
chore: Update dependencies not covered by dependabot#375

Merged
Steve-Mcl merged 2 commits into
mainfrom
update-deps
Jun 30, 2026

Conversation

@Steve-Mcl

Contributor

Description

Update dependencies not covered by dependabot

This pull request updates several dependencies in the package.json file to address version upgrades and includes new overrides for the serialize-javascript package. These changes help keep the project up-to-date and improve security and compatibility.

Dependency updates:

  • Upgraded @modelcontextprotocol/sdk from ^1.27.1 to ^1.29.0, onnxruntime-web from ^1.22.0 to ^1.27.0, and semver from ^7.7.2 to ^7.8.5 in dependencies.
  • Updated devDependencies: eslint-plugin-no-only-tests from ^3.1.0 to ^3.4.0, and mocha from ^11.7.5 to ^11.7.6.

Security and compatibility:

  • Added overrides for serialize-javascript versions 6 and 7, forcing both to use version 7.0.7 to ensure consistency and address security issues.

Testing

Local testing has been conducted.

AFTER

$ npm audit
# npm audit report

diff  6.0.0 - 8.0.2
jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch - https://github.com/advisories/GHSA-73rr-hh4g-fpgx
fix available via `npm audit fix --force`
Will install mocha@11.3.0, which is a breaking change
node_modules/diff
  mocha  11.4.0 - 12.0.0-beta-3
  Depends on vulnerable versions of diff
  node_modules/mocha

2 low severity vulnerabilities

BEFORE

brace-expansion  <1.1.13 || >=2.0.0 <2.0.3
Severity: moderate
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - https://github.com/advisories/GHSA-f886-m6hf-6m8v
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - https://github.com/advisories/GHSA-f886-m6hf-6m8v
fix available via `npm audit fix`
node_modules/brace-expansion
node_modules/mocha/node_modules/brace-expansion

diff  6.0.0 - 8.0.2
jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch - https://github.com/advisories/GHSA-73rr-hh4g-fpgx
fix available via `npm audit fix --force`
Will install mocha@11.3.0, which is a breaking change
node_modules/diff
  mocha  8.2.0 - 12.0.0-beta-3
  Depends on vulnerable versions of diff
  Depends on vulnerable versions of serialize-javascript
  node_modules/mocha

hono  <=4.12.24
Severity: high
Hono: IP Restriction bypasses static deny rules for non-canonical IPv6  - https://github.com/advisories/GHSA-xrhx-7g5j-rcj5
Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection - https://github.com/advisories/GHSA-3hrh-pfw6-9m5x
Hono: JWT middleware accepts any Authorization scheme, not only Bearer - https://github.com/advisories/GHSA-f577-qrjj-4474
Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths - https://github.com/advisories/GHSA-2gcr-mfcq-wcc3
hono: Path traversal in `serve-static` on Windows via encoded backslash (`%5C`) - https://github.com/advisories/GHSA-wwfh-h76j-fc44
hono: AWS Lambda adapter merges multiple `Set-Cookie` headers into one value, dropping cookies on ALB single-header and Lattice - https://github.com/advisories/GHSA-j6c9-x7qj-28xf
hono: CORS Middleware reflects any Origin with credentials when `origin` defaults to the wildcard - https://github.com/advisories/GHSA-88fw-hqm2-52qc
hono: Body Limit Middleware can be bypassed on AWS Lambda by understating `Content-Length` - https://github.com/advisories/GHSA-rv63-4mwf-qqc2
hono: Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest - https://github.com/advisories/GHSA-wgpf-jwqj-8h8p
fix available via `npm audit fix`
node_modules/hono

js-yaml  4.0.0 - 4.1.1
Severity: moderate
JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases - https://github.com/advisories/GHSA-h67p-54hq-rp68
fix available via `npm audit fix`
node_modules/js-yaml

protobufjs  <=7.6.2
Severity: high
protobufjs : Schema-derived names can shadow runtime-significant properties - https://github.com/advisories/GHSA-f38q-mgvj-vph7
protobufjs: Denial of service through unbounded Any expansion during JSON conversion - https://github.com/advisories/GHSA-wcpc-wj8m-hjx6
fix available via `npm audit fix`
node_modules/protobufjs

qs  6.11.1 - 6.15.1
Severity: moderate
qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set - https://github.com/advisories/GHSA-q8mj-m7cp-5q26
fix available via `npm audit fix`
node_modules/qs

serialize-javascript  <=7.0.4
Severity: high
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() - https://github.com/advisories/GHSA-5c6j-r48x-rmvq
Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects - https://github.com/advisories/GHSA-qj8w-gfj5-8c6v
fix available via `npm audit fix --force`
Will install mocha@11.3.0, which is a breaking change
node_modules/serialize-javascript

8 vulnerabilities (1 low, 4 moderate, 3 high)


Related Issue(s)

Checklist

  • I have read the contribution guidelines
  • Suitable unit/system level tests have been added and they pass
  • Documentation has been updated
    • Upgrade instructions
    • Configuration details
    • Concepts
  • Changes flowforge.yml?
    • Issue/PR raised on FlowFuse/helm to update ConfigMap Template
    • Issue/PR raised on FlowFuse/CloudProject to update values for Staging/Production
  • Link to Changelog Entry PR, or note why one is not needed.

Labels

  • Includes a DB migration? -> add the area:migration label

@Steve-Mcl Steve-Mcl requested a review from hardillb June 30, 2026 19:37
@Steve-Mcl Steve-Mcl merged commit 7b35a2c into main Jun 30, 2026
9 checks passed
@Steve-Mcl Steve-Mcl deleted the update-deps branch June 30, 2026 20:07