Thanks to visit codestin.com
Credit goes to github.com

Skip to content

chore(typescript): fix pnpm audit vulnerabilities and regenerate lockfile#1810

Draft
cursor[bot] wants to merge 1 commit into
mainfrom
cursor/workspace-npm-audit-5abf
Draft

chore(typescript): fix pnpm audit vulnerabilities and regenerate lockfile#1810
cursor[bot] wants to merge 1 commit into
mainfrom
cursor/workspace-npm-audit-5abf

Conversation

@cursor

@cursor cursor Bot commented Jun 28, 2026

Copy link
Copy Markdown

Language / Project Scope

  • TypeScript
  • CI/CD or tooling

Changes

Resolve 17 pnpm audit vulnerabilities across the TypeScript monorepo by tightening root pnpm overrides and regenerating pnpm-lock.yaml. No breaking major-version upgrades.

Review Readiness

  • The PR is scoped to one issue or one clearly related change
  • The PR description explains the user-visible problem and the fix
  • The diff avoids unrelated formatting, generated files, and bulk rewrites
  • I verified the affected package/docs path with the commands listed below
  • I checked for existing open PRs that already solve the same issue

Implementation Details

  1. Updated root pnpm.overrides for patched transitive deps:
    • shell-quote >=1.8.4, form-data >=4.0.6, hono >=4.12.25
    • brace-expansion / @isaacs/brace-expansion >=5.0.6
    • joi >=18.2.1, protobufjs >=7.6.3 <8
    • js-yaml >=4.2.0 <5 (fixed OR override that still allowed 4.1.1)
    • @opentelemetry/core >=2.8.0, dompurify >=3.4.11
    • @babel/core >=7.29.6 <8 (avoided accidental v8 resolution)
  2. Added js-yaml to minimumReleaseAgeExclude so the security patch can install before the 3-day release-age gate.
  3. Bumped @mcp-use/inspector direct hono dep to ^4.12.25.
  4. Regenerated libraries/typescript/pnpm-lock.yaml.

TypeScript Checklist

Packages Modified

  • inspector

Pre-commit Checklist

  • Ran pnpm auditNo known vulnerabilities found
  • Ran pnpm changeset to create a changeset

Testing

  • pnpm install --no-frozen-lockfile in libraries/typescript
  • pnpm audit in workspace root and packages/inspector — clean
  • Verified resolved versions stay on compatible semver lines (js-yaml 4.3.0, @babel/core 7.29.7, hono 4.12.27)

Backwards Compatibility

Fully backwards compatible. All updates are patch/minor security fixes within existing semver ranges. Explicit caps prevent accidental js-yaml v5 or @babel/core v8 upgrades.

Related Issues

Scheduled cron audit maintenance.

Open in Web View Automation 

…file

Tighten root pnpm overrides for 17 transitive dependency advisories:
- shell-quote, form-data, hono, brace-expansion, joi, protobufjs
- js-yaml, @opentelemetry/core, dompurify, @babel/core

Cap js-yaml to v4.x and @babel/core to v7.x to avoid breaking majors.
Exclude js-yaml from minimumReleaseAge for the security patch.
Bump inspector hono direct dep to ^4.12.25.

Co-authored-by: Enrico Toniato <[email protected]>
@pkg-pr-new

pkg-pr-new Bot commented Jun 28, 2026

Copy link
Copy Markdown

Open in StackBlitz

npm i https://pkg.pr.new/@mcp-use/cli@1810
npm i https://pkg.pr.new/create-mcp-use-app@1810
npm i https://pkg.pr.new/@mcp-use/inspector@1810
npm i https://pkg.pr.new/mcp-use@1810

commit: 648bdfe

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant