Conversation
|
@modelcontextprotocol/client
@modelcontextprotocol/server
@modelcontextprotocol/express
@modelcontextprotocol/hono
@modelcontextprotocol/node
commit: |
![claude[bot]](https://avatars.githubusercontent.com/in/1236702?s=60&v=4){kind=small}
There was a problem hiding this comment.
LGTM, straightforward dependency version bumps and pnpm overrides for security audit fixes.
Extended reasoning...
Overview
This PR addresses npm audit findings by bumping better-auth from ^1.4.17 to ^1.4.22 in two example packages, moving the strip-ansi resolution from root package.json to pnpm-workspace.yaml overrides, and adding ~17 new pnpm overrides to pin vulnerable transitive dependencies (ajv, brace-expansion, flatted, hono, minimatch, picomatch, qs, rollup, undici, yaml, etc.) to patched versions. The lockfile updates reflect these changes. A few packages are added to minimumReleaseAgeExclude to bypass the 7-day age gate for security patches.
Security risks
This PR reduces security risk by fixing known vulnerabilities in transitive dependencies. No new security concerns are introduced — the overrides constrain version ranges to known-safe versions.
Level of scrutiny
Low scrutiny is appropriate. This is a purely mechanical change to dependency configuration files (package.json, pnpm-workspace.yaml, pnpm-lock.yaml). No source code is modified. The pattern is well-established and this is explicitly a sibling PR to #1780 which did the same on another branch.
Other factors
No changesets are needed since this is a chore PR with no library code changes. No human reviewers have commented yet, but the changes are entirely in dependency management files with no ambiguity in intent or implementation.
felixweinberger
force-pushed
the
fweinberger/v2-pnpm-audit-fix
branch
from
12f6ab1 to
cb0578c
Compare
There was a problem hiding this comment.
LGTM — mechanical security audit overrides and dependency bumps, no source code changes.
Extended reasoning...
Overview
This PR addresses npm/pnpm audit findings by: (1) bumping better-auth from ^1.4.17 to ^1.4.22 in two private example packages, (2) moving the existing strip-ansi resolution from root package.json resolutions to pnpm-workspace.yaml overrides, and (3) adding 17 new pnpm overrides targeting specific vulnerable version ranges (ajv, brace-expansion, express-rate-limit, flatted, hono, markdown-it, minimatch, picomatch, qs, rollup, undici, yaml). The lockfile changes are the mechanical consequence of these overrides.
Security risks
The PR reduces security risk by pinning transitive dependencies to patched versions. No new attack surface is introduced by the source-level changes. The one minor observation is that better-auth ^1.4.22 resolved to 1.5.5 in the lockfile, which bundles a mongo adapter and pulls in mongodb@7.1.0 transitively — unnecessary since the examples only use better-sqlite3. This is flagged as a nit inline comment but has no security impact since these are private, unpublished example packages.
Level of scrutiny
Low scrutiny is appropriate. This is a config-only change — no application logic, no API changes, no auth code modified. The overrides follow a clear pattern (vulnerable range → fixed version) and the lockfile diffs are consistent with the declared overrides.
Other factors
No outstanding reviewer comments. No changeset needed (chore, no version bump). The sibling PR #1780 is referenced for context. CI appears to have run successfully based on the pkg-pr-new bot comment.
felixweinberger
force-pushed
the
fweinberger/v2-pnpm-audit-fix
branch
from
cb0578c to
002124e
Compare
felixweinberger
force-pushed
the
fweinberger/v2-pnpm-audit-fix
branch
from
002124e to
f1a3506
Compare
Address npm audit. Sibling to #1780. Lockfile-only regen — existing ^-ranges already allowed patched versions, the lockfile was just pinning stale resolutions. pnpm audit: 45 → 0 vulnerabilities.
felixweinberger
force-pushed
the
fweinberger/v2-pnpm-audit-fix
branch
from
f1a3506 to
a0cbc68
Compare
|
@claude review |
There was a problem hiding this comment.
LGTM — lockfile-only regeneration for audit fixes.
Extended reasoning...
Overview
This PR modifies only pnpm-lock.yaml (1486 insertions, 1290 deletions), which is an auto-generated lockfile. The commit message is "chore(v2): pnpm audit fix — regenerate lockfile" and the PR description says it's a sibling to #1780. No source code, configuration, or package.json files are changed in this PR.
Security risks
None introduced by this PR. The purpose of the change is to address security audit findings by regenerating the lockfile to pick up patched dependency versions. The lockfile is deterministic and auto-generated by pnpm.
Level of scrutiny
Low scrutiny appropriate. Lockfile changes are mechanical outputs of the package manager. There is no human-authored logic to review. The diff is large (2776 lines) but this is typical for lockfile regenerations when transitive dependencies shift.
Other factors
My two previous inline comments (about better-auth resolving to 1.5.5 with unnecessary MongoDB deps, and hono catalog entries not matching overrides) are both marked as resolved. No new commits have been pushed since those comments. The bug hunting system found no issues. This is a routine maintenance PR that only touches an auto-generated file.
1 participant
Address npm audit. Sibling to #1780.