Skip to content

fix(deps): resolve all 78 open Dependabot alerts#605

Merged
phil-davis merged 1 commit into
masterfrom
fix/dependabot-alerts
Jul 9, 2026
Merged

fix(deps): resolve all 78 open Dependabot alerts#605
phil-davis merged 1 commit into
masterfrom
fix/dependabot-alerts

Conversation

@DeepDiver1975

Copy link
Copy Markdown
Member

Summary

Resolves all 78 open Dependabot alerts (1 critical, 24 high, 48 moderate, 5 low). vite is bumped directly (5 → 6); every other package is a transitive dependency (mostly under @ownclouders/web-pkg) pinned to its first patched version via pnpm.overrides.

Test plan

  • pnpm install — clean resolution, all overrides landed on a single version per package.
  • pnpm vite buildpasses (vite v6.4.3, 56 modules transformed — same module count as the pre-change baseline). The vite 5 → 6 major bump builds cleanly.
  • Node 18 (local) / CI uses make dist. vite 6 supports Node ^18 || ^20 || >=22, so no engine-floor regression.
  • pnpm lint fails on both this branch and master with ESLint couldn't find an eslint.config file — a pre-existing eslint v9 config-migration issue unrelated to these dependency bumps.

Fixed (resolved version ≥ first patched)

Runtime

Package Old New Needs ≥ Alerts
@casl/ability 6.5.0 6.8.1 6.7.5 #59 (critical)
axios 1.13.5 / 1.17.0 1.18.1 1.16.0 #100,102,106–113,121–125,132–134,136–139
follow-redirects 1.15.11 1.16.0 1.16.0 #99
form-data 4.0.5 4.0.6 4.0.6 #146
lodash-es 4.17.21 4.18.1 4.18.0 #52,84,85
postcss 8.5.6 8.5.16 8.5.10 #105
qs 6.14.1 6.15.3 6.15.2 #60,126
uuid 9.0.0 11.1.1 11.1.1 #127 (major bump)
yaml 1.10.2 1.10.3 1.10.3 #79

Development

Package Old New Needs ≥ Alerts
@babel/core 7.22.1 7.29.7 7.29.6 #147
@hono/node-server 1.19.9 1.19.14 1.19.13 #73,88
@modelcontextprotocol/sdk 1.25.3 1.29.0 1.26.0 #57
esbuild 0.21.5 0.25.12 0.25.0 #28
fast-uri 3.1.0 3.1.3 3.1.2 #116,118
flatted 3.3.3 3.4.2 3.4.2 #78
hono 4.11.7 4.12.28 4.12.25 #63,70–72,76,89–93,101,115,117,119,120,128–131,141–145
js-yaml 4.1.1 4.3.0 4.2.0 #153
lodash 4.17.21 4.18.1 4.18.0 #53,86,87
minimatch 3.1.2 3.1.5 3.1.3 #68
picomatch 2.3.1 2.3.2 2.3.2 #81
rollup 4.52.5 4.62.2 4.59.0 #69
vite 5.4.21 6.4.3 6.4.3 #94,96,148,149,151,152 (major bump)

No fix available

None — every open alert has an upstream patch and is covered above.

Blocked on merge

All 78 alerts stay open until this PR merges to master; Dependabot only rescans the default branch. The code fix is complete and pushed.

🤖 Generated with Claude Code

Bump vite directly and pin transitive dependencies (mostly under
@ownclouders/web-pkg) via pnpm overrides to their first patched versions.
Verified with a clean `pnpm install` + `pnpm vite build` (vite 5 -> 6 major
bump builds cleanly, 56 modules, same as baseline).

Runtime:
- @casl/ability 6.5.0 -> 6.8.1 (#59 critical, prototype pollution, needs >= 6.7.5)
- axios 1.13.5/1.17.0 -> 1.18.1 (#100,102,106-113,121-125,132-134,136-139, needs >= 1.16.0)
- follow-redirects 1.15.11 -> 1.16.0 (#99, needs >= 1.16.0)
- form-data 4.0.5 -> 4.0.6 (#146 CRLF injection, needs >= 4.0.6)
- lodash-es 4.17.21 -> 4.18.1 (#52,84,85, needs >= 4.18.0)
- postcss 8.5.6 -> 8.5.16 (#105 XSS, needs >= 8.5.10)
- qs 6.14.1 -> 6.15.3 (#60,126 DoS, needs >= 6.15.2)
- uuid 9.0.0 -> 11.1.1 (#127 bounds check, needs >= 11.1.1; major bump)
- yaml 1.10.2 -> 1.10.3 (#79 stack overflow, needs >= 1.10.3)

Development:
- @babel/core 7.22.1 -> 7.29.7 (#147, needs >= 7.29.6)
- @hono/node-server 1.19.9 -> 1.19.14 (#73,88, needs >= 1.19.13)
- @modelcontextprotocol/sdk 1.25.3 -> 1.29.0 (#57, needs >= 1.26.0)
- esbuild 0.21.5 -> 0.25.12 (#28, needs >= 0.25.0)
- fast-uri 3.1.0 -> 3.1.3 (#116,118, needs >= 3.1.2)
- flatted 3.3.3 -> 3.4.2 (#78 prototype pollution, needs >= 3.4.2)
- hono 4.11.7 -> 4.12.28 (#63,70-72,76,89-93,101,115,117,119,120,128-131,141-145, needs >= 4.12.25)
- js-yaml 4.1.1 -> 4.3.0 (#153 DoS, needs >= 4.2.0)
- lodash 4.17.21 -> 4.18.1 (#53,86,87, needs >= 4.18.0)
- minimatch 3.1.2 -> 3.1.5 (#68 ReDoS, needs >= 3.1.3)
- picomatch 2.3.1 -> 2.3.2 (#81, needs >= 2.3.2)
- rollup 4.52.5 -> 4.62.2 (#69 path traversal, needs >= 4.59.0)
- vite 5.4.21 -> 6.4.3 (#94,96,148,149,151,152, needs >= 6.4.3; major bump)

No-fix / accept-risk: none - every open alert has an upstream patch and is
covered above.

All alerts remain open until this PR merges to master (Dependabot rescans the
default branch).

Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
@DeepDiver1975 DeepDiver1975 requested a review from a team as a code owner July 9, 2026 08:54

@phil-davis phil-davis left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note: the webUI acceptance tests only test a number of combinations of things that would prevent a share recipient "Brian" from being able to access the "raw" content of a file. They don't actually test what happens when Brian views the file on the UI, and should be shown an image rendering of the file with some watermark on it.

After all these version bumps to JS, someone should check that the rendering of the image with watermark is happening correctly.

@phil-davis phil-davis merged commit 3d10897 into master Jul 9, 2026
11 checks passed
@phil-davis phil-davis deleted the fix/dependabot-alerts branch July 9, 2026 10:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants