
fix(deps): patch undici, ws & protobufjs advisories (npm audit 4 high to 0)#33

Merged
Waishnav merged 3 commits into
Waishnav:mainfrom
aaronjmars:security/bump-undici-ws-protobufjs
Jun 23, 2026

Conversation

@aaronjmars


Automated dependency hardening to address published high-severity advisories in transitive dependencies of @earendil-works/pi-coding-agent. Lockfile + manifest only — no source changes.

npm audit currently reports 4 high-severity advisories. This PR takes it to 0.

What changed

The repo already had overrides for protobufjs and ws, but the committed package-lock.json predated them, so the overrides were inert (the lockfile still resolved the vulnerable versions). undici was missing from overrides entirely. This PR adds undici to overrides and updates the affected lockfile entries to the patched releases.

| Package | From | To | Advisories |
|---|---|---|---|
| undici | 8.3.0 | 8.5.0 | GHSA-vmh5-mc38-953g (TLS validation bypass via SOCKS5), GHSA-pr7r-676h-xcf6 (cache disclosure), GHSA-p88m-4jfj-68fv (Set-Cookie header injection), GHSA-35p6-xmwp-9g52 (response-queue poisoning) + 3 more |
| ws | 8.20.1 | 8.21.0 | GHSA-96hv-2xvq-fx4p (memory-exhaustion DoS) |
| protobufjs | 7.5.9 | 7.6.4 | GHSA-f38q-mgvj-vph7 (property shadowing), GHSA-wcpc-wj8m-hjx6 (Any-expansion DoS) |
| @protobufjs/eventemitter | 1.1.0 | 1.1.1 | (bumped because protobufjs@7.6.4 requires ^1.1.1) |

All bumps are within the same major version.

Verification

  • npm audit: 4 high → 0
  • npm ci --dry-run: resolves cleanly, no other package changes (@earendil-works/pi-coding-agent stays 0.79.4, no major bumps)
  • Diff is limited to package.json (one override line) and four package-lock.json entries

Note: overrides only take effect on a full lockfile rebuild — npm install --package-lock-only against an existing lockfile won't re-apply them (which is why the previous protobufjs/ws overrides never landed). The lockfile entries here have been updated directly so the patched versions are what npm ci installs.


Filed by Aeon.
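The failure mode the PR description calls out, overrides declared in package.json that the committed package-lock.json never picked up, is easy to check for in CI. The script below is an added example written for this page; it is not code from the PR or from the repository. It assumes overrides are plain `"name": "range"` pairs (exact, `^` or `~` ranges) and a lockfileVersion 2/3 `packages` map; the sample package.json and lockfile are constructed to mirror the situation described above, with the real override contents of the repository being unknown here.

```javascript
// Added example (not the PR's code): report package.json "overrides" that the
// committed package-lock.json does not honour, i.e. lockfile entries whose
// resolved version falls outside the declared override range.

// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffixes are ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Minimal range check (assumption: only the forms used in typical overrides):
//   "1.2.3"  -> exact match
//   "^1.2.3" -> >= 1.2.3 and same major
//   "~1.2.3" -> >= 1.2.3 and same major.minor
function satisfies(version, range) {
  const v = parseVersion(version);
  if (range.startsWith("^")) {
    const base = parseVersion(range.slice(1));
    return compare(v, base) >= 0 && v[0] === base[0];
  }
  if (range.startsWith("~")) {
    const base = parseVersion(range.slice(1));
    return compare(v, base) >= 0 && v[0] === base[0] && v[1] === base[1];
  }
  return compare(v, parseVersion(range)) === 0;
}

// Walk every lockfile entry (including nested node_modules paths), map the
// path back to a package name, and flag any version that violates an override.
// Returns [{ name, override, installed, path }, ...]; empty means all honoured.
function findInertOverrides(pkgJson, lockJson) {
  const overrides = pkgJson.overrides || {};
  const findings = [];
  for (const [path, entry] of Object.entries(lockJson.packages || {})) {
    if (path === "") continue; // root project entry
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    const range = overrides[name];
    if (!range || !entry.version) continue;
    if (!satisfies(entry.version, range)) {
      findings.push({ name, override: range, installed: entry.version, path });
    }
  }
  return findings;
}

// Constructed sample input modelled on the PR description: overrides exist for
// protobufjs and ws, but the lockfile still resolves the older versions; undici
// has no override at all, so it is unconstrained and not reported here.
const samplePackageJson = {
  name: "sample-app",
  overrides: { protobufjs: "^7.6.4", ws: "^8.21.0" },
};
const sampleLockfile = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app" },
    "node_modules/protobufjs": { version: "7.5.9" },
    "node_modules/@protobufjs/eventemitter": { version: "1.1.0" },
    "node_modules/ws": { version: "8.20.1" },
    "node_modules/undici": { version: "8.3.0" },
  },
};

for (const f of findInertOverrides(samplePackageJson, sampleLockfile)) {
  console.log(
    `override for ${f.name} (${f.override}) not honoured: lockfile has ${f.installed} at ${f.path}`
  );
}
```

In a real pipeline, read the two files with `JSON.parse(fs.readFileSync(...))` instead of the constructed objects and fail the job when `findInertOverrides` returns anything; that turns the silent "override never landed" case into a visible check, and it catches the regression if someone later runs `npm install --package-lock-only` against a stale lockfile.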

aeonframework and others added 3 commits June 23, 2026 19:33
…ckfile

Pins transitive dependencies of @earendil-works/pi-coding-agent to patched
releases that resolve published high-severity advisories. The existing
overrides for protobufjs and ws were not reflected in the committed
package-lock.json, and undici was missing from the overrides entirely.

- undici 8.3.0 -> 8.5.0 (GHSA-vmh5-mc38-953g TLS bypass, GHSA-pr7r-676h-xcf6
  cache disclosure, GHSA-p88m-4jfj-68fv Set-Cookie header injection,
  GHSA-35p6-xmwp-9g52 response-queue poisoning, +3 more) — added to overrides
- ws 8.20.1 -> 8.21.0 (GHSA-96hv-2xvq-fx4p memory-exhaustion DoS)
- protobufjs 7.5.9 -> 7.6.4 (GHSA-f38q-mgvj-vph7 property shadowing,
  GHSA-wcpc-wj8m-hjx6 Any-expansion DoS)
- @protobufjs/eventemitter 1.1.0 -> 1.1.1 (required by protobufjs 7.6.4)

`npm audit`: 4 high -> 0. `npm ci --dry-run` resolves cleanly with no other
package changes. Lockfile/manifest only; no source changes.
@Waishnav Waishnav merged commit 65be252 into Waishnav:main Jun 23, 2026
3 checks passed