
security: vulnerability remediation#129

Open
kernel-internal[bot] wants to merge 1 commit into main from security/vuln-remediation

Conversation

kernel-internal[bot] commented Jun 17, 2026

Contributor

Vulnerability Remediation

This PR was generated by the Socket-centric vulnerability remediation workflow. Review the planned dependency changes and confirmation evidence before merging.

Fixed

| CVE/GHSA | Package | Ecosystem | Old Version | New Version | Manifest | Confirmation |
| --- | --- | --- | --- | --- | --- | --- |
| GHSA-2g4f-4pwh-qvx6 | ajv, eslint | None | 9.39.1 | 6.14.0 | | confirmed |

Not Included

  • Deferred by batch limit: 6 advisories. They will be considered by future runs.
  • Other deferred scanner findings: 2.
  • Unconfirmed attempted fixes: 0.
Deferred details

| CVE/GHSA | Package | Reason |
| --- | --- | --- |
| Unavailable from detector | commander | Non-CVE alert is not handled by dependency remediation. |
| Unavailable from detector | highlight.js | Non-CVE alert is not handled by dependency remediation. |

Note

Low Risk
Lockfile-only transitive dependency bump for a known advisory; no app logic or API changes.

Overview
Security patch for ajv (GHSA-2g4f-4pwh-qvx6) via a lockfile-only update: resolved ajv@^6.12.4 moves from 6.12.6 to 6.14.0.

No application source changes—only yarn.lock. The affected copy is pulled in through the ESLint stack (@eslint/eslintrc / eslint), which uses AJV v6 for JSON Schema validation in config.

Reviewed by Cursor Bugbot for commit 7c3b0bc. Bugbot is set up for automated code reviews on this repo.

@firetiger-agent


Created a monitoring plan for this PR.

What this PR does: Removes a known vulnerable build-time dependency (ajv 6.12.6) from the Node SDK's dev toolchain by upgrading it to 6.14.0. This does not affect the published @onkernel/sdk package that developers install — ajv is only used internally by ESLint during CI.

Intended effect:

  • GHSA-2g4f-4pwh-qvx6 remediated: yarn.lock resolves ajv@^6.12.4 to 6.14.0 (was 6.12.6); confirmed when yarn.lock entry shows the new hash post-merge
  • CI lint/build/test: baseline = all three jobs pass on main; confirmed if all three jobs pass on this commit (no ESLint/schema validation regressions)

Risks:

  • ESLint schema incompatibility: ajv minor bump within 6.x is low-risk but eslint plugins could break; alert if the CI lint job fails with an ajv-related error on commit 7c3b0bc
  • Unintended publish: ajv is dev-only; the published npm artifact should be unchanged; alert if publish-npm.yml is triggered unexpectedly as part of this PR merge

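One way to check the first "Intended effect" bullet above before merging, namely that yarn.lock resolves the `ajv@^6.12.4` key to the fixed version and still carries an integrity hash. This is an added example, not code from this PR or the repository; the lockfile text is a constructed sample and its hash values are placeholders.

```javascript
// Added example (not from this PR or the repository): confirm that a yarn.lock v1
// entry resolves to at least the advisory's fixed version. The lockfile text is a
// constructed sample mirroring the bump described above; hash values are placeholders.
const SAMPLE_YARN_LOCK = `# yarn lockfile v1
ajv@^6.12.4:
  version "6.14.0"
  resolved "https://registry.yarnpkg.com/ajv/-/ajv-6.14.0.tgz#PLACEHOLDER_SHA1"
  integrity sha512-PLACEHOLDER
  dependencies:
    fast-deep-equal "^3.1.1"
`;

// Parse a v1 lockfile into { "<name>@<range>": { version, integrity } }. A header
// line (no indent) lists comma-separated keys, optionally quoted, ending in ':'.
function parseYarnLockV1(text) {
  const entries = {};
  let current = null;
  for (const raw of text.split("\n")) {
    if (!raw.trim() || raw.startsWith("#")) continue;
    if (!raw.startsWith(" ")) {
      current = { version: null, integrity: null };
      for (const k of raw.replace(/:\s*$/, "").split(",")) {
        entries[k.trim().replace(/^"|"$/g, "")] = current;
      }
    } else if (current) {
      const m = raw.trim().match(/^(version|integrity) "?([^"]+)"?$/);
      if (m) current[m[1]] = m[2];
    }
  }
  return entries;
}

// Numeric comparison of dotted versions (no prerelease tags in these entries).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Returns { ok, version }; ok only if the key resolves to >= fixedVersion and the
// entry carries an integrity hash (a missing hash is itself a review finding).
function checkRemediated(lockText, key, fixedVersion) {
  const entry = parseYarnLockV1(lockText)[key];
  if (!entry || !entry.version) return { ok: false, version: null };
  const ok = compareVersions(entry.version, fixedVersion) >= 0 && Boolean(entry.integrity);
  return { ok, version: entry.version };
}
```

Run it against the real yarn.lock from the PR branch by reading the file into `checkRemediated` in place of the sample; a result of `ok: false` on the pre-merge lockfile and `ok: true` afterwards is the confirmation the monitoring plan asks for.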
