Thanks to visit codestin.com
Credit goes to github.com

Skip to content

fix(typescript): resolve 17 pnpm audit vulnerabilities via overrides#1812

Draft
cursor[bot] wants to merge 1 commit into
mainfrom
cursor/workspace-npm-audit-a5c3
Draft

fix(typescript): resolve 17 pnpm audit vulnerabilities via overrides#1812
cursor[bot] wants to merge 1 commit into
mainfrom
cursor/workspace-npm-audit-a5c3

Conversation

@cursor

@cursor cursor Bot commented Jun 29, 2026

Copy link
Copy Markdown

Language / Project Scope

  • TypeScript
  • CI/CD or tooling

Changes

Updated root pnpm.overrides and regenerated pnpm-lock.yaml to resolve 17 audit vulnerabilities (1 critical, 2 high, 11 moderate, 3 low). All fixes are patch/minor bumps within existing major versions — no breaking upgrades.

Implementation Details

  1. New overrides: shell-quote >=1.8.4, joi >=18.2.1, @opentelemetry/core >=2.8.0, @babel/core >=7.29.6 <8
  2. Tightened overrides:
    • form-data: >=4.0.4>=4.0.6
    • hono: >=4.12.21>=4.12.25
    • js-yaml: >=3.14.2 || >=4.1.1>=4.2.0 <5 (OR range allowed vulnerable 4.1.1)
    • brace-expansion / @isaacs/brace-expansion: >=5.0.6
    • dompurify: >=3.4.11
    • protobufjs: >=7.6.3 <8
  3. Regenerated libraries/typescript/pnpm-lock.yaml

Testing

  • pnpm audit0 vulnerabilities
  • pnpm --filter mcp-use test:unit — 616 passed
  • pnpm --filter @mcp-use/inspector test:unit — 60 passed
  • pnpm --filter @mcp-use/cli test — 303 passed

Backwards Compatibility

Fully backwards compatible. All version bumps are security patches within the same major versions. Overrides use upper bounds (<8, <5, <14) to prevent accidental major upgrades.

Note on inspector standalone lock

packages/inspector/pnpm-lock.yaml is a minimal peer-dep test lock with no vulnerable transitive deps; it was not modified.

Open in Web View Automation 

…ities

- shell-quote >=1.8.4 (critical)
- form-data >=4.0.6, hono >=4.12.25, joi >=18.2.1 (high)
- js-yaml >=4.2.0 <5 (fix OR range allowing vulnerable 4.1.1)
- brace-expansion >=5.0.6, dompurify >=3.4.11, protobufjs >=7.6.3
- @opentelemetry/core >=2.8.0, @babel/core >=7.29.6 <8
- Regenerated pnpm-lock.yaml

Co-authored-by: Enrico Toniato <[email protected]>
@pkg-pr-new

pkg-pr-new Bot commented Jun 29, 2026

Copy link
Copy Markdown

Open in StackBlitz

npm i https://pkg.pr.new/@mcp-use/cli@1812
npm i https://pkg.pr.new/create-mcp-use-app@1812
npm i https://pkg.pr.new/@mcp-use/inspector@1812
npm i https://pkg.pr.new/mcp-use@1812

commit: 2ecd870

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant