
chore(security): patch pnpm audit vulnerabilities via overrides#368

Merged
jamesbhobbs merged 2 commits into main from security/audit-patch-overrides on Apr 30, 2026

Conversation

jamesbhobbs (Contributor) commented Apr 30, 2026

Summary

Bumps pnpm.overrides in the root package.json so that pnpm audit reports zero known vulnerabilities. All 13 advisories (3 high, 10 moderate) are addressed without touching application code — only transitive versions change.

Overrides added

Overrides bumped

Other changes

  • cspell.json: added defu to the dictionary so the spell-check pre-push hook passes.

Test plan

  • pnpm install succeeds
  • pnpm audit reports No known vulnerabilities found
  • CI green (typecheck, build, test)
  • Spot-check that nothing in packages/mcp breaks at the new hono major-minor (it stays within 4.12.x)

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated project dependencies to newer stable versions, including core frameworks and build tools, for improved security and performance.

jamesbhobbs and others added 2 commits April 30, 2026 14:00
Bump pnpm overrides to resolve all 13 vulnerabilities reported by
`pnpm audit` (3 high, 10 moderate):

- defu >=6.1.5 (GHSA-737v-mqg7-c878, prototype pollution)
- vite >=7.3.2 (GHSA-v2wj-q39q-566r, GHSA-p9ff-h696-f583,
  GHSA-4w7w-66w2-5vf9)
- brace-expansion >=5.0.5 (GHSA-f886-m6hf-6m8v)
- hono >=4.12.14 (GHSA-26pp-8wgv-hjvm, GHSA-r5rp-j6wh-rvv4,
  GHSA-xf4j-xp2r-rqqx, GHSA-wmmm-f939-6g9c, GHSA-458j-xx4x-4375,
  GHSA-xpcf-pg52-r92g)
- @hono/node-server >=1.19.13 (GHSA-92pp-h63x-v22m)
- postcss >=8.5.10 (GHSA-qx2v-qp2m-jg93)

`pnpm audit` now reports no known vulnerabilities.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Required to satisfy the pre-push spell-check hook now that defu appears
in package.json overrides.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
coderabbitai (Bot) commented Apr 30, 2026

Walkthrough

Configuration updates across two files: spell-check allowlist extended with "defu" in cspell.json, and pnpm.overrides in package.json adjusted to enforce stricter minimum versions for @hono/node-server, hono, brace-expansion, defu, postcss, and vite.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Pre-merge checks: 6 passed

  • Title check: Passed. Title accurately summarizes the main change: patching security vulnerabilities via pnpm overrides in package.json.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
  • Updates Docs: Passed. This PR implements a security patch for dependency vulnerabilities, not a feature. The check explicitly requires documentation updates when a feature is implemented. Since no features are being added—only transitive dependency versions are bumped via overrides—the documentation update requirement does not apply here.
  • Description Check: Passed. Check skipped because CodeRabbit's high-level summary is enabled.


codecov (Bot) commented Apr 30, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 82.23%. Comparing base (3ec2d09) to head (589b890).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #368      +/-   ##
==========================================
- Coverage   83.34%   82.23%   -1.11%     
==========================================
  Files         145      144       -1     
  Lines        7987     5867    -2120     
  Branches     2156     1142    -1014     
==========================================
- Hits         6657     4825    -1832     
+ Misses       1329     1042     -287     
+ Partials        1        0       -1     


coderabbitai (Bot) left a review comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
  • Around line 63-85: The pnpm override versions in package.json (entries like "hono", "vite", "defu", "postcss", "brace-expansion" under the "pnpm.overrides" block) were updated but pnpm-lock.yaml was not regenerated; run pnpm install locally to update pnpm-lock.yaml so the lockfile reflects these new override constraints and CI using --frozen-lockfile will pass/audit correctly, then commit the updated pnpm-lock.yaml alongside the package.json change.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 1d672e3b-5650-4605-ba13-478cd5d3f72a

📥 Commits

Reviewing files that changed from the base of the PR and between 3ec2d09 and 589b890.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • cspell.json
  • package.json

@jamesbhobbs jamesbhobbs marked this pull request as ready for review April 30, 2026 13:12
@jamesbhobbs jamesbhobbs requested a review from a team as a code owner April 30, 2026 13:12
@jamesbhobbs jamesbhobbs merged commit f3bbb6f into main Apr 30, 2026
38 of 39 checks passed
@jamesbhobbs jamesbhobbs deleted the security/audit-patch-overrides branch April 30, 2026 13:17
tkislan added a commit that referenced this pull request Jun 8, 2026
Resolve 4 moderate pnpm audit vulnerabilities in hono (transitive via
packages/mcp > @modelcontextprotocol/sdk > hono), all fixed in 4.12.21:

- GHSA-xrhx-7g5j-rcj5 (CVE-2026-47674, CVSS 5.3): ip-restriction middleware
  bypasses static deny rules for non-canonical IPv6.
- GHSA-3hrh-pfw6-9m5x (CVE-2026-47675, CVSS 4.3): cookie helper does not
  sanitize sameSite and priority, allowing Set-Cookie injection.
- GHSA-f577-qrjj-4474 (CVE-2026-47673, CVSS 4.8): jwt/jwk middleware
  accepts any Authorization scheme, not only Bearer.
- GHSA-2gcr-mfcq-wcc3 (CVE-2026-47676, CVSS 5.3): app.mount() strips
  mount prefix using undecoded path, causing incorrect routing for
  percent-encoded paths.

Bump the existing pnpm.overrides floor for hono >=4.12.18 -> >=4.12.21
following the established convention in this repo (see #387, #368, #307,
#295, #292). pnpm install resolves hono to 4.12.23. After this change
`pnpm audit` reports no known vulnerabilities. `pnpm typecheck`,
`pnpm test` (2242 tests), and `pnpm prettier:check` all pass.
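As an added example (not code from PR #368, the follow-up commit, or the project itself), the script below checks the two things the override workflow on this page depends on: that every floor declared under pnpm.overrides in package.json is at least the minimum patched version named in the commit messages, and that the version a lockfile actually resolves is not below the declared floor, which is the gap CodeRabbit's comment about an un-regenerated pnpm-lock.yaml points at. The package.json fragment and the resolved versions are constructed for the example; the advisory floors are the ones listed in the commits above, with hono at the later >=4.12.21 floor.

```javascript
// Added example, not code from PR #368 or its project. Checks that
// pnpm.overrides floors meet the advisory minimums from the commit
// messages, and that resolved (lockfile) versions are not below those
// floors. All inputs are constructed; the real files are not on the page.

// Minimum patched versions taken from the commit messages on this page.
// hono uses the later floor (>=4.12.21) from the follow-up commit.
const ADVISORY_FLOORS = {
  "defu": "6.1.5",
  "vite": "7.3.2",
  "brace-expansion": "5.0.5",
  "hono": "4.12.21",
  "@hono/node-server": "1.19.13",
  "postcss": "8.5.10",
};

// Constructed package.json fragment: the hono floor is deliberately left
// at the older >=4.12.18 so the check has something to report.
const samplePackageJson = {
  pnpm: {
    overrides: {
      "defu": ">=6.1.5",
      "vite": ">=7.3.2",
      "brace-expansion": ">=5.0.5",
      "hono": ">=4.12.18",
      "@hono/node-server": ">=1.19.13",
      "postcss": ">=8.5.10",
    },
  },
};

// Constructed resolved versions, standing in for what a lockfile pins.
// brace-expansion is deliberately one patch release below its floor, the
// state a stale, un-regenerated lockfile would be in.
const sampleResolved = {
  "defu": "6.1.5",
  "vite": "7.3.2",
  "brace-expansion": "5.0.4",
  "hono": "4.12.23",
  "@hono/node-server": "1.19.13",
  "postcss": "8.5.10",
};

// Parse "x.y.z" (a leading "v" or a prerelease suffix is ignored) into integers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison, so "4.12.9" < "4.12.10" (string comparison gets this wrong).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Extract the lower bound from an override value. Only the ">=x.y.z" and bare
// "x.y.z" forms are accepted; anything else (ranges, tags like "latest")
// returns null so it is reported rather than guessed at.
function parseFloor(range) {
  const m = /^(?:>=)?\s*(\d+\.\d+\.\d+)$/.exec(String(range).trim());
  return m ? m[1] : null;
}

// Compare declared floors against advisory minimums and resolved versions.
// Returns a list of findings; an empty list means everything checks out.
function auditOverrides(pkg, floors, resolvedVersions) {
  const overrides = (pkg.pnpm && pkg.pnpm.overrides) || {};
  const findings = [];
  for (const [name, minVersion] of Object.entries(floors)) {
    const range = overrides[name];
    if (range === undefined) {
      findings.push({ name, kind: "missing-override", need: minVersion });
      continue;
    }
    const floor = parseFloor(range);
    if (floor === null) {
      findings.push({ name, kind: "unparseable-override", have: range, need: minVersion });
      continue;
    }
    if (compareVersions(floor, minVersion) < 0) {
      findings.push({ name, kind: "stale-floor", have: floor, need: minVersion });
    }
    const actual = resolvedVersions[name];
    if (actual !== undefined && compareVersions(actual, floor) < 0) {
      findings.push({ name, kind: "lockfile-below-floor", have: actual, need: floor });
    }
  }
  return findings;
}

// Run against the constructed inputs and print the findings.
for (const f of auditOverrides(samplePackageJson, ADVISORY_FLOORS, sampleResolved)) {
  console.log(`${f.kind}: ${f.name} has ${f.have ?? "nothing"}, needs >=${f.need}`);
}
```

On the constructed inputs the script reports two findings: hono's floor is stale (4.12.18 declared, 4.12.21 needed) and brace-expansion's resolved version (5.0.4) sits below its own floor. The second kind of finding is the one a `pnpm install --frozen-lockfile` CI job would otherwise surface only as an install failure, which is why checking resolved versions against the floors is worth doing before pushing.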