
fix: remediate Dependabot security alerts (2026-06-03)#2427

Merged
TalZaccai merged 2 commits into
mainfrom
automated/fix-dependabot-alerts-20260603-72
Jun 3, 2026

Conversation


@typeagent-bot typeagent-bot Bot commented Jun 3, 2026

Automated Dependabot Alert Remediation

This PR was automatically generated by the fix-dependabot-alerts workflow.
Each fix was applied individually and build-verified before inclusion.

Summary

  • Applied (11): diff esbuild ip-address lodash-es nodemailer qs underscore uuid vite ws xml2js
  • Blocked (0): (none)
  • No patch available (0): (none)
  • Rolled back (1): @anthropic-ai/sdk
  • Skipped (recent rollback, 0): (none)
  • Workspaces with analysis failures: (none)
  • Build: ✅ Passed
  • Shell packaging: ✅ Passed

Note: the analysis source (fix-dependabot-alerts.mjs) is broader than the GitHub Dependabot REST API — it also audits the lockfile directly. Some packages listed above may not have a corresponding open Dependabot alert, and vice versa.

How this works

  1. Analyses all open Dependabot alerts
  2. Applies each fix individually with build verification
  3. Rolls back any fix that breaks the build
  4. Only passing fixes are included in this PR

Review checklist

  • Check that no breaking changes were introduced
  • Verify rolled-back packages are investigated separately
  • Run tests locally if concerned about specific packages

TalZaccai and others added 2 commits June 2, 2026 23:13
Resolves Dependabot alerts #399 (medium: unbounded decompression DoS)
and #400 (high: crafted ICC mluc tag DoS), both patched in 4.39.0.

Newer exifreader added a second type parameter to TypedTag that exposes
the parsed value as [number | null, number | null, number | null] for
GPS rational arrays. Widen the exifGPSTagToLatLong signature in
typechat-utils/location.ts to accept the new shape. exifGPSTagToLatLong
only reads .description (a string), so the looser value tuple has no
runtime effect.

This supersedes the temporary `exifreader: 4.30.1` pnpm override
introduced in #2425. The fixer auto-raised that pin during its next
run because the patched version is needed to close the CVEs; this PR
removes the override and updates the type signature so the bump can
actually land.

Verified:
- `pnpm install` clean; lockfile collapses to exifreader@4.40.3 (one
  resolution)
- `pnpm --filter typechat-utils build` passes
- `pnpm --filter agent-dispatcher... build` passes (includes
  knowledge-processor and image-memory consumers)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
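An added example (not TypeAgent's or exifreader's own code) of the point the commit message makes: the widened parameter type accepts both the old and the new GPS rational value shape, and because only `.description` is read the result is identical. The `GpsTag` interface, both value types and the decimal-degrees parsing are assumptions standing in for exifreader's real `TypedTag` and for the project's `exifGPSTagToLatLong`.

```typescript
// Simplified stand-in for exifreader's TypedTag (assumption, not the real generic).
interface GpsTag<V> {
  description: string; // exifreader's human-readable value, e.g. "51.50735"
  value: V;            // raw rational data; this is the shape that changed upstream
}

// Value shape assumed for older exifreader: [numerator, denominator] pairs.
type OldGpsValue = [number, number][];
// Value shape the commit message describes for newer exifreader.
type NewGpsValue = [number | null, number | null, number | null];

interface LatLong {
  latitude: number;
  longitude: number;
}

// Widened signature: accepts either value shape. Only .description is read,
// so the union is a type-only change with no effect at runtime.
function exifGPSTagToLatLong(
  lat: GpsTag<OldGpsValue | NewGpsValue>,
  long: GpsTag<OldGpsValue | NewGpsValue>,
): LatLong | undefined {
  const latitude = parseDegrees(lat.description, 90);
  const longitude = parseDegrees(long.description, 180);
  if (latitude === undefined || longitude === undefined) {
    return undefined; // refuse partial or malformed coordinates
  }
  return { latitude, longitude };
}

// Parse a signed decimal-degrees string (assumed format), rejecting empty,
// non-numeric and out-of-range input instead of letting NaN reach callers.
function parseDegrees(text: string, limit: number): number | undefined {
  const trimmed = text.trim();
  if (trimmed === "") return undefined; // Number("") would silently be 0
  const n = Number(trimmed);
  if (!Number.isFinite(n) || Math.abs(n) > limit) return undefined;
  return n;
}

// Constructed sample tags: same description, different raw value shapes.
const oldStyleLat: GpsTag<OldGpsValue> = { description: "51.50735", value: [[51, 1], [30, 1], [2646, 100]] };
const oldStyleLong: GpsTag<OldGpsValue> = { description: "-0.12776", value: [[0, 1], [7, 1], [39936, 1000]] };
const newStyleLat: GpsTag<NewGpsValue> = { description: "51.50735", value: [51, 30, 26.46] };
const newStyleLong: GpsTag<NewGpsValue> = { description: "-0.12776", value: [0, 7, 39.936] };
const badLat: GpsTag<NewGpsValue> = { description: "n/a", value: [null, null, null] };
```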

Automated by fix-dependabot-alerts workflow.

Applied: diff esbuild ip-address lodash-es nodemailer qs underscore uuid vite ws xml2js
Rolled back: @anthropic-ai/sdk
Blocked: 0 package(s)
Shell packaging: passed

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
@typeagent-bot typeagent-bot Bot added the dependencies and security labels Jun 3, 2026
@typeagent-bot typeagent-bot Bot temporarily deployed to development-fork June 3, 2026 07:28 Inactive
@typeagent-bot typeagent-bot Bot had a problem deploying to development-fork June 3, 2026 07:28 Failure
@TalZaccai TalZaccai added this pull request to the merge queue Jun 3, 2026
Merged via the queue into main with commit 056cbfb Jun 3, 2026
20 of 21 checks passed