Conversation

@github-actions (Contributor)

This is an automated pull request to merge daniel/bun-bro into dev.
It was created by the [Auto Pull Request] action.

@vercel

vercel bot commented Nov 19, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project   Deployment   Preview   Comments   Updated (UTC)
app       Ready        Preview   Comment    Nov 19, 2025 6:39pm
portal    Ready        Preview   Comment    Nov 19, 2025 6:39pm

@comp-ai-code-review

comp-ai-code-review bot commented Nov 19, 2025

🔒 Comp AI - Security Review

🟡 Risk Level: MEDIUM

OSV scan: xlsx@0.18.5 has 2 HIGH issues (Prototype Pollution GHSA-4r6h-8v6p-xvw6, ReDoS GHSA-5pgg-2g8v-p4x9). ai@5.0.0 has 1 LOW issue (GHSA-rwvc-j5jr-mgvh, fixed in 5.0.52). No hardcoded creds or injection findings in submitted files.


📦 Dependency Vulnerabilities

🟠 NPM Packages (HIGH)

Risk Score: 8/10 | Summary: 2 high, 1 low CVEs found

Package   Version   CVE                    Severity   CVSS   Summary                                                                        Fixed In
xlsx      0.18.5    GHSA-4r6h-8v6p-xvw6    HIGH       N/A    Prototype Pollution in sheetJS                                                 No fix yet
xlsx      0.18.5    GHSA-5pgg-2g8v-p4x9    HIGH       N/A    SheetJS Regular Expression Denial of Service (ReDoS)                           No fix yet
ai        5.0.0     GHSA-rwvc-j5jr-mgvh    LOW        N/A    Vercel's AI SDK's filetype whitelists can be bypassed when uploading files     5.0.52

🛡️ Code Security Analysis

✅ No security issues detected in code changes.


💡 Recommendations

  1. Upgrade ai from 5.0.0 to >=5.0.52 in package.json and the lockfile to apply the GHSA-rwvc-j5jr-mgvh fix.
  2. Upgrade xlsx (currently 0.18.5) to a release that addresses GHSA-4r6h-8v6p-xvw6 and GHSA-5pgg-2g8v-p4x9; update package.json and the lockfile and run the test suite.
  3. Audit code locations that parse user-supplied files with xlsx/ai and add input validation/size limits or sanitize inputs before parsing (e.g., reject oversized files, validate file types) to reduce exploitation surface.

Powered by Comp AI - AI that handles compliance for you. Reviewed Nov 19, 2025

@Marfuen Marfuen merged commit a0dec65 into main Nov 19, 2025
9 checks passed
@Marfuen Marfuen deleted the daniel/bun-bro branch November 19, 2025 18:45
@claudfuen (Contributor)

🎉 This PR is included in version 1.60.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
