
fix: resolve all 13 Dependabot security alerts#34

Open
tonyoconnell wants to merge 1 commit intomainfrom
fix/dependabot-security-alerts

Conversation

@tonyoconnell
Collaborator

Summary

  • Bump yaml 2.8.2→2.8.3 in packages/cli (stack overflow via nested collections)
  • Bump @modelcontextprotocol/sdk 1.26.0→1.28.0 in packages/mcp, which pulls:
    • hono 4.12.2→4.12.9 (prototype pollution, file access, cookie/SSE injection)
    • @hono/node-server 1.19.9→1.19.11 (auth bypass via encoded slashes)
    • express-rate-limit 8.2.1→8.3.1 (IPv4-mapped IPv6 rate limit bypass)
  • All patch-level bumps, no breaking changes
  • npm audit returns 0 vulnerabilities, build passes clean

Test plan

  • npm audit — 0 vulnerabilities
  • npm run build — passes
  • Verify MCP server starts correctly
  • Verify CLI commands work

🤖 Generated with Claude Code

Bump yaml (2.8.2→2.8.3), @modelcontextprotocol/sdk (1.26.0→1.28.0)
which pulls hono (4.12.2→4.12.9), @hono/node-server (1.19.9→1.19.11),
and express-rate-limit (8.2.1→8.3.1). All patch-level updates.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
