Security Assessment — chore: bump btst db version
Summary
No high-confidence vulnerabilities were introduced by the core dependency bump (@btst/db 2.1.1 → 2.2.1, @btst/adapter-memory 2.1.1 → 2.2.1, better-call peer minimum ≥ 1.3.5). All pinned packages carry integrity hashes in the lockfile and the auth library upgrade (@better-auth/core 1.5.x → 1.6.2) follows a transitively locked resolution.
One moderate supply-chain concern and one informational note are flagged below.
Findings
[MODERATE] nitro pinned to specifier: latest — resolves to a beta pre-release
File: pnpm-lock.yaml (codegen-projects/tanstack importer block, line ~319)
```yaml
nitro:
  specifier: latest
  version: 3.0.260311-beta(...)
```
The `latest` dist-tag on npm resolves to whatever the registry considers "latest" at install time, and it can include beta / pre-release versions (as it does here: 3.0.260311-beta). Risks:
- Lockfile bypass: any fresh `pnpm install` without `--frozen-lockfile` (e.g. after a `pnpm update` or CI cache miss) will pull in the newest `latest`, which may be a different beta or even a malicious replacement if the package is compromised between now and that install.
- Template propagation: if `codegen-projects/tanstack` is a scaffold that is copied or generated into consumer projects, the `latest` specifier propagates to end-user `package.json` files, leaving their production servers pinned to an ever-changing beta framework version.
- Beta stability: pre-release builds of a server framework like Nitro may include unreviewed security changes or regressions.
Remediation: Pin nitro to an explicit stable semver range (e.g. ^3.0.0 or the exact 3.0.x once a stable release is cut) in the codegen template's package.json rather than latest.
[INFORMATIONAL] @better-auth/core upgraded 1.5.x → 1.6.2 (transitive, via @btst/db)
The lockfile drops @better-auth/core@1.5.4 and @1.5.6 entirely in favour of 1.6.2. This is a non-trivial minor bump for an auth library — the @better-auth/utils peer moved from 0.3.1 to 0.4.0 and @opentelemetry/api was added as a new peer in 1.6.2. The resolved version carries an integrity hash so there is no substitution risk, but the @btst/db maintainer should confirm that @better-auth/core 1.6.x does not introduce session-handling or token-management regressions relevant to @btst/stack consumers.
What was checked and found clean
| Area | Verdict |
|---|---|
| SQL / command injection surface | No new query construction or shell execution in diff |
| Authn/authz boundaries | No permission logic changed; auth library upgrade is lockfile-pinned |
| Secret / token leakage | No new logging or env variable handling |
| SSRF / XSS vectors | No new HTTP client or template rendering code |
| Package integrity | All packages have `resolution: {integrity: sha512-...}` in lockfile |
| better-call peer bump (≥ 1.3.5) | Resolved to 1.3.5(zod@4.2.1) with integrity hash — no gap |
Sent by Cursor Automation: Find vulnerabilities
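Added example, not code from the PR, the bot, or the project: a small Node.js scanner that applies the two checks from the finding above to pnpm-lock.yaml text, flagging importer entries whose specifier is a floating dist-tag such as `latest` and entries whose resolved version is a semver pre-release. The lockfile fragment it runs on is constructed (the peer suffix on nitro's version is illustrative).

```javascript
// Added example, not part of the PR or the project: scan pnpm-lock.yaml text
// for entries whose specifier is a floating dist-tag (e.g. "latest") or whose
// resolved version is a semver pre-release, the two conditions flagged above.
const DIST_TAGS = new Set(["latest", "next", "beta", "canary", "*"]);

// Line-based scan: an importer entry is "name:" followed by indented
// "specifier:" and "version:" lines. Returns [{ name, specifier, version, reasons }].
function findFloatingDeps(lockfileText) {
  const findings = [];
  let current = null;
  const flush = () => {
    if (!current) return;
    const reasons = [];
    if (DIST_TAGS.has(current.specifier)) reasons.push(`dist-tag specifier "${current.specifier}"`);
    // Drop pnpm's peer suffix: "3.0.1-beta(zod@4.2.1)" -> "3.0.1-beta"
    const bare = current.version.replace(/\(.*$/, "");
    if (/^\d+\.\d+\.\d+-[0-9A-Za-z.-]+$/.test(bare)) reasons.push(`pre-release version ${bare}`);
    if (reasons.length > 0) findings.push({ ...current, reasons });
    current = null;
  };
  for (const raw of lockfileText.split("\n")) {
    const line = raw.trim();
    const key = line.match(/^['"]?([@\w./-]+)['"]?:$/); // "nitro:" or "'@btst/db':"
    if (key) { flush(); current = { name: key[1], specifier: "", version: "" }; continue; }
    if (!current) continue;
    const kv = line.match(/^(specifier|version):\s*(.*)$/);
    if (kv) current[kv[1]] = kv[2].replace(/^['"]|['"]$/g, "");
  }
  flush();
  return findings;
}

// Constructed lockfile fragment modelled on the importer block discussed above;
// the peer suffix on nitro's version is illustrative, not taken from the lockfile.
const SAMPLE_LOCK = `lockfileVersion: '9.0'
importers:
  codegen-projects/tanstack:
    dependencies:
      nitro:
        specifier: latest
        version: 3.0.260311-beta(zod@4.2.1)
      class-variance-authority:
        specifier: ^0.7.1
        version: 0.7.1
      '@btst/db':
        specifier: ^2.2.1
        version: 2.2.1
`;
for (const f of findFloatingDeps(SAMPLE_LOCK)) console.log(`${f.name}: ${f.reasons.join("; ")}`);
```

Running it in CI next to `pnpm install --frozen-lockfile` turns the "specifier: latest" finding into an automated check rather than a manual review item.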
```yaml
        version: 5.0.94(zod@4.2.1)
      class-variance-authority:
        specifier: ^0.7.1
        version: 0.7.1
```
Supply-chain risk: specifier: latest pinned to a beta pre-release.
The nitro dependency in codegen-projects/tanstack uses latest as its version specifier, which resolved here to 3.0.260311-beta. latest on npm can include pre-release builds and will silently advance on any fresh install without --frozen-lockfile.
If this codegen project is used as a scaffold template, the latest specifier is copied into consumer package.json files, leaving their production servers on an ever-changing, unreviewed beta of a server framework.
Recommended fix: Replace specifier: latest with an explicit stable range such as "nitro": "^3.0.0" (or the first stable 3.x release) in codegen-projects/tanstack/package.json.
✅ Shadcn registry validated — no registry changes detected.


Summary
closes #94
Type of change
Checklist
- `pnpm build` passes
- `pnpm typecheck` passes
- `pnpm lint` passes
- docs/content/docs/) if consumer-facing types or behavior changed
Screenshots
Note
Low Risk
Low-risk change limited to package metadata and dependency version bumps; main risk is any behavioral/compatibility change introduced by the upgraded `@btst/db` / `@btst/adapter-memory` and `better-call` peer requirement.
Overview
Bumps `@btst/stack` from 2.11.2 to 2.11.3 and upgrades `@btst/db` to 2.2.1 (plus `@btst/adapter-memory` to 2.2.1). Updates the `better-call` peer dependency minimum from `>=1.3.2` to `>=1.3.5`.
Reviewed by Cursor Bugbot for commit 9b26bd9. Bugbot is set up for automated code reviews on this repo.