@D-K-P D-K-P commented Jan 27, 2026

  • Upgrade @modelcontextprotocol/sdk 1.24.0 → 1.25.2 (CVE-2026-0621 ReDoS)
  • Upgrade tar 7.4.3 → 7.5.4+ (CVE-2026-23950 race condition)
  • Add pnpm overrides for transitive deps:

Note: undici alert #536 dismissed as tolerable_risk (DoS via malicious server response; consumers only connect to trusted servers)

Closes #

✅ Checklist

  • I have followed every step in the contributing guide
  • The PR title follows the convention.
  • I ran and tested the code works

Testing

[Describe the steps you took to test this change]


Changelog

[Short description of what has changed]


Screenshots

[Screenshots]


- Upgrade @modelcontextprotocol/sdk 1.24.0 → 1.25.2 (CVE-2026-0621 ReDoS)
- Upgrade tar 7.4.3 → 7.5.4+ (CVE-2026-23950 race condition)
- Add pnpm overrides for transitive deps:
  - qs <6.14.0 → 6.14.0 (CVE-2025-15284 DoS)
  - systeminformation <5.27.14 → 5.27.14 (CVE-2025-68154 cmd injection)
  - lodash <4.17.23 → 4.17.23 (CVE-2025-13465 prototype pollution)

Note: undici alert #536 dismissed as tolerable_risk (DoS via malicious
server response; consumers only connect to trusted servers)
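As an added example (not code from the PR or the trigger.dev project), a small Node script that audits a pnpm `overrides` map against the fixed versions named in this thread: the sample package.json and the fixed-version table are constructed from the review comments, and the 6.14.1 figure for qs is taken from the CodeRabbit comment rather than from an advisory.

```javascript
// Added example (not from the PR or the trigger.dev repository): audit a pnpm "overrides"
// map for pins that miss their CVE. "qs@>=6.0.0 <6.14.0": "6.14.0" only rewrites versions
// inside that range, so if the fix landed in 6.14.1 both the pin and the bound fall short.
// Constructed sample mirroring the override strings quoted in the review comments
// (sample input, not the repository's real package.json).
const samplePackageJson = {
  pnpm: {
    overrides: {
      "qs@>=6.0.0 <6.14.0": "6.14.0",
      "systeminformation@<5.27.14": "5.27.14",
      "lodash@<4.17.23": "4.17.23",
    },
  },
};
// Minimum fixed versions as stated in this thread (assumed input: the 6.14.1 figure
// for qs comes from the CodeRabbit comment; confirm it against the advisory).
const fixedVersions = { qs: "6.14.1", systeminformation: "5.27.14", lodash: "4.17.23" };

// Compare two x.y.z versions numerically: returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Split an override key into the package name and the exclusive upper bound ("<x.y.z")
// of its range, or null when the key has no such bound.
function parseOverrideKey(key) {
  const at = key.lastIndexOf("@"); // lastIndexOf keeps a leading "@scope/" intact
  const name = at > 0 ? key.slice(0, at) : key;
  const m = (at > 0 ? key.slice(at + 1) : "").match(/<(?!=)\s*(\d+\.\d+\.\d+)/);
  return { name, upper: m ? m[1] : null };
}

// One finding per override whose pin is still vulnerable or whose range lets [upper, fixed) escape.
function auditOverrides(pkg, fixed) {
  const findings = [];
  for (const [key, pin] of Object.entries((pkg.pnpm && pkg.pnpm.overrides) || {})) {
    const { name, upper } = parseOverrideKey(key);
    const min = fixed[name];
    if (!min) continue;
    if (compareVersions(pin, min) < 0) findings.push(`${name}: pin ${pin} is below fixed ${min}`);
    if (upper && compareVersions(upper, min) < 0) findings.push(`${name}: [${upper}, ${min}) escapes the override`);
  }
  return findings;
}
console.log(auditOverrides(samplePackageJson, fixedVersions));
```

Running it against the sample reports two findings for qs and none for the other two pins; widening the key to `<6.14.1` and pinning `6.14.1`, as the review suggested, clears both.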

changeset-bot bot commented Jan 27, 2026

⚠️ No Changeset found

Latest commit: f0d02d7

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@D-K-P D-K-P marked this pull request as ready for review January 27, 2026 15:24

coderabbitai bot commented Jan 27, 2026

Walkthrough

The root package.json updates the pnpm overrides map: it preserves the existing jws entry (reformatted) and adds overrides for qs, systeminformation, and lodash (pinning to 6.14.1, 5.27.14, and 4.17.23 respectively). The packages/cli-v3/package.json updates two dependencies: @modelcontextprotocol/sdk from ^1.24.0 to ^1.25.2 and tar from ^7.4.3 to ^7.5.4.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and specifically describes the main changes: security upgrades to CLI dependencies and addition of vulnerability fixes via overrides.
Description check ✅ Passed The description includes the template structure with checklist and required sections, but Testing, Changelog, and Screenshots sections are incomplete (marked with placeholder text).
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



📜 Recent review details

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a940568 and f0d02d7.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • package.json
🧰 Additional context used
📓 Path-based instructions (1)
**/*.{js,ts,jsx,tsx,json,md,yaml,yml}

📄 CodeRabbit inference engine (AGENTS.md)

Format code using Prettier before committing

Files:

  • package.json
🧠 Learnings (3)
📓 Common learnings
Learnt from: CR
Repo: triggerdotdev/trigger.dev PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-15T10:48:02.687Z
Learning: Use pnpm as the package manager (version 10.23.0 or later) and Node.js 20.20.0
Learnt from: CR
Repo: triggerdotdev/trigger.dev PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-15T11:50:06.067Z
Learning: Run commands from root with `pnpm run` in this pnpm 10.23.0 monorepo using Turborepo
Learnt from: CR
Repo: triggerdotdev/trigger.dev PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-15T11:50:06.067Z
Learning: Applies to {packages,integrations}/**/* : Add a changeset when modifying any public package in `packages/*` or `integrations/*` using `pnpm run changeset:add`
🔇 Additional comments (1)
package.json (1)

97-100: Overrides block looks consistent and well-scoped.
Good to see the new pins aligned with existing override patterns, and the formatting matches the rest of the file.




@devin-ai-integration devin-ai-integration bot left a comment


✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 2 additional flags.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🤖 Fix all issues with AI agents
In `@package.json`:
- Around line 97-100: Update the qs override entry in package.json to pin a
non-vulnerable version: replace the existing override "qs@>=6.0.0 <6.14.0":
"6.14.0" with "qs@>=6.0.0 <6.14.1": "6.14.1" so the override satisfies
CVE-2025-15284; ensure you only change the qs override string and keep the
surrounding formatting consistent with the other overrides.

In `@packages/cli-v3/package.json`:
- Line 86: This package update modifies the public package packages/cli-v3 by
bumping the dependency "@modelcontextprotocol/sdk" to ^1.25.2; add a changeset
for this public package using the repository guideline (run pnpm run
changeset:add) and commit the generated changeset file so the release tooling
includes this version change for packages/cli-v3 and documents the security
upgrade in the changelog.
🧹 Nitpick comments (1)
packages/cli-v3/package.json (1)

1-3: Consider adding a changeset for this security update.

This package is public and the dependency upgrades address security vulnerabilities. As per coding guidelines, modifications to public packages in packages/* should include a changeset (pnpm run changeset:add). A patch changeset documenting the security fixes would help users track these updates in the changelog.

📜 Review details

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between eeab6bd and a940568.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • package.json
  • packages/cli-v3/package.json
🧰 Additional context used
📓 Path-based instructions (2)
**/*.{js,ts,jsx,tsx,json,md,yaml,yml}

📄 CodeRabbit inference engine (AGENTS.md)

Format code using Prettier before committing

Files:

  • packages/cli-v3/package.json
  • package.json
{packages,integrations}/**/*

📄 CodeRabbit inference engine (CLAUDE.md)

Add a changeset when modifying any public package in packages/* or integrations/* using pnpm run changeset:add

Files:

  • packages/cli-v3/package.json


@nicktrn nicktrn merged commit 5fb9cc3 into main Jan 27, 2026
32 checks passed
@nicktrn nicktrn deleted the fix/security-cli-overrides branch January 27, 2026 16:33