fix(security): pin patched transitive deps to clear Dependabot moderates
Resolve all remaining npm advisories surfaced by `npm audit` across the four manifests via targeted `overrides` (no direct-dep additions, no downgrades):
- root: hono >=4.12.21 (was 4.12.18) — JWT scheme, cookie injection, IPv6 restriction bypass, percent-encoded mount routing (transitive via @modelcontextprotocol/sdk + @hono/node-server). Resolved -> 4.12.25.
- hub: qs >=6.15.2 (was 6.14.2, DoS via stringify) and ip-address >=10.1.1 (was 10.1.0, XSS in Address6) — both transitive via express/body-parser and express-rate-limit. Resolved -> qs 6.15.2, ip-address 10.2.0.
Add test/security-no-xlsx-dependency.test.mjs: regression guard proving the unpatched SheetJS `xlsx` parser stays out of every lockfile and that the Excel importer keeps using exceljs (Dependabot #29/#30, no upstream patch — already remediated structurally; this locks it in).
npm audit: 0 vulnerabilities in root, hub, hub/bridge, hub/gateway. Suite: 3341/3342 (one pre-existing flaky timing benchmark, green in isolation).
Semantic changes: 1 symbol. Files changed: +1 added, ~4 modified (819 in snapshot).
Comments: 0. Comment via: muse hub commit comment sha256:41d741fb345c4abdb640838aa3d847de02ccffd7a39fce04894e743e683b50d0 --body "your comment"