Skip to content

security: remediate all 13 critical/high Dependabot alerts#79

Open
jhamon wants to merge 1 commit into
mainfrom
security/dependabot-crit-high-remediation
Open

security: remediate all 13 critical/high Dependabot alerts#79
jhamon wants to merge 1 commit into
mainfrom
security/dependabot-crit-high-remediation

Conversation

@jhamon

@jhamon jhamon commented Jul 11, 2026

Copy link
Copy Markdown

Clears every open critical and high Dependabot alert in this repo — 2 critical / 11 high → 0. Part of PIN-15 (public-demo security sweep). Lockfile-only npm bumps (all within existing manifest semver ranges) plus one small pip framework bump.

npm (2 crit / 9 high) — lockfile-only, no manifest changes

package from → to severity GHSA dirs
shell-quote 1.8.3 → 1.10.0 CRITICAL GHSA-w7jw-789q-3m8p (arg injection) namespace-notes/, shop-the-look/
form-data 4.0.5 → 4.0.6 high GHSA-hmw2-7cc7-3qxx legal-semantic-search, namespace-notes/{client,server}, shop-the-look
protobufjs 7.6.0 → 7.6.5 high GHSA-wcpc-wj8m-hjx6 legal-semantic-search
undici 7.25.0 → 7.28.0 high×3 GHSA-vxpw-j846-p89q, -hm92-r4w5-c3mj, -vmh5-mc38-953g namespace-notes/server
multer 2.1.1 → 2.2.0 high GHSA-72gw-mp4g-v24j namespace-notes/server

All targets were already within their manifests' semver ranges (multer ^2.0.2, undici ^7.25.0, form-data ^4.0.4), so these are pure package-lock.json updates — no package.json or app-code changes.

pip (2 high) — shop-the-look/requirements.txt

  • starlette 0.49.1 → 1.3.1 (GHSA-82w8-qh3p-5jfq, GHSA-wqp7-x3pw-xc5r).
  • The patched starlette requires FastAPI to drop its <1.0.0 cap, so fastapi 0.130.0 → 0.133.0 (first release pinning starlette>=0.40.0 with no upper bound).
  • The app imports no starlette APIs directly — only fastapi.middleware.cors.CORSMiddleware — so breaking-change exposure from the starlette major bump is minimal.

Verification

  • npm ls confirms every targeted package resolves at/above its patched version in all five lockfiles; no package entries dropped (one deduped @protobufjs/inquire sub-dep only).
  • fastapi 0.133.0 + starlette 1.3.1 install cleanly and the app's exact CORSMiddleware construction succeeds (verified in a fresh venv).
  • Full requirements set resolves with no version conflicts (fastapi 0.133.0 needs pydantic>=2.7.0 / starlette>=0.40.0, both satisfied by the repo's pins).

No CI on these demos, so verification is local install/import smoke tests as above.

🤖 Generated with Claude Code

Clears every open critical and high Dependabot alert (2 crit / 11 high)
across the repo's demos. Lockfile-only npm bumps (all within existing
manifest semver ranges) plus one small pip framework bump.

npm (11 high, 2 crit):
- shell-quote 1.8.3 -> 1.10.0 (CRITICAL GHSA-w7jw-789q-3m8p, arg injection)
  in namespace-notes/ and shop-the-look/ (transitive).
- form-data 4.0.5 -> 4.0.6 (GHSA-hmw2-7cc7-3qxx) across legal-semantic-search,
  namespace-notes/client, namespace-notes/server, shop-the-look.
- protobufjs 7.6.0 -> 7.6.5 (GHSA-wcpc-wj8m-hjx6) legal-semantic-search.
- undici 7.25.0 -> 7.28.0 (GHSA-vxpw-j846-p89q, -hm92-r4w5-c3mj,
  -vmh5-mc38-953g) namespace-notes/server.
- multer 2.1.1 -> 2.2.0 (GHSA-72gw-mp4g-v24j) namespace-notes/server.
  Within existing "^2.0.2" manifest range; no code change.

pip (2 high) in shop-the-look/requirements.txt:
- starlette 0.49.1 -> 1.3.1 (GHSA-82w8-qh3p-5jfq, GHSA-wqp7-x3pw-xc5r).
  Patched starlette requires fastapi to drop its <1.0.0 cap, so
  fastapi 0.130.0 -> 0.133.0 (first release with "starlette>=0.40.0").
  App uses no starlette APIs directly (only fastapi CORSMiddleware), so
  breaking-change exposure is minimal.

Verification:
- npm ls confirms every targeted package resolves at/above its patched
  version in all five lockfiles; no package entries dropped (one deduped
  protobufjs sub-dep only).
- fastapi 0.133.0 + starlette 1.3.1 install and the app's exact
  CORSMiddleware usage constructs cleanly (verified in a venv).
- Full requirements set resolves with no version conflicts (fastapi
  0.133.0 needs pydantic>=2.7.0/starlette>=0.40.0, both satisfied).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant