From 730771fb503fd91974c1494944cd5426cf74a552 Mon Sep 17 00:00:00 2001 From: Laurin Date: Fri, 17 Apr 2026 08:34:37 +0200 Subject: [PATCH] fix: address vulnerabilities 2026-04-17 (#7993) Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --- .changeset/all-pumas-shine.md | 5 +++ .changeset/chilly-ducks-check.md | 5 +++ .changeset/dull-mails-deny.md | 5 +++ .changeset/few-rules-accept.md | 5 +++ .changeset/slow-eyes-fly.md | 5 +++ packages/web/app/package.json | 2 +- pnpm-lock.yaml | 52 +++++++++++++------------------- 7 files changed, 47 insertions(+), 32 deletions(-) create mode 100644 .changeset/all-pumas-shine.md create mode 100644 .changeset/chilly-ducks-check.md create mode 100644 .changeset/dull-mails-deny.md create mode 100644 .changeset/few-rules-accept.md create mode 100644 .changeset/slow-eyes-fly.md diff --git a/.changeset/all-pumas-shine.md b/.changeset/all-pumas-shine.md new file mode 100644 index 000000000..40ea9ebf2 --- /dev/null +++ b/.changeset/all-pumas-shine.md @@ -0,0 +1,5 @@ +--- +'hive': patch +--- + +Address vulnerability [GHSA-72c6-fx6q-fr5w](https://github.com/advisories/GHSA-72c6-fx6q-fr5w). diff --git a/.changeset/chilly-ducks-check.md b/.changeset/chilly-ducks-check.md new file mode 100644 index 000000000..2ae5d1888 --- /dev/null +++ b/.changeset/chilly-ducks-check.md @@ -0,0 +1,5 @@ +--- +'hive': patch +--- + +Address vulnerability [GHSA-v9ww-2j6r-98q6](https://github.com/advisories/GHSA-v9ww-2j6r-98q6). diff --git a/.changeset/dull-mails-deny.md b/.changeset/dull-mails-deny.md new file mode 100644 index 000000000..b1f282465 --- /dev/null +++ b/.changeset/dull-mails-deny.md @@ -0,0 +1,5 @@ +--- +'hive': patch +--- + +Address vulnerability [GHSA-xq3m-2v4x-88gg](https://github.com/advisories/GHSA-xq3m-2v4x-88gg). diff --git a/.changeset/few-rules-accept.md b/.changeset/few-rules-accept.md new file mode 100644 index 000000000..97d5baac1 --- /dev/null +++ b/.changeset/few-rules-accept.md @@ -0,0 +1,5 @@ +--- +'hive': patch +--- + +Address vulnerability [CVE-2026-6414](https://github.com/advisories/GHSA-x428-ghpx-8j92). diff --git a/.changeset/slow-eyes-fly.md b/.changeset/slow-eyes-fly.md new file mode 100644 index 000000000..0e3f52a83 --- /dev/null +++ b/.changeset/slow-eyes-fly.md @@ -0,0 +1,5 @@ +--- +'hive': patch +--- + +Address vulnerability [CVE-2026-6410](https://github.com/advisories/GHSA-pr96-94w5-mx2h). diff --git a/packages/web/app/package.json b/packages/web/app/package.json index 7090cd09e..faaa2c101 100644 --- a/packages/web/app/package.json +++ b/packages/web/app/package.json @@ -18,7 +18,7 @@ "@dnd-kit/sortable": "^10.0.0", "@dnd-kit/utilities": "^3.2.2", "@fastify/cors": "11.2.0", - "@fastify/static": "9.0.0", + "@fastify/static": "9.1.1", "@fastify/vite": "8.4.1", "@graphiql/plugin-explorer": "4.0.0-alpha.2", "@graphiql/react": "1.0.0-alpha.4", diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index ee292725c..90ee0e741 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -2091,8 +2091,8 @@ importers: specifier: 11.2.0 version: 11.2.0 '@fastify/static': - specifier: 9.0.0 - version: 9.0.0 + specifier: 9.1.1 + version: 9.1.1 '@fastify/vite': specifier: 8.4.1 version: 8.4.1(patch_hash=e8a5462aec0a3469c38194575103f133a08f9b9e5031545d44661a12b80e4b0a)(fastify@5.8.5)(vite@7.3.2(@types/node@25.5.0)(jiti@2.6.1)(less@4.2.0)(lightningcss@1.31.1)(terser@5.37.0)(tsx@4.19.2)(yaml@2.8.3)) @@ -4058,8 +4058,8 @@ packages: '@fastify/merge-json-schemas@0.2.1': resolution: {integrity: sha512-OA3KGBCy6KtIvLf8DINC5880o5iBlDX4SxzLQS8HorJAbqluzLRn80UXU0bxZn7UOFhFgpRJDasfwn9nG4FG4A==} - '@fastify/middie@9.3.1': - resolution: {integrity: sha512-5uvKKF5zkocgsSiTyBU7AW2LmQ1Fwn4MNJ/8bORAuFwsQ0hqHjtpYaPqO79BkP4aqH5T7P3F2gJ3b3kerAIk7A==} + '@fastify/middie@9.3.2': + resolution: {integrity: sha512-5C3xMHJxpfqoHd+xZSHPBI71fpzkoF6wMsYtgzXRyQUNvsIAxJm2yY4r2fUjF0h3rS9MXlo/aXLaXv3s4TL+JQ==} '@fastify/proxy-addr@5.1.0': resolution: {integrity: sha512-INS+6gh91cLUjB+PVHfu1UqcB76Sqtpyp7bnL+FYojhjygvOPA9ctiD/JDKsyD9Xgu4hUhCSJBPig/w7duNajw==} @@ -4067,8 +4067,8 @@ packages: '@fastify/send@4.1.0': resolution: {integrity: sha512-TMYeQLCBSy2TOFmV95hQWkiTYgC/SEx7vMdV+wnZVX4tt8VBLKzmH8vV9OzJehV0+XBfg+WxPMt5wp+JBUKsVw==} - '@fastify/static@9.0.0': - resolution: {integrity: sha512-r64H8Woe/vfilg5RTy7lwWlE8ZZcTrc3kebYFMEUBrMqlydhQyoiExQXdYAy2REVpST/G35+stAM8WYp1WGmMA==} + '@fastify/static@9.1.1': + resolution: {integrity: sha512-LHxFea3qdwe0Pbbkh/yux7/k6nFNLGTNcbLKVYgmRDB6LdDE/8TFSO7qWZ0IzM/nF6iwR8W03oFlwe4v79R1Ow==} '@fastify/vite@8.4.1': resolution: {integrity: sha512-phfSE+GPL0hvFOPDRVCIk2y24elodtSKDbTodddQ8dxxNIhLzz90afSSOPTabOu3QiofJyOhJi/IvemXGnVJ3A==} @@ -11178,8 +11178,8 @@ packages: resolution: {integrity: sha512-ZCQ9GEWl73BVm8bu5Fts8nt7MHdbt5vY9bP6WGnUh+r3l8M7CgfyTlwsgCbMC66BNxPr6Xoce3j66Ms5YUQTNA==} hasBin: true - basic-ftp@5.2.2: - resolution: {integrity: sha512-1tDrzKsdCg70WGvbFss/ulVAxupNauGnOlgpyjKzeQxzyllBLS0CGLV7tjIXTK3ZQA9/FBEm9qyFFN1bciA6pw==} + basic-ftp@5.3.0: + resolution: {integrity: sha512-5K9eNNn7ywHPsYnFwjKgYH8Hf8B5emh7JKcPaVjjrMJFQQwGpwowEnZNEtHs7DfR7hCZsmaK3VA4HUK0YarT+w==} engines: {node: '>=10.0.0'} bcp-47-match@2.0.3: @@ -13361,10 +13361,6 @@ packages: deprecated: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me hasBin: true - glob@13.0.0: - resolution: {integrity: sha512-tvZgpqk6fz4BaNZ66ZsRaZnbHvP/jG3uKJvAZOwEVUL4RTA5nJeeLYfyN9/VA8NX/V3IBG+hkeuGpKjvELkVhA==} - engines: {node: 20 || >=22} - glob@13.0.6: resolution: {integrity: sha512-Wjlyrolmm8uDpm/ogGyXZXb1Z+Ca2B8NbJwqBVg0axK9GbBeoS7yGV6vjXnYdGm6X53iehEuxxbyiKp8QmN4Vw==} engines: {node: 18 || 20 || >=22} @@ -16674,8 +16670,8 @@ packages: proto-list@1.2.4: resolution: {integrity: sha512-vtK/94akxsTMhe0/cbfpR+syPuszcuwhqVjJq26CuNDgFGj682oRBXOP5MJpv2r7JtE8MsiepGIqvvOTBwn2vA==} - protobufjs@7.4.0: - resolution: {integrity: sha512-mRUWCc3KUU4w1jU8sGxICXH/gNS94DvI1gxqDvBzhj1JpcsimQkYiOJfwsPUykUI5ZaspFbSgmBLER8IrQ3tqw==} + protobufjs@7.5.5: + resolution: {integrity: sha512-3wY1AxV+VBNW8Yypfd1yQY9pXnqTAN+KwQxL8iYm3/BjKYMNg4i0owhEe26PWDOMaIrzeeF98Lqd5NGz4omiIg==} engines: {node: '>=12.0.0'} proxy-addr@2.0.7: @@ -22082,7 +22078,7 @@ snapshots: dependencies: dequal: 2.0.3 - '@fastify/middie@9.3.1': + '@fastify/middie@9.3.2': dependencies: '@fastify/error': 4.2.0 fastify-plugin: 5.1.0 @@ -22103,20 +22099,20 @@ snapshots: http-errors: 2.0.1 mime: 3.0.0 - '@fastify/static@9.0.0': + '@fastify/static@9.1.1': dependencies: '@fastify/accept-negotiator': 2.0.1 '@fastify/send': 4.1.0 content-disposition: 1.0.1 fastify-plugin: 5.1.0 fastq: 1.19.1 - glob: 13.0.0 + glob: 13.0.6 '@fastify/vite@8.4.1(patch_hash=e8a5462aec0a3469c38194575103f133a08f9b9e5031545d44661a12b80e4b0a)(fastify@5.8.5)(vite@7.3.2(@types/node@25.5.0)(jiti@2.6.1)(less@4.2.0)(lightningcss@1.31.1)(terser@5.37.0)(tsx@4.19.2)(yaml@2.8.3))': dependencies: '@fastify/deepmerge': 3.2.0 - '@fastify/middie': 9.3.1 - '@fastify/static': 9.0.0 + '@fastify/middie': 9.3.2 + '@fastify/static': 9.1.1 fastify: 5.8.5 fastify-plugin: 5.1.0 fs-extra: 11.3.3 @@ -25322,7 +25318,7 @@ snapshots: dependencies: lodash.camelcase: 4.3.0 long: 5.2.3 - protobufjs: 7.4.0 + protobufjs: 7.5.5 yargs: 17.7.2 '@hapi/address@5.1.1': @@ -27176,7 +27172,7 @@ snapshots: '@opentelemetry/sdk-logs': 0.208.0(@opentelemetry/api@1.9.0) '@opentelemetry/sdk-metrics': 2.2.0(@opentelemetry/api@1.9.0) '@opentelemetry/sdk-trace-base': 2.2.0(@opentelemetry/api@1.9.0) - protobufjs: 7.4.0 + protobufjs: 7.5.5 '@opentelemetry/propagator-b3@1.30.0(@opentelemetry/api@1.9.0)': dependencies: @@ -32462,7 +32458,7 @@ snapshots: baseline-browser-mapping@2.9.4: {} - basic-ftp@5.2.2: {} + basic-ftp@5.3.0: {} bcp-47-match@2.0.3: {} @@ -33647,7 +33643,7 @@ snapshots: '@grpc/grpc-js': 1.12.5 '@grpc/proto-loader': 0.7.13 docker-modem: 5.0.6 - protobufjs: 7.4.0 + protobufjs: 7.5.5 tar-fs: 2.1.4 uuid: 10.0.0 transitivePeerDependencies: @@ -35053,7 +35049,7 @@ snapshots: get-uri@6.0.5: dependencies: - basic-ftp: 5.2.2 + basic-ftp: 5.3.0 data-uri-to-buffer: 6.0.2 debug: 4.4.3(supports-color@8.1.1) transitivePeerDependencies: @@ -35094,12 +35090,6 @@ snapshots: package-json-from-dist: 1.0.1 path-scurry: 1.11.1 - glob@13.0.0: - dependencies: - minimatch: 10.2.4 - minipass: 7.1.3 - path-scurry: 2.0.2 - glob@13.0.6: dependencies: minimatch: 10.2.4 @@ -39160,7 +39150,7 @@ snapshots: proto-list@1.2.4: {} - protobufjs@7.4.0: + protobufjs@7.5.5: dependencies: '@protobufjs/aspromise': 1.1.2 '@protobufjs/base64': 1.1.2