fix: resolve all bun audit vulnerabilities with package overrides#338

Open
DaniAkash wants to merge 1 commit into main from claude/slack-fix-bun-vulnerabilities-5FddC
Conversation

@DaniAkash
Contributor

Add overrides for 8 vulnerable transitive dependencies: qs, markdown-it, lodash-es, @modelcontextprotocol/sdk, axios, diff, @isaacs/brace-expansion, and hono. This resolves 11 security vulnerabilities including DoS, ReDoS, prototype pollution, XSS, and data leak issues.

https://claude.ai/code/session_01D3vmc2S4564FJSFqsRaTfM
@github-actions
Contributor

Thank you for your contribution! Before we can merge this PR, we need you to sign our Contributor License Agreement.

To sign the CLA, please add a comment to this PR with the following text:

I have read the CLA Document and I hereby sign the CLA

You only need to sign once. After signing, this check will pass automatically.

Troubleshooting
  • Already signed but still failing? Comment recheck to trigger a re-verification.
  • Signed with a different email? Make sure your commit email matches your GitHub account email, or add your commit email to your GitHub account.

You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot.

@github-actions github-actions bot added the fix label Feb 16, 2026
@greptile-apps
Contributor

greptile-apps bot commented Feb 16, 2026

Greptile Summary

Adds overrides in package.json to pin 8 transitive dependencies to patched versions, resolving 11 security vulnerabilities (DoS, ReDoS, prototype pollution, XSS, data leak). The lockfile is regenerated accordingly.

  • Most overrides are safe patch/minor bumps within their declared semver ranges (qs, markdown-it, lodash-es, axios, @isaacs/brace-expansion).
  • @modelcontextprotocol/sdk (1.25.3 → 1.26.0) and hono (4.11.4 → 4.11.9) are direct dependencies that are upgraded within their caret ranges—low risk but should be tested.
  • diff (7.0.0 → 8.0.3) is a major version override that exceeds the ^7.0.0 range declared by @google/gemini-cli-core. This is the highest-risk change and should be validated to ensure no runtime breakage in gemini CLI core functionality.

Confidence Score: 3/5

  • Mostly safe security maintenance PR, but one override forces a major version bump that could break a transitive consumer.
  • 7 of the 8 overrides are safe patch/minor bumps within compatible semver ranges. However, the diff override forces version 8.0.3 on a dependency (@google/gemini-cli-core) that declares ^7.0.0, crossing a major version boundary. This is the main risk. No source code changes are involved, reducing the surface area, but runtime breakage in gemini CLI core is possible if diff@8 introduced breaking changes.
  • Pay close attention to package.json — specifically the diff override crossing a major version boundary for @google/gemini-cli-core.

Important Files Changed

package.json: Adds 8 package overrides for security vulnerability resolution. Most are safe patch/minor bumps, but diff is a major version override (7.x → 8.x) that crosses the declared semver range of @google/gemini-cli-core.
bun.lock: Lockfile correctly reflects the overrides. Deduplicates previously scoped lodash-es copies. Also picks up incidental updates to chrome-devtools-mcp, express-rate-limit, and ip-address from the MCP SDK upgrade.

Flowchart

flowchart TD
    A["package.json overrides"] --> B["Transitive-only overrides"]
    A --> C["Direct dependency overrides"]
    
    B --> B1["qs 6.14.1 → 6.15.0<br/>patch"]
    B --> B2["markdown-it 14.1.0 → 14.1.1<br/>patch"]
    B --> B3["lodash-es 4.17.21 → 4.17.23<br/>patch"]
    B --> B4["axios 1.13.2 → 1.13.5<br/>patch"]
    B --> B5["@isaacs/brace-expansion 5.0.0 → 5.0.1<br/>patch"]
    B --> B6["diff 7.0.0 → 8.0.3<br/>⚠️ MAJOR"]
    
    C --> C1["@modelcontextprotocol/sdk 1.25.3 → 1.26.0<br/>minor"]
    C --> C2["hono 4.11.4 → 4.11.9<br/>patch"]
    
    B6 -->|"crosses ^7.0.0 range"| D["@google/gemini-cli-core"]
    
    style B6 fill:#f9f,stroke:#f00,stroke-width:2px
    style D fill:#fdd,stroke:#f00

Last reviewed commit: 32ee992


@greptile-apps greptile-apps bot left a comment

2 files reviewed, 1 comment

"lodash-es": "4.17.23",
"@modelcontextprotocol/sdk": "1.26.0",
"axios": "1.13.5",
"diff": "8.0.3",
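Review bot: the "diff": "8.0.3" pin on the last quoted line forces a major that @google/gemini-cli-core, which declares "diff": "^7.0.0", has not been tested against; before merging, either run the gemini-cli-core code paths that use diff against 8.0.3 or check for a gemini-cli-core release whose own range already admits diff@8. Separately, these are exact pins rather than ranges: for @modelcontextprotocol/sdk and hono, which the summary above identifies as direct dependencies, raising the range in "dependencies" would achieve the same fix without an override, and an exact pin in "overrides" will silently stay at this version (missing later security patches) until someone edits this block again.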

Major version override crosses semver boundary

The diff override forces version 8.0.3, but @google/gemini-cli-core declares "diff": "^7.0.0" as its dependency. This is a major version bump (7.x → 8.x) that crosses the declared semver range. Unlike the other overrides which are patch/minor bumps within compatible ranges, this one forces a version that @google/gemini-cli-core was not designed or tested against.

If diff@8 introduced breaking API changes (renamed exports, removed functions, changed signatures), this could cause runtime errors in @google/gemini-cli-core. Consider verifying that the gemini CLI core functionality still works correctly after this override, or check whether @google/gemini-cli-core has a newer version that declares compatibility with diff@8.

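The reviewer's concern is that one override (diff 7.0.0 → 8.0.3) lands outside the ^7.0.0 range its consumer declares, while the other seven stay inside their ranges. That check can be automated. The following is an added example, not code from this PR or from the project: it takes a package.json "overrides" map plus a list of (dependent, package, declared range) triples and reports every override that a dependent's range would not accept. The range-matching helper is deliberately minimal (exact, caret, tilde, >= and *) so the example runs without the semver package; the declared ranges in the sample data are constructed for illustration, except @google/gemini-cli-core's "diff": "^7.0.0", which the review quotes. In a real run you would collect the triples from bun.lock or from each node_modules/*/package.json.

```javascript
// Added example (not the PR's or the project's code): flag overrides that
// fall outside the semver range a dependent declares for that package.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Minimal range check for the forms most package.json files use:
// exact "1.2.3", caret "^1.2.3", tilde "~1.2.3", ">=1.2.3", and "*".
// A real project would use the `semver` package; this is inline only so the
// example has no dependencies of its own.
function satisfies(version, range) {
  const r = range.trim();
  if (r === '*' || r === '' || r === 'latest') return true;
  const v = parseVersion(version);
  if (r.startsWith('>=')) return cmp(v, parseVersion(r.slice(2))) >= 0;
  if (r.startsWith('^')) {
    const lo = parseVersion(r.slice(1));
    if (cmp(v, lo) < 0) return false;
    // caret: the leftmost non-zero component is fixed, the rest may grow
    if (lo[0] !== 0) return v[0] === lo[0];
    if (lo[1] !== 0) return v[0] === 0 && v[1] === lo[1];
    return v[0] === 0 && v[1] === 0 && v[2] === lo[2];
  }
  if (r.startsWith('~')) {
    const lo = parseVersion(r.slice(1));
    return cmp(v, lo) >= 0 && v[0] === lo[0] && v[1] === lo[1];
  }
  return cmp(v, parseVersion(r)) === 0;
}

// overrides: the "overrides" map from package.json, { name: version }
// declared:  [{ dependent, name, range }] for every package that depends on
//            `name`, with the range it declares (collected from the lockfile
//            or node_modules in a real run; constructed here)
function auditOverrides(overrides, declared) {
  const findings = [];
  for (const [name, version] of Object.entries(overrides)) {
    for (const d of declared.filter((x) => x.name === name)) {
      if (!satisfies(version, d.range)) {
        findings.push({ name, version, dependent: d.dependent, range: d.range });
      }
    }
  }
  return findings;
}

// Constructed sample input. Only the gemini-cli-core range is taken from
// the review; the others are illustrative.
const overrides = { qs: '6.15.0', diff: '8.0.3', hono: '4.11.9' };
const declared = [
  { dependent: 'express', name: 'qs', range: '^6.14.0' },
  { dependent: '@google/gemini-cli-core', name: 'diff', range: '^7.0.0' },
  { dependent: '(root)', name: 'hono', range: '^4.11.4' },
];

const findings = auditOverrides(overrides, declared);
for (const f of findings) {
  console.log(
    `override ${f.name}@${f.version} is outside ${f.dependent}'s declared range ${f.range}`
  );
}
```

Run with `bun run audit-overrides.js` (or `node`); a non-empty findings list is the signal to test the dependent against the forced version, or to look for a dependent release whose own range admits it, before merging the override.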
