
fix: patch high dependency advisories#1335

Merged
Astro-Han merged 1 commit into dev from codex/dev-dep-audit-high-fixes on Jun 16, 2026

Conversation

@Astro-Han

Owner

Summary

Patch the current high-severity dependency advisories failing dev-dep-audit by moving the vulnerable packages to their patched floors:

  • form-data -> 4.0.6
  • ws -> 8.21.0
  • vite -> 7.3.5

There is no separate issue; this PR fixes the current dev-dep-audit high advisory failure observed from PR #1315 and re-verified on latest origin/dev.

Why

bun audit --audit-level=high currently fails on dev for:

ws is a direct dependency in packages/opencode and packages/desktop-electron, so those manifests are bumped directly. form-data is only pulled through transitive dependency paths, so the root override pins the patched floor instead of broad-updating electron-builder or Arborist-related packages. ws also has vulnerable transitive paths, so the root override keeps the whole root workspace on 8.21.0. The site has its own bun.lock, so it gets an exact vite override to keep the independent site install on the patched 7.x line without moving to Vite 8.

Related Issue

No separate issue. This is a focused dependency-audit repair for the current dev-dep-audit failure.

Human Review Status

Pending

Review Focus

Please check that the overrides are limited to the vulnerable dependency floors and that the site lock remains on Vite 7.x rather than a Vite 8 major upgrade.

Risk Notes

Dependency risk only. The root lockfile also re-dedupes yaml entries as a Bun 1.3.14 lockfile resolver side effect while syncing the exact dependency changes. No runtime code, CI policy, audit allowlist, UI, copy, permissions, or credential handling changed. The visible UI checklist item is not applicable because this PR changes dependencies only.

How To Verify

RED repro: bun install --frozen-lockfile && bun audit --audit-level=high -> failed with 3 high advisories for form-data, ws, and vite before the fix
Root frozen install: bun install --frozen-lockfile -> pass, no lockfile changes
Root audit: bun audit --audit-level=high -> pass, no high advisories reported
Site frozen install: (cd site && bun install --frozen-lockfile) -> pass, no lockfile changes
Site audit: (cd site && bun audit --audit-level=high) -> pass, no high advisories reported
Diff check: git diff --check -> pass
opencode typecheck: (cd packages/opencode && bun run typecheck) -> pass
desktop typecheck: (cd packages/desktop-electron && bun run typecheck) -> pass
app build: (cd packages/app && bun run build) -> pass with existing Vite build warnings
desktop build: (cd packages/desktop-electron && bun run build) -> pass with existing Vite/eval warnings
desktop CDP bridge smoke: (cd packages/desktop-electron && bun run smoke:cdp-bridge-ws) -> pass, SMOKE-OK
ui typecheck: (cd packages/ui && bun run typecheck) -> pass
site build: (cd site && bun run build) -> pass

Screenshots or Recordings

Not applicable. No visible UI or copy changed.

Checklist

How to use this checklist:

  • Tick a box by replacing [ ] with [x]. Do not edit, add, or remove items.
  • The bot-applied label items can only be honestly ticked AFTER the PR is opened and the labeler / priority-triage bots have run — return to the PR description and tick them then.
  • Most items are required. The few that are conditional are explicitly marked (conditional); for those, leave unticked if they truly do not apply and explain why in Risk Notes. All other items must be ticked before requesting human review.
  • Type label — this PR carries exactly one of bug, enhancement, task, documentation. Type labels are author-added; the labeler bot does NOT assign them. Add the label in the GitHub UI, then tick this.
  • Routing labels — this PR carries at least one of app, ui, platform, harness, ci. The labeler bot assigns these on PR open based on changed paths. Confirm the bot's choice (or override if wrong), then tick this.
  • Priority label — this PR carries exactly one of P0, P1, P2, P3. The priority-triage bot suggests one on PR open. Confirm or override, then tick this.
  • Human Review Status above is set to Pending, Approved by @<reviewer>, or Not required: <reason> (default is Pending; "not required" is restricted to bot-authored low-risk PRs).
  • I linked the related issue, or stated in Summary why there is no issue.
  • I described the review focus and any meaningful risks.
  • I replaced the example block in How To Verify with the real verification steps and the key result for each.
  • I did not introduce unrelated refactors, dependencies, generated files, or file changes beyond the stated scope.
  • (conditional) I manually checked visible UI or copy changes when needed, with screenshots or recordings. Leave unticked only if no visible UI or copy changed.
  • (conditional) I considered macOS and Windows impact for platform, packaging, updater, signing, paths, shell, or permissions changes. Leave unticked only if no platform/packaging surface was touched.
  • (conditional) I called out docs, release notes, dependencies, permissions, credentials, deletion behavior, generated content, or local file changes when relevant. Leave unticked only if none of those surfaces was touched.
  • I reviewed the final diff for unrelated changes and suspicious dependency changes.
  • I am targeting dev, and my PR title and commit messages use Conventional Commits in English.
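As an added reviewer check for the Review Focus above (this is example code, not code from PR #1335 or from the repository): a small Node/Bun script that reads a manifest's `overrides` block and confirms that every override names one of the three advisory packages, sits at or above the patched floor the PR states (form-data 4.0.6, ws 8.21.0, vite 7.3.5), is an exact pin rather than a `^`/`~` range, and that vite stays below the 8.x major. The manifests below are constructed for the example, not the repository's real package.json files; the "exact pin, no range" rule is this example's own policy, inferred from the PR's description of exact floor pins, not a rule the project states.

```javascript
// Added example: audit package.json "overrides" against the patched floors
// named in PR #1335. Not part of the PR or the repository.

// Patched floors as stated in the PR description.
const FLOORS = {
  "form-data": "4.0.6",
  ws: "8.21.0",
  vite: "7.3.5",
};

// Major version an override must stay below (the site must not move to Vite 8).
const MAJOR_CEILING = { vite: 8 };

// Parse "7.3.5", "^7.3.5", "~7.3.5", ">=7.3.5" or "v7.3.5" into [major, minor, patch].
function parseVersion(spec) {
  const m = /^[\^~>=]*v?(\d+)\.(\d+)\.(\d+)/.exec(String(spec).trim());
  if (!m) throw new Error(`unparseable version spec: ${spec}`);
  return m.slice(1, 4).map(Number);
}

// Negative if a < b, zero if equal, positive if a > b (numeric, not lexical).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Check one override entry; returns a list of problem strings (empty means OK).
function checkOverride(name, spec) {
  const problems = [];
  if (!(name in FLOORS)) {
    // Overrides outside the advisory set widen the change beyond the stated scope.
    problems.push(`${name}: override is not one of the advisory packages`);
    return problems;
  }
  if (compareVersions(spec, FLOORS[name]) < 0) {
    problems.push(`${name}: ${spec} is below patched floor ${FLOORS[name]}`);
  }
  if (name in MAJOR_CEILING && parseVersion(spec)[0] >= MAJOR_CEILING[name]) {
    problems.push(`${name}: ${spec} crosses into major ${MAJOR_CEILING[name]}`);
  }
  if (/^[\^~]/.test(String(spec).trim())) {
    // Example policy: a range lets the resolver drift; the PR describes exact pins.
    problems.push(`${name}: ${spec} is a range, not an exact floor pin`);
  }
  return problems;
}

// Audit every override in a parsed manifest; empty result means the manifest passes.
function auditOverrides(manifest) {
  const overrides = manifest.overrides || {};
  return Object.entries(overrides).flatMap(([name, spec]) => checkOverride(name, spec));
}

// Constructed sample manifests (hypothetical, not the repository's files).
const rootManifest = {
  name: "root-workspace",
  overrides: { "form-data": "4.0.6", ws: "8.21.0" },
};
const siteManifest = {
  name: "site",
  overrides: { vite: "7.3.5" },
};
// A manifest a reviewer should reject: ws below the floor, vite moved to the
// 8.x major, and an unrelated package ("other-pkg", hypothetical) overridden.
const badManifest = {
  name: "bad",
  overrides: { ws: "8.20.0", vite: "8.0.1", "other-pkg": "1.0.0" },
};

for (const m of [rootManifest, siteManifest, badManifest]) {
  const problems = auditOverrides(m);
  console.log(`${m.name}: ${problems.length ? "FAIL" : "PASS"}`);
  for (const p of problems) console.log(`  - ${p}`);
}
```

To use it against a real checkout, replace the constructed manifests with `JSON.parse(fs.readFileSync("package.json"))` and `JSON.parse(fs.readFileSync("site/package.json"))`; the check complements, rather than replaces, `bun audit --audit-level=high`, because it verifies the declared floors while the audit verifies what the lockfile actually resolved.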

@Astro-Han Astro-Han added bug Something isn't working ci Continuous integration / GitHub Actions P1 High priority dependencies Pull requests that update a dependency file labels Jun 16, 2026
@coderabbitai

coderabbitai Bot commented Jun 16, 2026

Contributor

Warning

Review limit reached

@Astro-Han, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 45 minutes and 30 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: aa7f946e-a7d8-4e2c-bf87-a71034ac7918

📥 Commits

Reviewing files that changed from the base of the PR and between 9dc42a7 and 669401e.

⛔ Files ignored due to path filters (2)
  • bun.lock is excluded by !**/*.lock
  • site/bun.lock is excluded by !**/*.lock
📒 Files selected for processing (4)
  • package.json
  • packages/desktop-electron/package.json
  • packages/opencode/package.json
  • site/package.json

@github-actions github-actions Bot added ui Design system and user interface platform Electron shell, OS integration, packaging, updater, signing, paths, and permissions harness Model harness, prompts, tool descriptions, and session mechanics labels Jun 16, 2026

@github-actions github-actions Bot left a comment


Suggested priority: P2 (includes non-doc, non-test paths outside the low-risk bucket).

P1/P0 are reserved for maintainer confirmation. Please relabel manually if this is a release blocker, security issue, data-loss risk, or updater/runtime failure.

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request updates several dependencies across the project, including upgrading vite to 7.3.5, ws to 8.21.0, and adding form-data and ws to the root package.json dependencies. It also updates lockfiles and adds overrides for vite in the site package. There are no review comments, so I have no feedback to provide.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

@Astro-Han Astro-Han merged commit 46cd7d4 into dev Jun 16, 2026
36 of 37 checks passed
@Astro-Han Astro-Han deleted the codex/dev-dep-audit-high-fixes branch June 16, 2026 02:16
Astro-Han added a commit that referenced this pull request Jun 16, 2026
## Summary
- Bump `@jackwener/opencli` from 1.8.3 to 1.8.4 so PawWork gets the upstream Xiaohongshu `ask` adapter instead of carrying a local overlay.
- Keep the adapter capability and embedded server tests focused on discovering and exposing `xiaohongshu/ask`.
- Refresh the branch on current `dev`, including the dev-dependency audit fix from #1335.

## Verification
- `bun install --frozen-lockfile`
- `git diff --check origin/dev...HEAD`
- `bun audit --audit-level=high`
- `cd packages/opencode && bun test ./test/opencli/adapter-registry.test.ts ./test/tool/opencli-tools.test.ts ./test/opencli/adapter-capabilities.test.ts --timeout 30000`
- `cd packages/opencode && bun test ./test/server/built-node-opencli-adapters.test.ts --timeout 120000`
- PR CI passed. `unit-windows-opencode-server-tools` was rerun after the first attempt passed tests but was cancelled during the cache post step; the rerun completed successfully.

## Risk
- Low. This removes the local adapter implementation path and relies on the published upstream OpenCLI 1.8.4 package, with coverage at the source registry and embedded server boundary.