From 063357da36aa9537edeb2cc12ba30594013bc417 Mon Sep 17 00:00:00 2001
From: Claude
Date: Thu, 28 May 2026 11:13:29 +0000
Subject: [PATCH] chore(security): patch 3 Dependabot alerts
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Bump `ws` from ^8.16.0 → ^8.20.1 in `@forestadmin/forest-cloud` (closes alert #364: uninitialized memory disclosure).
- Add scoped resolutions pinning `fast-uri` to ^3.1.2 in `@fastify/ajv-compiler` and `fast-json-stringify` chains (closes #357 and #358: host confusion / path traversal).
- Drop 4 redundant resolutions whose natural resolutions already satisfy the original pin: `**/socks/ip-address`, `**/ajv/fast-uri`, `**/@langchain/langgraph-sdk/uuid`, `**/@modelcontextprotocol/sdk/hono`.
---
package.json | 6 ++----
packages/forest-cloud/package.json | 2 +-
yarn.lock | 15 +++++----------
3 files changed, 8 insertions(+), 15 deletions(-)

diff --git a/package.json b/package.json
index f3475f082e..e013f39330 100644
--- a/package.json
+++ b/package.json
@@ -60,11 +60,9 @@
 "@hono/node-server": "^1.19.13",
 "langsmith": "^0.6.0",
 "lodash": "^4.18.0",
- "**/@langchain/langgraph-sdk/uuid": "^13.0.1",
- "**/socks/ip-address": "^10.1.1",
 "**/express-rate-limit/ip-address": "^10.1.1",
 "**/@aws-sdk/xml-builder/fast-xml-parser": "^5.7.0",
- "**/@modelcontextprotocol/sdk/hono": "^4.12.18",
- "**/ajv/fast-uri": "^3.1.2"
+ "**/@fastify/ajv-compiler/fast-uri": "^3.1.2",
+ "**/fast-json-stringify/fast-uri": "^3.1.2"
 }
 }
diff --git a/packages/forest-cloud/package.json b/packages/forest-cloud/package.json
index 306d004bec..65265a1390 100644
--- a/packages/forest-cloud/package.json
+++ b/packages/forest-cloud/package.json
@@ -24,7 +24,7 @@
 "joi": "^17.12.2",
 "ora": "^3.2.0",
 "subscriptions-transport-ws": "^0.9.19",
- "ws": "^8.16.0"
+ "ws": "^8.20.1"
 },
 "publishConfig": {
 "access": "public"
diff --git a/yarn.lock b/yarn.lock
index c257c490d8..44bd9fa81e 100644
--- a/yarn.lock
+++ b/yarn.lock
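Review bot: The new `"**/@fastify/ajv-compiler/fast-uri": "^3.1.2"` and `"**/fast-json-stringify/fast-uri": "^3.1.2"` entries are what make the yarn.lock collapse `fast-uri@^2.0.0, fast-uri@^2.1.0` onto 3.1.2 — a cross-major override that semver alone would never produce, so the fix holds only while those two glob patterns match every dependent that still requests 2.x, and a package.json cannot carry a comment recording that. The lockfile hunk does not show which packages own the `^2.0.0`/`^2.1.0` ranges, so confirm they are exactly the two chains named, and run the fast-json-stringify / @fastify/ajv-compiler paths against fast-uri 3.x before merging; if other 2.x requesters exist, a single catch-all `"**/fast-uri": "^3.1.2"` would be the safer replacement for the dropped `**/ajv/fast-uri` pin. Separately, the yarn.lock context beside the `ws` change still resolves `ws-7.5.10.tgz` for another range (most likely via `subscriptions-transport-ws`, which sits next to `ws` in the same dependencies block); if alert #364's affected range includes 7.x, bumping only the direct `"ws": "^8.20.1"` in packages/forest-cloud/package.json does not close it.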
@@ -8337,12 +8337,7 @@ fast-safe-stringify@2.1.1, fast-safe-stringify@^2.0.7, fast-safe-stringify@^2.0.
 resolved "https://registry.yarnpkg.com/fast-safe-stringify/-/fast-safe-stringify-2.1.1.tgz#c406a83b6e70d9e35ce3b30a81141df30aeba884"
 integrity sha512-W+KJc2dmILlPplD/H4K9l9LcAHAfPtP6BY84uVLXQ6Evcz9Lcg33Y2z1IVblT6xdY54PXYVHEv+0Wpq8Io6zkA==

-fast-uri@^2.0.0, fast-uri@^2.1.0:
- version "2.3.0"
- resolved "https://registry.yarnpkg.com/fast-uri/-/fast-uri-2.3.0.tgz#bdae493942483d299e7285dcb4627767d42e2793"
- integrity sha512-eel5UKGn369gGEWOqBShmFJWfq/xSJvsgDzgLYC845GneayWvXBf0lJCBn5qTABfewy1ZDPoaR5OZCP+kssfuw==
-
-fast-uri@^3.0.1, fast-uri@^3.1.2:
+fast-uri@^2.0.0, fast-uri@^2.1.0, fast-uri@^3.0.1, fast-uri@^3.1.2:
 version "3.1.2"
 resolved "https://registry.yarnpkg.com/fast-uri/-/fast-uri-3.1.2.tgz#8af3d4fc9d3e71b11572cc2673b514a7d1a8c8ec"
 integrity sha512-rVjf7ArG3LTk+FS6Yw81V1DLuZl1bRbNrev6Tmd/9RaroeeRRJhAt7jg/6YFxbvAQXUCavSoZhPPj6oOx+5KjQ==
@@ -17733,10 +17728,10 @@ write-pkg@4.0.0:
 resolved "https://registry.yarnpkg.com/ws/-/ws-7.5.10.tgz#58b5c20dc281633f6c19113f39b349bd8bd558d9"
 integrity sha512-+dbF1tHwZpXcbOJdVOkzLDxZP1ailvSxM6ZweXTegylPny803bFhA+vqBYw4s31NSAk4S2Qz+AKXK9a4wkdjcQ==

-ws@^8.16.0:
- version "8.17.1"
- resolved "https://registry.yarnpkg.com/ws/-/ws-8.17.1.tgz#9293da530bb548febc95371d90f9c878727d919b"
- integrity sha512-6XQFvXTkbfUOZOKKILFG1PDK2NDQs4azKQl26T0YS5CxqWLgXajbPZ+h4gZekJyRqFU8pvnbAbbs/3TgRPy+GQ==
+ws@^8.20.1:
+ version "8.21.0"
+ resolved "https://registry.yarnpkg.com/ws/-/ws-8.21.0.tgz#012e413fc07429945121b0c153158c4343086951"
+ integrity sha512-Vsp28b7DRcimFQvrqu2Wek3z1iYxDCWqHYB8Qsnk/S4RfaCQzPGPyBNuVjJV3cd6UiKtUtp6sNM77gWvzcCH+g==

 xml-naming@^0.1.0:
 version "0.1.0"