - path-to-regexp: 8.3.0 + path-to-regexp: 8.4.2 transitivePeerDependencies: - supports-color @@ -6207,8 +6202,6 @@ snapshots: semver@6.3.1: {} - semver@7.7.3: {} - semver@7.7.4: {} send@1.2.1: @@ -6432,7 +6425,7 @@ snapshots: tagged-tag@1.0.0: {} - tar@7.5.9: + tar@7.5.13: dependencies: '@isaacs/fs-minipass': 4.0.1 chownr: 3.0.0 @@ -6449,14 +6442,14 @@ snapshots: dependencies: '@istanbuljs/schema': 0.1.3 glob: 7.2.3 - minimatch: 3.1.2 + minimatch: 3.1.5 tinycolor2@1.6.0: {} tinyglobby@0.2.15: dependencies: - fdir: 6.5.0(picomatch@4.0.3) - picomatch: 4.0.3 + fdir: 6.5.0(picomatch@4.0.4) + picomatch: 4.0.4 tinygradient@1.1.5: dependencies: @@ -6483,12 +6476,12 @@ snapshots: dependencies: bs-logger: 0.2.6 fast-json-stable-stringify: 2.1.0 - handlebars: 4.7.8 + handlebars: 4.7.9 jest: 29.7.0(@types/node@22.19.7)(ts-node@10.9.2(@types/node@22.19.7)(typescript@5.9.3)) json5: 2.2.3 lodash.memoize: 4.1.2 make-error: 1.3.6 - semver: 7.7.3 + semver: 7.7.4 type-fest: 4.41.0 typescript: 5.9.3 yargs-parser: 21.1.1 @@ -6721,7 +6714,7 @@ snapshots: yallist@5.0.0: {} - yaml@2.8.2: {} + yaml@2.8.3: {} yargs-parser@21.1.1: {} From df3894005e66fce8ef09c6bb09a912bd708bdb6d Mon Sep 17 00:00:00 2001 
From: Matt Williams Date: Mon, 20 Apr 2026 15:35:55 -0700 Subject: [PATCH 2/2] ci: add bypass-keyword to dependency age gate Enables emergency bypass of the 14-day age gate by including "bypass-age-gate" in the PR body. Needed for this PR since the security patches we're pulling in were published < 14 days ago. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c5b1a39..d9ce1cc 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -148,6 +148,7 @@ jobs: ecosystems: npm min-age-days: "14" base-ref: origin/${{ github.event.pull_request.base.ref }} + bypass-keyword: "bypass-age-gate" ready-to-merge: runs-on: ubuntu-slim
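Review bot: `bypass-keyword: "bypass-age-gate"` makes the 14-day age gate opt-out for whoever writes the PR description, because the PR body is author-controlled. The control meant to keep freshly published releases out of the tree can then be switched off by the same PR that introduces them. The input is also added permanently, although the commit message justifies it only for this PR. Either drop it again once this PR merges, or keep it and require approval from a dependency owner (branch protection or CODEOWNERS on `package.json` and `pnpm-lock.yaml`) whenever the keyword is used, and add a comment above the line such as `# Emergency only: skips the min-age-days check; reviewer must verify each new version manually`. The step this input belongs to starts above the hunk, so its trigger and how the action treats fork PRs are not visible here.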