Thanks to visit codestin.com
Credit goes to github.com

Skip to content

chore(typescript): fix pnpm audit vulnerabilities and refresh lockfile#1829

Draft
cursor[bot] wants to merge 1 commit into
mainfrom
cursor/workspace-npm-audit-20ba
Draft

chore(typescript): fix pnpm audit vulnerabilities and refresh lockfile#1829
cursor[bot] wants to merge 1 commit into
mainfrom
cursor/workspace-npm-audit-20ba

Conversation

@cursor

@cursor cursor Bot commented Jul 1, 2026

Copy link
Copy Markdown

Language / Project Scope

  • TypeScript
  • CI/CD or tooling

Changes

Fix 17 pnpm audit vulnerabilities (1 critical, 2 high, 11 moderate, 3 low) by tightening root pnpm.overrides and regenerating pnpm-lock.yaml. No breaking major-version upgrades.

Implementation Details

  1. Updated root pnpm.overrides for transitive security fixes:
    • shell-quote >=1.8.4 (critical)
    • form-data >=4.0.6 (high)
    • hono >=4.12.25 (high)
    • joi >=18.2.1, js-yaml >=4.2.0 <5, brace-expansion >=5.0.6 (moderate)
    • dompurify >=3.4.11, protobufjs >=7.6.3 <8, @opentelemetry/core >=2.8.0 (moderate)
    • @babel/core >=7.29.6 <8 (low)
  2. Bumped @mcp-use/inspector direct hono dep from ^4.12.12 to ^4.12.25.
  3. Regenerated workspace lockfile via pnpm install --no-frozen-lockfile.
  4. Fixed js-yaml override pattern: replaced >=3.14.2 || >=4.1.1 with >=4.2.0 <5 so vulnerable 4.1.1 cannot satisfy the override.

Testing

  • pnpm audit — 0 known vulnerabilities
  • pnpm --filter mcp-use build — success
  • pnpm --filter mcp-use test:unit — 616 passed
  • pnpm --filter @mcp-use/inspector test:unit — 60 passed

Backwards Compatibility

Fully backwards compatible. All updates are patch/minor bumps within existing major versions, applied via overrides and lockfile refresh.

Documentation Updates

  • Changeset added for patch release notes.
Open in Web View Automation 

Tighten root pnpm overrides for shell-quote, form-data, hono, joi,
js-yaml, brace-expansion, dompurify, protobufjs, @opentelemetry/core,
and @babel/core. Bump inspector hono direct dep to ^4.12.25.

pnpm audit now reports 0 known vulnerabilities.

Co-authored-by: Enrico Toniato <[email protected]>
@pkg-pr-new

pkg-pr-new Bot commented Jul 1, 2026

Copy link
Copy Markdown

Open in StackBlitz

npm i https://pkg.pr.new/@mcp-use/cli@1829
npm i https://pkg.pr.new/create-mcp-use-app@1829
npm i https://pkg.pr.new/@mcp-use/inspector@1829
npm i https://pkg.pr.new/mcp-use@1829

commit: 94341d8

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant