deps: bump toolchain to latest + patch transitive form-data/hono advisories #7

Merged
intech merged 2 commits into main from deps/bump-toolchain
Jun 20, 2026

intech (Member) commented Jun 20, 2026

Summary

Routine dependency refresh for the container toolchain. Two separable commits:

  1. chore(deps) — bump the pinned npm CLIs to their latest releases.
  2. fix(deps) — patch two transitive high-severity advisories (npm audit fix, no top-level pin drift). This commit is independent and can be dropped if you prefer the bumps alone.

Version bumps (tools/package.json + regenerated tools/package-lock.json)

| Package | From | To | Kind |
| --- | --- | --- | --- |
| @anthropic-ai/claude-code | 2.1.177 | 2.1.183 | patch |
| @agentclientprotocol/claude-agent-acp | 0.44.0 | 0.48.0 | minor (0.x) |
| @colbymchenry/codegraph | 1.0.0 | 1.0.1 | patch |
| pnpm | 11.6.0 | 11.8.0 | minor |

Already at latest — no change: @fission-ai/openspec (1.4.1), caveman-shrink (0.1.0), @modelcontextprotocol/server-sequential-thinking (2025.12.18), perplexity-mcp (0.2.3), typescript (6.0.3), ts-node (10.9.2), prettier (3.8.4), eslint (10.5.0); and the GitHub-release / build-arg deps rtk (v0.42.4), git-delta (0.19.2), caveman (v1.9.0). The Dockerfile is therefore untouched.

Compatibility verification

  • codegraph 1.0.1 keeps both -linux-x64 and -linux-arm64 prebuilt optionalDependencies (registry-confirmed) — multi-arch parity preserved, so the CI arm64 leg is covered. bin (npm-shim.js) unchanged.
  • claude-agent-acp 0.48.0 keeps the same bin (claude-agent-acp), so the CLAUDE_CODE_EXECUTABLE pinning and run_acp.sh are unaffected. Its bundled (unused) @anthropic-ai/claude-agent-sdk moved 0.3.170 → 0.3.183 (image-size only, not executed at runtime).
  • claude-code 2.1.183: reviewed every documented release in range (178/179/181/183 — 180/182 have no changelog/GitHub release). No removal/rename/behavior change to the settings.json keys this image relies on (advisorModel, tui, statusLine, autoUpdates) or to permission-mode handling. Two relevant fixes land for free: the startup "setup issues" line moved to /doctor, and fullscreen statusline-corruption was fixed.
  • pnpm 11.8.0 requires Node >=22.13; the base node:22-trixie-slim ships v22.22.3 — satisfied.

Transitive security patch (fix(deps) commit)

npm audit fix --package-lock-only cleanly resolves two pre-existing advisories with no top-level pin drift (4 → 2 high-severity):

  • form-data 4.0.5 → 4.0.6 (GHSA-hmw2-7cc7-3qxx, CRLF injection)
  • hono 4.12.23 → 4.12.26 (path-traversal / CORS / body-limit advisories)

Remaining 2 high (accepted residual, documented in SECURITY.md): @modelcontextprotocol/sdk (≤1.25.1), pulled in transitively by perplexity-mcp@0.2.3 (latest, pins the old SDK) — upstream "no fix available". perplexity-mcp runs as a stdio server here, so the DNS-rebinding vector (GHSA-w48q-cv73-mx4w) is not reachable; closing it fully would mean dropping perplexity-mcp or an npm overrides pin (a follow-up that may break its SDK API usage).

Validation

  • npm ci from the regenerated lockfile installs cleanly; all 12 top-level pins resolve to the exact pinned versions.
  • Local image build on amd64 (docker build). The arm64 leg is not exercised locally — it is covered by the registry optionalDeps parity check above and by CI's multi-arch build.

Docs

README.md and CLAUDE.md version strings synced; CLAUDE.md now documents running npm audit after a lockfile regen; SECURITY.md documents the accepted transitive residual.

intech and others added 2 commits June 20, 2026 12:14
- @anthropic-ai/claude-code 2.1.177 -> 2.1.183
- @agentclientprotocol/claude-agent-acp 0.44.0 -> 0.48.0
- @colbymchenry/codegraph 1.0.0 -> 1.0.1
- pnpm 11.6.0 -> 11.8.0

Regenerated tools/package-lock.json inside node:22 (npm ci verified; all 12
top-level pins remain exact). codegraph 1.0.1 keeps both linux-x64 and
linux-arm64 prebuilt optionalDeps (multi-arch parity preserved). claude-agent-acp
bin is unchanged (claude-agent-acp), so the CLAUDE_CODE_EXECUTABLE pinning stays
intact; its transitive claude-agent-sdk moved 0.3.170 -> 0.3.183 (bundled, unused
binary - image size only). No regressions to permission modes or the settings.json
keys (advisorModel, tui, statusLine, autoUpdates) across the documented 2.1.x
releases (178/179/181/183) between the old and new pins.

RTK (v0.42.4), git-delta (0.19.2) and caveman (v1.9.0) are already at their latest
releases - no Dockerfile change. Synced version strings in README.md and CLAUDE.md,
and documented running npm audit after a lockfile regen.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

npm audit fix --package-lock-only (no top-level pin drift):
- form-data 4.0.5 -> 4.0.6 (GHSA-hmw2-7cc7-3qxx: CRLF injection)
- hono 4.12.23 -> 4.12.26 (path traversal / CORS / body-limit advisories)

Reduces npm audit from 4 -> 2 high-severity. The remaining two are in
@modelcontextprotocol/sdk (<=1.25.1), pulled in transitively by perplexity-mcp
0.2.3 (the latest release, which pins the old SDK) - upstream marks both "no fix
available". Documented in SECURITY.md as a deliberately accepted residual:
perplexity-mcp runs as a stdio server here, so the DNS-rebinding vector
(GHSA-w48q-cv73-mx4w) is not reachable; closing it fully would require dropping
perplexity-mcp or an npm overrides pin (user-decided follow-up, may break its SDK
API usage).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@intech intech merged commit 58206e2 into main Jun 20, 2026
3 checks passed
@intech intech deleted the deps/bump-toolchain branch June 20, 2026 08:24
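
The "no top-level pin drift" claim in the description and in the fix(deps) commit message can be checked mechanically after any `npm audit fix --package-lock-only` run. The following is an added example, not code from this repository: `checkPinDrift` is a hypothetical helper that assumes the lockfileVersion 3 layout, and the manifest and lockfiles below are constructed (package names and versions are taken from the PR; the hoisting positions and the use of `dependencies` are assumptions).

```javascript
// Exact semver pin: no ranges, tags or URLs ("11.8.0", not "^11.8.0").
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

// Package name for a lockfile v3 key: "node_modules/a/node_modules/b" -> "b".
const nameOf = (key) => key.split("node_modules/").pop();

// Hypothetical helper: compares package.json pins with the regenerated lock,
// and lists every other version change between the old and new lockfile.
function checkPinDrift(pkg, lockBefore, lockAfter) {
  const pins = { ...pkg.dependencies, ...pkg.devDependencies };
  const problems = [];
  for (const [name, spec] of Object.entries(pins)) {
    const locked = lockAfter.packages[`node_modules/${name}`]?.version;
    if (!EXACT.test(spec)) problems.push(`${name}: "${spec}" is not an exact pin`);
    else if (locked !== spec) problems.push(`${name}: pinned ${spec}, lock resolves ${locked}`);
  }
  // Anything else that moved is a transitive change a reviewer should see.
  const transitive = [];
  for (const [key, entry] of Object.entries(lockAfter.packages)) {
    const old = lockBefore.packages[key];
    if (key === "" || !old || old.version === entry.version) continue;
    const name = nameOf(key);
    if (key === `node_modules/${name}` && name in pins) continue; // reported above
    transitive.push(`${name} ${old.version} -> ${entry.version}`);
  }
  return { problems, transitive: transitive.sort() };
}

// Constructed sample data: a two-pin manifest and a lock before/after the audit fix.
const samplePkg = { dependencies: { pnpm: "11.8.0", "perplexity-mcp": "0.2.3" } };
const sampleBefore = { lockfileVersion: 3, packages: {
  "": { dependencies: samplePkg.dependencies },
  "node_modules/pnpm": { version: "11.8.0" },
  "node_modules/perplexity-mcp": { version: "0.2.3" },
  "node_modules/form-data": { version: "4.0.5" },
  "node_modules/hono": { version: "4.12.23" },
} };
const sampleAfter = JSON.parse(JSON.stringify(sampleBefore));
sampleAfter.packages["node_modules/form-data"].version = "4.0.6";
sampleAfter.packages["node_modules/hono"].version = "4.12.26";

console.log(checkPinDrift(samplePkg, sampleBefore, sampleAfter));
```

An empty `problems` list with only the expected entries in `transitive` matches what the PR reports; a non-empty `problems` list means a top-level pin was loosened or the lock no longer resolves it exactly.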