From ae945b19e185fadd87290eba00e73e602a780c49 Mon Sep 17 00:00:00 2001
From: Derek Bouius
Date: Fri, 12 Jun 2026 13:22:07 -0400
Subject: [PATCH] fix(deps): resolve Dependabot alerts for transitive deps
Clears all 14 open Dependabot alerts. All four flagged packages are transitive deps pulled in via @modelcontextprotocol/sdk, fixed with patch/minor bumps:
- fast-uri 3.1.0 -> 3.1.2 (high; via ajv)
- hono 4.12.12 -> 4.12.25 (medium/low; via @hono/node-server)
- qs 6.15.0 -> 6.15.2 (medium; via express/body-parser)
- ip-address 10.1.0 -> 10.1.1 (medium; via express-rate-limit)
fast-uri, hono and qs update cleanly via `npm update`. express-rate-limit pins ip-address to exactly 10.1.0, so an `overrides` entry forces the patched 10.1.1 (a patch release, API-compatible). `npm audit` now reports 0 vulnerabilities; build passes.
---
 package-lock.json | 24 ++++++++++++------------
 package.json | 3 +++
 2 files changed, 15 insertions(+), 12 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index f81d337..89f38fd 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1451,9 +1451,9 @@
 "dev": true
 },
 "node_modules/fast-uri": {
- "version": "3.1.0",
- "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.0.tgz",
- "integrity": "sha512-iPeeDKJSWf4IEOasVVrknXpaBV0IApz/gp7S2bb7Z4Lljbl2MGJRqInZiUrQwV16cpzw/D3S5j5Julj/gT52AA==",
+ "version": "3.1.2",
+ "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.2.tgz",
+ "integrity": "sha512-rVjf7ArG3LTk+FS6Yw81V1DLuZl1bRbNrev6Tmd/9RaroeeRRJhAt7jg/6YFxbvAQXUCavSoZhPPj6oOx+5KjQ==",
 "funding": [
 {
 "type": "github",
@@ -1771,9 +1771,9 @@
 }
 },
 "node_modules/hono": {
- "version": "4.12.12",
- "resolved": "https://registry.npmjs.org/hono/-/hono-4.12.12.tgz",
- "integrity": "sha512-p1JfQMKaceuCbpJKAPKVqyqviZdS0eUxH9v82oWo1kb9xjQ5wA6iP3FNVAPDFlz5/p7d45lO+BpSk1tuSZMF4Q==",
+ "version": "4.12.25",
+ "resolved": "https://registry.npmjs.org/hono/-/hono-4.12.25.tgz",
+ "integrity": "sha512-2NFaIyNVgJmBs/ecmtGzlmluTFs5cHEWGTdu0t1HBwYzoGXOL5nUQBRMXsXWla5i4KkG//QMzVP88m1+I3fdAQ==",
 "license": "MIT",
 "engines": {
 "node": ">=16.9.0"
@@ -1873,9 +1873,9 @@
 }
 },
 "node_modules/ip-address": {
- "version": "10.1.0",
- "resolved": "https://registry.npmjs.org/ip-address/-/ip-address-10.1.0.tgz",
- "integrity": "sha512-XXADHxXmvT9+CRxhXg56LJovE+bmWnEWB78LB83VZTprKTmaC5QfruXocxzTZ2Kl0DNwKuBdlIhjL8LeY8Sf8Q==",
+ "version": "10.1.1",
+ "resolved": "https://registry.npmjs.org/ip-address/-/ip-address-10.1.1.tgz",
+ "integrity": "sha512-1FMu8/N15Ck1BL551Jf42NYIoin2unWjLQ2Fze/DXryJRl5twqtwNHlO39qERGbIOcKYWHdgRryhOC+NG4eaLw==",
 "license": "MIT",
 "engines": {
 "node": ">= 12"
@@ -2531,9 +2531,9 @@
 }
 },
 "node_modules/qs": {
- "version": "6.15.0",
- "resolved": "https://registry.npmjs.org/qs/-/qs-6.15.0.tgz",
- "integrity": "sha512-mAZTtNCeetKMH+pSjrb76NAM8V9a05I9aBZOHztWy/UqcJdQYNsf59vrRKWnojAT9Y+GbIvoTBC++CPHqpDBhQ==",
+ "version": "6.15.2",
+ "resolved": "https://registry.npmjs.org/qs/-/qs-6.15.2.tgz",
+ "integrity": "sha512-Rzq0KEyX/w/tEybncDgdkZrJgVUsUMk3xjh3t5bv3S1HTAtg+uOYt72+ZfwiQwKdysThkTBdL/rTi6HDmX9Ddw==",
 "license": "BSD-3-Clause",
 "dependencies": {
 "side-channel": "^1.1.0"
diff --git a/package.json b/package.json
index 238d9e0..15ce1d7 100644
--- a/package.json
+++ b/package.json
@@ -22,6 +22,9 @@
 "release": "npm run build && npm publish"
 },
 "license": "ISC",
+ "overrides": {
+ "ip-address": "10.1.1"
+ },
 "dependencies": {
 "@modelcontextprotocol/sdk": "^1.29.0",
 "@vectorize-io/vectorize-client": "^0.1.3",
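Review bot: The `overrides` block added to package.json is honored by npm only when this project is the root of the install, and the context line `"release": "npm run build && npm publish"` suggests the package is also published for others to install. In that case a consumer's install would presumably still resolve the exact `ip-address` 10.1.0 pin that the commit message attributes to express-rate-limit, and package-lock.json is not part of a published tarball either, so this change remediates the repository's own installs and CI rather than downstream ones. If downstream exposure matters, track the upstream release that lifts the pin and remove the override once it lands, since a stale override will keep forcing 10.1.1 even after a newer fixed version is available. The entry is also global and exact; scoping it as `"express-rate-limit": { "ip-address": "10.1.1" }` would confine it to the dependency path that actually needs it.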