chore: update dependencies to fix vulnerabilities (#2644)

Author: pepol

cli/package.json

@@ -52,7 +52,7 @@
     "@wundergraph/cosmo-shared": "workspace:*",
     "@wundergraph/protographic": "workspace:*",
     "ajv": "8.17.1",
-    "axios": "1.12.2",
+    "axios": "1.13.5",
     "boxen": "7.1.1",
     "cli-progress": "3.12.0",
     "cli-table3": "0.6.3",
@@ -80,7 +80,7 @@
     "prompts": "2.4.2",
     "pupa": "3.1.0",
     "semver": "7.7.1",
-    "tar": "7.4.3",
+    "tar": "7.5.11",
     "trieve-ts-sdk": "0.0.80",
     "undici": "6.21.2",
     "zod": "^3.25.0"
@@ -98,7 +98,6 @@
     "@types/node": "20.12.12",
     "@types/prompts": "2.4.9",
     "@types/semver": "7.7.0",
-    "@types/tar": "6.1.13",
     "@vitest/coverage-v8": "3.2.4",
     "del-cli": "5.0.0",
     "eslint": "8.57.1",

controlplane/package.json

@@ -62,7 +62,7 @@
     "@wundergraph/cosmo-connect": "workspace:*",
     "@wundergraph/cosmo-shared": "workspace:*",
     "@wundergraph/protographic": "workspace:*",
-    "axios": "^1.12.2",
+    "axios": "^1.13.5",
     "axios-retry": "^4.5.0",
     "bullmq": "^5.10.0",
     "cookie": "^0.7.2",
@@ -81,7 +81,7 @@
     "isomorphic-dompurify": "^2.33.0",
     "jose": "^5.2.4",
     "lodash": "^4.17.21",
-    "nodemailer": "^7.0.7",
+    "nodemailer": "^7.0.11",
     "nuid": "^1.1.6",
     "octokit": "^4.1.3",
     "openai": "^4.104.0",

controlplane/src/core/build-server.ts

@@ -185,6 +185,20 @@ export default async function build(opts: BuildConfig) {
     pluginTimeout: 10_000, // 10s
   });
 
+  /**
+   * CVE-2026-25223 prevention
+   */
+  fastify.addHook('onRequest', async (request, reply) => {
+    const contentType = request.headers['content-type'];
+
+    const contentTypeNormalized = contentType || [];
+    const contentTypeValues = Array.isArray(contentTypeNormalized) ? contentTypeNormalized : [contentTypeNormalized];
+
+    if (contentTypeValues.some((v) => v.includes('\t'))) {
+      await reply.code(400).send({ error: 'Invalid Content-Type header' });
+    }
+  });
+
   /**
    * Plugin registration
    */

package.json

@@ -57,9 +57,9 @@
     "@connectrpc/connect-query": "^1.4.1",
     "@connectrpc/protoc-gen-connect-es": "^1.4.0",
     "@connectrpc/protoc-gen-connect-query": "^1.4.1",
-    "@lerna-lite/cli": "4.1.1",
-    "@lerna-lite/publish": "4.1.1",
-    "@lerna-lite/version": "4.1.1",
+    "@lerna-lite/cli": "4.11.4",
+    "@lerna-lite/publish": "4.11.4",
+    "@lerna-lite/version": "4.11.4",
     "husky": "^8.0.3",
     "lint-staged": "^15.2.10",
     "prettier": "^3.6.2",