fix(security): upgrade CLI deps and add overrides for vulnerabilities #2952
- Upgrade @modelcontextprotocol/sdk 1.24.0 → 1.25.2 (CVE-2026-0621 ReDoS)
- Upgrade tar 7.4.3 → 7.5.4+ (CVE-2026-23950 race condition)
- Add pnpm overrides for transitive deps:
  - qs <6.14.0 → 6.14.0 (CVE-2025-15284 DoS)
  - systeminformation <5.27.14 → 5.27.14 (CVE-2025-68154 cmd injection)
  - lodash <4.17.23 → 4.17.23 (CVE-2025-13465 prototype pollution)

Note: undici alert #536 dismissed as tolerable_risk (DoS via malicious server response; consumers only connect to trusted servers)
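An added check, not code from the trigger.dev repository, that takes a `pnpm.overrides` map like the one this PR adds and confirms that each override's pinned version sits outside the advisory's affected range (the failure mode is a pin that still falls inside the range it was meant to escape). The advisory ranges are constructed from the ranges listed above; the `qs` selector is spelled as the PR writes it, the `systeminformation` and `lodash` selector spellings are assumed, and `satisfies`, `selectorName` and `checkOverrides` are this example's own names.

```javascript
// Added example, not code from the trigger.dev repository: checks that each pnpm
// override pins a version outside the advisory's affected range. Supports the
// comparator shapes used in this PR: "<X", ">=X <Y" and an exact "X".
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// True when `version` satisfies every comparator in a space-separated range.
function satisfies(version, range) {
  return range.trim().split(/\s+/).every((c) => {
    const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(c);
    if (!m) throw new Error(`unsupported comparator: ${c}`);
    const cmp = compareVersions(version, m[2]);
    switch (m[1] || "=") {
      case ">=": return cmp >= 0;
      case "<=": return cmp <= 0;
      case ">": return cmp > 0;
      case "<": return cmp < 0;
      default: return cmp === 0;
    }
  });
}

// Package name of an override selector; a scope's leading "@" is not the separator.
function selectorName(selector) {
  const at = selector.lastIndexOf("@");
  return at > 0 ? selector.slice(0, at) : selector;
}

// overrides: the `pnpm.overrides` map; advisories: [{ name, vulnerable }].
// Empty result = every advisory has an override whose pin is outside the range.
function checkOverrides(overrides, advisories) {
  const problems = [];
  for (const adv of advisories) {
    const entries = Object.entries(overrides).filter(([sel]) => selectorName(sel) === adv.name);
    if (entries.length === 0) problems.push(`${adv.name}: no override for ${adv.vulnerable}`);
    for (const [sel, pinned] of entries) {
      if (satisfies(pinned, adv.vulnerable)) problems.push(`${sel} -> ${pinned} is still inside ${adv.vulnerable}`);
    }
  }
  return problems;
}

// Constructed inputs from the ranges listed in this PR (selector spellings for
// systeminformation and lodash are assumed; only the qs one is quoted on the page).
const PR_OVERRIDES = { "qs@>=6.0.0 <6.14.0": "6.14.0", "systeminformation@<5.27.14": "5.27.14", "lodash@<4.17.23": "4.17.23" };
const ADVISORIES = [{ name: "qs", vulnerable: "<6.14.0" }, { name: "systeminformation", vulnerable: "<5.27.14" }, { name: "lodash", vulnerable: "<4.17.23" }];
```

Feed it the override map read from package.json and the affected ranges your scanner reports to make the pin-outside-range check a repeatable CI gate rather than a one-off review comment.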
Actionable comments posted: 2
In `@package.json`:
- Around lines 97-100: Update the qs override entry in package.json to pin a non-vulnerable version: replace the existing override `"qs@>=6.0.0 <6.14.0": "6.14.0"` with `"qs@>=6.0.0 <6.14.1": "6.14.1"` so the override satisfies CVE-2025-15284; ensure you only change the qs override string and keep the surrounding formatting consistent with the other overrides.

In `@packages/cli-v3/package.json`:
- Line 86: This package update modifies the public package packages/cli-v3 by bumping the dependency "@modelcontextprotocol/sdk" to ^1.25.2; add a changeset for this public package using the repository guideline (run `pnpm run changeset:add`) and commit the generated changeset file so the release tooling includes this version change for packages/cli-v3 and documents the security upgrade in the changelog.
🧹 Nitpick comments (1)

packages/cli-v3/package.json (1)
- 1-3: Consider adding a changeset for this security update. This package is public and the dependency upgrades address security vulnerabilities. As per coding guidelines, modifications to public packages in `packages/*` should include a changeset (`pnpm run changeset:add`). A `patch` changeset documenting the security fixes would help users track these updates in the changelog.
- Upgrade @modelcontextprotocol/sdk 1.24.0 → 1.25.2 (CVE-2026-0621 ReDoS)
- Upgrade tar 7.4.3 → 7.5.4+ (CVE-2026-23950 race condition)
- Add pnpm overrides for transitive deps:
  - qs <6.14.0 → 6.14.0 (CVE-2025-15284 DoS)
  - systeminformation <5.27.14 → 5.27.14 (CVE-2025-68154 cmd injection)
  - lodash <4.17.23 → 4.17.23 (CVE-2025-13465 prototype pollution)

Note: undici alert #536 dismissed as tolerable_risk (DoS via malicious server response; consumers only connect to trusted servers)

Co-authored-by: nicktrn <55853254+nicktrn@users.noreply.github.com>