fix(deps): npm audit fix — clear hono + js-yaml production advisories#128
fix(deps): npm audit fix — clear hono + js-yaml production advisories#128chitcommit wants to merge 2 commits into
Conversation
Newly-published advisories landed on production dependencies, failing both the build-job audit and the reusable governance dependency-audit gate (both run production-scoped --omit=dev): - hono <=4.12.24 (HIGH): path traversal in serve-static via encoded backslash; CORS middleware reflecting any Origin with credentials under wildcard; body limit bypass on Lambda; Set-Cookie merging; repeated-header dropping. - js-yaml <=4.1.1 (moderate): quadratic-complexity DoS in merge-key handling. `npm audit fix` resolves all of them within the existing semver ranges, so package.json is unchanged — this is a package-lock.json-only update (also clears the dev-tree esbuild/ws advisories). Non-breaking by construction. Verified: `npm audit --audit-level=high` (full + --omit=dev) => found 0 vulnerabilities; `npm run typecheck` passes. Full vitest suite runs in CI (needs a live DATABASE_URL via globalSetup), not locally.
|
|
Important Review skippedReview was skipped due to path filters ⛔ Files ignored due to path filters (1)
CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including ⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Deploying with
|
| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ✅ Deployment successful! View logs |
chittycommand | 8398a19 | Jun 28 2026, 09:14 AM |
|
To use Codex here, create a Codex account and connect to github. |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: dd15fa85e0
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
…-22 bump Review (Codex P2): the prior `npm audit fix` resolved wrangler 4.73.0 -> 4.105.0, which declares `node >=22`, while CI provisions Node 20. There is no engine-strict config so CI stayed green, but shipping a Node-22 wrangler requirement via a security PR is unnecessary scope creep — wrangler is a dev dependency and is already scoped out of both audit gates by `--omit=dev`. Re-scope the lockfile to the production vulnerabilities only: - hono 4.12.23 -> 4.12.27 (clears the HIGH serve-static / CORS advisories) - js-yaml updated within range (clears the moderate DoS) - wrangler stays 4.73.0 (node >=20), matching CI. The dev-tree esbuild/ws advisories remain but never ship and are excluded by the production-scoped gate. Verified: `npm ci` + `npm run typecheck` pass; `npm audit --audit-level=high --omit=dev` => found 0 vulnerabilities; wrangler 4.73.0 runs. package.json unchanged.
|
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
|
To use Codex here, create a Codex account and connect to github. |
What
npm audit fixto clear production-dependency advisories.package-lock.jsononly —package.jsonis unchanged.Why
Newly-published advisories landed on production deps and are now failing both audit gates (both run production-scoped
--omit=dev, so this is real shipped-code risk, not dev tooling):hono≤4.12.24serve-static(encoded%5C); CORS middleware reflects any Origin with credentials under wildcard; body-limit bypass on Lambda; Set-Cookie merging; repeated-header droppingjs-yaml≤4.1.1honois the core framework shipped to the Worker, so the CORS-with-credentials and path-traversal items are directly relevant. This also incidentally clears the dev-treeesbuild/wsadvisories.This is the real remediation behind the gate scoping in #124 — and it confirms that gate is working:
--omit=devcorrectly surfaced a genuine production vuln.Non-breaking by construction
npm audit fix(no--force) resolved everything within the existing semver ranges, sopackage.jsondid not change — only the lockfile. No major upgrades.Verification
The full
vitestsuite runs in CI (its globalSetup applies migrations against a liveDATABASE_URL), so it was not run in this sandbox.Unblocks
This clears the
buildandgates / dependency-auditfailures currently red onmainand on the docs PR #127. Once this merges, #127 will be rebased to go green.https://claude.ai/code/session_01886crB52Jw3LWiqPh33WUM
Generated by Claude Code