Skip to content

fix: upgrade dependencies and fix security vulnerabilities#1474

Open
Optischa wants to merge 5 commits intogperdomor:mainfrom
Optischa:main
Open

fix: upgrade dependencies and fix security vulnerabilities#1474
Optischa wants to merge 5 commits intogperdomor:mainfrom
Optischa:main

Conversation

@Optischa
Copy link
Copy Markdown

@Optischa Optischa commented Apr 15, 2026

Current Behavior

  • Several CVEs in direct dependencies: next (DoS/CSRF), vite (server.fs.deny bypass), handlebars (JS injection), @actions/github (undici CVE via @actions/http-client), oclif (fast-xml-parser CVE)
  • Tests in nx-prisma and nx-graphql-codegen fail in pnpm workspaces because they hardcode npx instead of resolving the actual package manager command
  • TypeScript strict mode rejects the Object.values(Type).includes(value) check in container-metadata
  • ci-context GitHub tests fail with @actions/github v9 because the ESM module initializes its context singleton at load time, before tests set environment variables
  • TeamCity SSH-style git URLs (git@host:path) throw in Node.js v25 due to stricter url.parse() port validation

Expected Behavior

  • No known fixable security vulnerabilities in direct dependencies
  • Tests pass regardless of package manager
  • TypeScript compiles cleanly under strict mode
  • ci-context GitHub tests correctly read environment variables set during test setup
  • TeamCity SSH URLs are parsed correctly on Node.js v25

Related Issue(s)

Fixes #

▎ The "Fixes #" can stay empty or be removed if there's no linked issue. If the repo uses vulnerability tracking issues, link them there.

Optischa added 5 commits April 15, 2026 10:35
@Optischa
chore(deps): upgrade dependencies and fix security vulnerabilities
42e1855 
- Bump next 16.1.x → 16.2.3 (DoS/CSRF CVEs) across all packages
- Bump vite 7.3.1 → 7.3.2 (server.fs.deny bypass)
- Bump handlebars ^4.7.8 → ^4.7.9 (JS injection CVE)
- Bump @actions/github ^6.0.1 → ^9.1.0 (undici CVE)
- Bump oclif 4.22.73 → 4.23.0 (fast-xml-parser CVE)
- Update packageManager to pnpm@10.33.0
- Run pnpm dedupe to remove nx@22.5.3 duplicate
- Disable nx analytics
@Optischa
fix(ci-context): fix compatibility with @actions/github v9 and Node.j…
70dbf49 
…s v25

- Read process.env directly instead of using github.context singleton
  (v9 ESM module initializes context at load time, before tests set env vars)
- Normalize SSH-style git URLs before url.parse() to avoid Node.js v25
  strict port validation throwing on git@host:path format
@Optischa
fix(container-metadata): fix type narrowing for Type enum check
bc702b8 
Cast Object.values(Type) to string[] so TypeScript strict mode accepts
the includes() call with a string argument, then cast the validated
value as Type.
@Optischa
test(nx-graphql-codegen): use package manager command instead of hard…
dff34d8 
…coded npx

Resolve the binary and args dynamically via getPackageManagerCommand()
so tests pass in pnpm workspaces where the executor uses pnpm exec.
@Optischa
test(nx-prisma): use package manager command instead of hardcoded npx
365c100 
Resolve the binary and args dynamically via getPackageManagerCommand()
so tests pass in pnpm workspaces where the executor uses pnpm exec.
@Optischa Optischa requested a review from gperdomor as a code owner April 15, 2026 08:42
@vercel
Copy link
Copy Markdown
Contributor

vercel bot commented Apr 15, 2026

@Optischa is attempting to deploy a commit to the Gustavo Perdomo's projects Team on Vercel.

A member of the Team first needs to authorize it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gperdomor gperdomor Awaiting requested review from gperdomor gperdomor is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Optischa