From d3dd6a818b6491ba6d166212b1196aa7c779f797 Mon Sep 17 00:00:00 2001
From: Tal Zaccai
Date: Tue, 2 Jun 2026 23:13:31 -0700
Subject: [PATCH 1/2] Bump exifreader to ^4.39.0 and adopt new TypedTag GPS shape

Resolves Dependabot alerts #399 (medium: unbounded decompression DoS) and #400 (high: crafted ICC mluc tag DoS), both patched in 4.39.0.

Newer exifreader added a second type parameter to TypedTag that exposes the parsed value as [number | null, number | null, number | null] for GPS rational arrays. Widen the exifGPSTagToLatLong signature in typechat-utils/location.ts to accept the new shape. exifGPSTagToLatLong only reads .description (a string), so the looser value tuple has no runtime effect.

This supersedes the temporary `exifreader: 4.30.1` pnpm override introduced in #2425. The fixer auto-raised that pin during its next run because the patched version is needed to close the CVEs; this PR removes the override and updates the type signature so the bump can actually land.

Verified:
- `pnpm install` clean; lockfile collapses to exifreader@4.40.3 (one resolution)
- `pnpm --filter typechat-utils build` passes
- `pnpm --filter agent-dispatcher... build` passes (includes knowledge-processor and image-memory consumers)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 ts/examples/chat/package.json | 2 +-
 ts/examples/commandHistogram/package.json | 2 +-
 ts/package.json | 1 -
 ts/packages/defaultAgentProvider/package.json | 2 +-
 .../dispatcher/dispatcher/package.json | 2 +-
 ts/packages/knowledgeProcessor/package.json | 2 +-
 ts/packages/utils/typechatUtils/package.json | 2 +-
 .../utils/typechatUtils/src/location.ts | 10 ++++-
 ts/pnpm-lock.yaml | 39 +++++++++----------
 9 files changed, 33 insertions(+), 29 deletions(-)

diff --git a/ts/examples/chat/package.json b/ts/examples/chat/package.json
index 7b05d95240..0fa0d7cc12 100644
--- a/ts/examples/chat/package.json
+++ b/ts/examples/chat/package.json
@@ -34,7 +34,7 @@
 "conversation-memory": "workspace:*",
 "dotenv": "^16.3.1",
 "examples-lib": "workspace:*",
- "exifreader": "^4.30.1",
+ "exifreader": "^4.39.0",
 "image-memory": "workspace:*",
 "interactive-app": "workspace:*",
 "knowledge-processor": "workspace:*",
diff --git a/ts/examples/commandHistogram/package.json b/ts/examples/commandHistogram/package.json
index 6360327716..800962181d 100644
--- a/ts/examples/commandHistogram/package.json
+++ b/ts/examples/commandHistogram/package.json
@@ -32,7 +32,7 @@
 "code-processor": "workspace:*",
 "conversation-memory": "workspace:*",
 "dotenv": "^16.3.1",
- "exifreader": "^4.30.1",
+ "exifreader": "^4.39.0",
 "image-memory": "workspace:*",
 "interactive-app": "workspace:*",
 "knowledge-processor": "workspace:*",
diff --git a/ts/package.json b/ts/package.json
index 419a653004..99234246d3 100644
--- a/ts/package.json
+++ b/ts/package.json
@@ -131,7 +131,6 @@
 },
 "overrides": {
 "@azure/core-xml": ">=1.5.0 <2.0.0",
- "exifreader": "4.30.1",
 "express>path-to-regexp": "0.1.13",
 "fast-xml-parser": ">=5.5.7 <6.0.0",
 "hono": ">=4.12.8 <5.0.0",
diff --git a/ts/packages/defaultAgentProvider/package.json b/ts/packages/defaultAgentProvider/package.json
index 3fc0b7405a..b9aac5385c 100644
--- a/ts/packages/defaultAgentProvider/package.json
+++ b/ts/packages/defaultAgentProvider/package.json
@@ -57,7 +57,7 @@
 "discord-agent": "workspace:*",
 "dispatcher-node-providers": "workspace:*",
 "email": "workspace:*",
- "exifreader": "^4.30.1",
+ "exifreader": "^4.39.0",
 "file-size": "^1.0.0",
 "github-cli-agent": "workspace:*",
 "glob": "^13.0.0",
diff --git a/ts/packages/dispatcher/dispatcher/package.json b/ts/packages/dispatcher/dispatcher/package.json
index d3a18e1d2b..ebea60d1d6 100644
--- a/ts/packages/dispatcher/dispatcher/package.json
+++ b/ts/packages/dispatcher/dispatcher/package.json
@@ -62,7 +62,7 @@
 "chalk": "^5.4.1",
 "conversation-memory": "workspace:*",
 "debug": "^4.4.0",
- "exifreader": "^4.30.1",
+ "exifreader": "^4.39.0",
 "file-size": "^1.0.0",
 "glob": "^13.0.0",
 "grammar-tools-core": "workspace:*",
diff --git a/ts/packages/knowledgeProcessor/package.json b/ts/packages/knowledgeProcessor/package.json
index 2f569e44e9..55b2b1e536 100644
--- a/ts/packages/knowledgeProcessor/package.json
+++ b/ts/packages/knowledgeProcessor/package.json
@@ -38,7 +38,7 @@
 "@typeagent/config": "workspace:*",
 "aiclient": "workspace:*",
 "debug": "^4.4.0",
- "exifreader": "^4.30.1",
+ "exifreader": "^4.39.0",
 "sharp": "^0.33.5",
 "typeagent": "workspace:*",
 "typechat": "^0.1.1",
diff --git a/ts/packages/utils/typechatUtils/package.json b/ts/packages/utils/typechatUtils/package.json
index fab8cea209..dcae1f433e 100644
--- a/ts/packages/utils/typechatUtils/package.json
+++ b/ts/packages/utils/typechatUtils/package.json
@@ -37,7 +37,7 @@
 "chalk": "^5.4.1",
 "date-fns": "^4.1.0",
 "debug": "^4.4.0",
- "exifreader": "^4.30.1",
+ "exifreader": "^4.39.0",
 "telemetry": "workspace:*",
 "typechat": "^0.1.1"
 },
diff --git a/ts/packages/utils/typechatUtils/src/location.ts b/ts/packages/utils/typechatUtils/src/location.ts
index 24c7421175..1aa838f296 100644
--- a/ts/packages/utils/typechatUtils/src/location.ts
+++ b/ts/packages/utils/typechatUtils/src/location.ts
@@ -56,12 +56,18 @@ export type LatLong = { export function exifGPSTagToLatLong( exifLat: | XmpTag - | TypedTag<[[number, number], [number, number], [number, number]]> + | TypedTag< + [[number, number], [number, number], [number, number]], + [number | null, number | null, number | null] + > | undefined, exifLatRef: XmpTag | StringArrayTag | undefined, exifLong: | XmpTag - | TypedTag<[[number, number], [number, number], [number, number]]> + | TypedTag< + [[number, number], [number, number], [number, number]], + [number | null, number | null, number | null] + > | undefined, exifLongRef: XmpTag | StringArrayTag | undefined, ): LatLong | undefined { diff --git a/ts/pnpm-lock.yaml b/ts/pnpm-lock.yaml index 57c5fa9dbb..0532c5900e 100644 --- a/ts/pnpm-lock.yaml +++ b/ts/pnpm-lock.yaml @@ -6,7 +6,6 @@ settings: overrides: '@azure/core-xml': '>=1.5.0 <2.0.0' - exifreader: 4.30.1 express>path-to-regexp: 0.1.13 fast-xml-parser: '>=5.5.7 <6.0.0' hono: '>=4.12.8 <5.0.0' @@ -156,7 +155,7 @@ importers: version: 8.18.1 jest: specifier: ^29.7.0 - version: 29.7.0(@types/node@25.9.1)(ts-node@10.9.2(@types/node@25.9.1)(typescript@5.4.5)) + version: 29.7.0(@types/node@22.19.19)(ts-node@10.9.2(@types/node@22.19.19)(typescript@5.4.5)) prettier: specifier: ^3.5.3 version: 3.5.3 @@ -200,8 +199,8 @@ importers: specifier: workspace:* version: link:../examplesLib exifreader: - specifier: 4.30.1 - version: 4.30.1 + specifier: ^4.39.0 + version: 4.40.3 image-memory: specifier: workspace:* version: link:../../packages/memory/image @@ -307,8 +306,8 @@ importers: specifier: ^16.3.1 version: 16.5.0 exifreader: - specifier: 4.30.1 - version: 4.30.1 + specifier: ^4.39.0 + version: 4.40.3 image-memory: specifier: workspace:* version: link:../../packages/memory/image 
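Review bot: The widened `TypedTag<…>` member is spelled out twice in the new `exifGPSTagToLatLong` signature (once for `exifLat`, once for `exifLong`), so the next exifreader type change has to be applied in two places; hoisting it into a file-local alias, `type ExifGpsRationalTag = TypedTag<[[number, number], [number, number], [number, number]], [number | null, number | null, number | null]>;`, and writing `exifLat: XmpTag | ExifGpsRationalTag | undefined,` (same for `exifLong`) keeps the signature readable and leaves a single point of change. The commit message says the body reads only `.description`; since that body lies outside the hunk, a one-line JSDoc on the signature such as `/** Only .description is consulted; the value tuple may now contain null entries and is intentionally not read. */` would record that contract where a future maintainer reaching for `.value` will see it. As far as the hunk shows the change is type-level only, so these are shape and documentation points rather than a runtime defect. exifGPSTagToLatLong's body continues outside the hunk.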
@@ -1392,7 +1391,7 @@ importers: version: 29.5.14 jest: specifier: ^29.7.0 - version: 29.7.0(@types/node@22.19.19)(ts-node@10.9.2(@types/node@22.19.19)(typescript@5.4.5)) + version: 29.7.0(@types/node@25.9.1)(ts-node@10.9.2(@types/node@25.9.1)(typescript@5.4.5)) rimraf: specifier: ^6.0.1 version: 6.0.1 @@ -4226,8 +4225,8 @@ importers: specifier: workspace:* version: link:../agents/email exifreader: - specifier: 4.30.1 - version: 4.30.1 + specifier: ^4.39.0 + version: 4.40.3 file-size: specifier: ^1.0.0 version: 1.0.0 @@ -4431,8 +4430,8 @@ importers: specifier: ^4.4.0 version: 4.4.3(supports-color@8.1.1) exifreader: - specifier: 4.30.1 - version: 4.30.1 + specifier: ^4.39.0 + version: 4.40.3 file-size: specifier: ^1.0.0 version: 1.0.0 @@ -4819,8 +4818,8 @@ importers: specifier: ^4.4.0 version: 4.4.1 exifreader: - specifier: 4.30.1 - version: 4.30.1 + specifier: ^4.39.0 + version: 4.40.3 sharp: specifier: ^0.33.5 version: 0.33.5 @@ -5722,8 +5721,8 @@ importers: specifier: ^4.4.0 version: 4.4.3(supports-color@8.1.1) exifreader: - specifier: 4.30.1 - version: 4.30.1 + specifier: ^4.39.0 + version: 4.40.3 telemetry: specifier: workspace:* version: link:../../telemetry @@ -11800,8 +11799,8 @@ packages: resolution: {integrity: sha512-8uSpZZocAZRBAPIEINJj3Lo9HyGitllczc27Eh5YYojjMFMn8yHMDMaUHE2Jqfq05D/wucwI4JGURyXt1vchyg==} engines: {node: '>=10'} - exifreader@4.30.1: - resolution: {integrity: sha512-XoEKKQ0FmJwCKHnuErceFAM+MSfZ+px7Nci5BhBP1cgEHi/fHSBvQySsdfd0MaFHzNh8ITsRNwpnvkMuIPicrg==} + exifreader@4.40.3: + resolution: {integrity: sha512-58NvuV/lmrUoxR6Y3s5U3rwxn8ITB8xod2WgOkwew0oR5ziQj2bcJSXMbOTQPytnZi3grztHQhgZnHBSe3/P4A==} exit@0.1.2: resolution: {integrity: sha512-Zk/eNKV2zbjpKzrsQ+n1G6poVbErQxJ0LBOJXaKZ1EViLzH+hrLu9cdXI4zw9dBQJslwBEpbQ2P1oS7nDxs6jQ==} 
@@ -16708,7 +16707,7 @@ snapshots: '@anthropic-ai/claude-agent-sdk@0.2.105': dependencies: - '@anthropic-ai/sdk': 0.81.0(zod@4.1.13) + '@anthropic-ai/sdk': 0.81.0(zod@3.25.76) '@modelcontextprotocol/sdk': 1.29.0 optionalDependencies: '@img/sharp-darwin-arm64': 0.34.5 @@ -20062,7 +20061,7 @@ snapshots: json-schema-typed: 8.0.2 pkce-challenge: 5.0.1 raw-body: 3.0.2 - zod-to-json-schema: 3.25.1(zod@4.1.13) + zod-to-json-schema: 3.25.1(zod@3.25.76) transitivePeerDependencies: - supports-color @@ -24590,7 +24589,7 @@ snapshots: signal-exit: 3.0.7 strip-final-newline: 2.0.0 - exifreader@4.30.1: + exifreader@4.40.3: optionalDependencies: '@xmldom/xmldom': 0.9.10 From d36b1be28f09974ffd5eebcfb086da8f1a61891f Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Wed, 3 Jun 2026 07:27:52 +0000 Subject: [PATCH 2/2] fix: remediate Dependabot security alerts Automated by fix-dependabot-alerts workflow. Applied: diff esbuild ip-address lodash-es nodemailer qs underscore uuid vite ws xml2js Rolled back: @anthropic-ai/sdk Blocked: 0 package(s) Shell packaging: passed Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --- ts/packages/agents/browser/package.json | 2 +- ts/packages/agents/markdown/package.json | 2 +- ts/packages/shell/package.json | 2 +- ts/pnpm-lock.yaml | 26 ++++++++++++------------ 4 files changed, 16 insertions(+), 16 deletions(-) diff --git a/ts/packages/agents/browser/package.json b/ts/packages/agents/browser/package.json index b0248018a6..a88c258c88 100644 --- a/ts/packages/agents/browser/package.json +++ b/ts/packages/agents/browser/package.json @@ -146,7 +146,7 @@ "rollup-plugin-copy": "^3.5.0", "ts-jest": "^29.3.2", "ts-loader": "^9.5.1", - "vite": "^6.4.2" + "vite": "^6.4.3" }, "fluidBuild": { "tasks": { diff --git a/ts/packages/agents/markdown/package.json b/ts/packages/agents/markdown/package.json index 857eaee4b2..ffc00a8651 100644 
--- a/ts/packages/agents/markdown/package.json +++ b/ts/packages/agents/markdown/package.json @@ -79,7 +79,7 @@ "rimraf": "^6.0.1", "sanitize-filename": "^1.6.3", "typescript": "~5.4.5", - "vite": "^6.4.2" + "vite": "^6.4.3" }, "fluidBuild": { "tasks": { diff --git a/ts/packages/shell/package.json b/ts/packages/shell/package.json index a5e1ba8622..219fb0ffe7 100644 --- a/ts/packages/shell/package.json +++ b/ts/packages/shell/package.json @@ -109,7 +109,7 @@ "run-script-os": "^1.1.6", "type-fest": "^4.39.1", "typescript": "~5.4.5", - "vite": "^6.4.2" + "vite": "^6.4.3" }, "fluidBuild": { "tasks": { diff --git a/ts/pnpm-lock.yaml b/ts/pnpm-lock.yaml index 0532c5900e..8beb02dd65 100644 --- a/ts/pnpm-lock.yaml +++ b/ts/pnpm-lock.yaml @@ -2032,8 +2032,8 @@ importers: specifier: ^9.5.1 version: 9.5.2(typescript@5.4.5)(webpack@5.105.0(esbuild@0.27.7)) vite: - specifier: ^6.4.2 - version: 6.4.2(@types/node@22.15.18)(jiti@2.5.1)(less@4.3.0)(terser@5.39.2)(tsx@4.21.0)(yaml@2.8.3) + specifier: ^6.4.3 + version: 6.4.3(@types/node@22.15.18)(jiti@2.5.1)(less@4.3.0)(terser@5.39.2)(tsx@4.21.0)(yaml@2.8.3) packages/agents/calendar: dependencies: @@ -2641,8 +2641,8 @@ importers: specifier: ~5.4.5 version: 5.4.5 vite: - specifier: ^6.4.2 - version: 6.4.2(@types/node@25.9.1)(jiti@2.5.1)(less@4.3.0)(terser@5.39.2)(tsx@4.21.0)(yaml@2.8.3) + specifier: ^6.4.3 + version: 6.4.3(@types/node@25.9.1)(jiti@2.5.1)(less@4.3.0)(terser@5.39.2)(tsx@4.21.0)(yaml@2.8.3) packages/agents/montage: dependencies: @@ -5473,7 +5473,7 @@ importers: version: 26.8.1(dmg-builder@26.8.1) electron-vite: specifier: ^4.0.1 - version: 4.0.1(vite@6.4.2(@types/node@25.9.1)(jiti@2.5.1)(less@4.3.0)(terser@5.39.2)(tsx@4.21.0)(yaml@2.8.3)) + version: 4.0.1(vite@6.4.3(@types/node@25.9.1)(jiti@2.5.1)(less@4.3.0)(terser@5.39.2)(tsx@4.21.0)(yaml@2.8.3)) jest: specifier: ^29.7.0 version: 29.7.0(@types/node@25.9.1)(ts-node@10.9.2(@types/node@25.9.1)(typescript@5.4.5)) 
@@ -5493,8 +5493,8 @@ importers: specifier: ~5.4.5 version: 5.4.5 vite: - specifier: ^6.4.2 - version: 6.4.2(@types/node@25.9.1)(jiti@2.5.1)(less@4.3.0)(terser@5.39.2)(tsx@4.21.0)(yaml@2.8.3) + specifier: ^6.4.3 + version: 6.4.3(@types/node@25.9.1)(jiti@2.5.1)(less@4.3.0)(terser@5.39.2)(tsx@4.21.0)(yaml@2.8.3) packages/telemetry: dependencies: @@ -16182,8 +16182,8 @@ packages: terser: optional: true - vite@6.4.2: - resolution: {integrity: sha512-2N/55r4JDJ4gdrCvGgINMy+HH3iRpNIz8K6SFwVsA+JbQScLiC+clmAxBgwiSPgcG9U15QmvqCGWzMbqda5zGQ==} + vite@6.4.3: + resolution: {integrity: sha512-NTKlcQjlAK7MlQoyb6LgaqHc8sso/pVyUJYWMws3jg21uTJw/LddqIFPcPqP6PzpgbIcZyKI85sFE4HBrQDA8A==} engines: {node: ^18.0.0 || ^20.0.0 || >=22.0.0} hasBin: true peerDependencies: @@ -24201,7 +24201,7 @@ snapshots: transitivePeerDependencies: - supports-color - electron-vite@4.0.1(vite@6.4.2(@types/node@25.9.1)(jiti@2.5.1)(less@4.3.0)(terser@5.39.2)(tsx@4.21.0)(yaml@2.8.3)): + electron-vite@4.0.1(vite@6.4.3(@types/node@25.9.1)(jiti@2.5.1)(less@4.3.0)(terser@5.39.2)(tsx@4.21.0)(yaml@2.8.3)): dependencies: '@babel/core': 7.28.4 '@babel/plugin-transform-arrow-functions': 7.27.1(@babel/core@7.28.4) @@ -24209,7 +24209,7 @@ snapshots: esbuild: 0.25.12 magic-string: 0.30.17 picocolors: 1.1.1 - vite: 6.4.2(@types/node@25.9.1)(jiti@2.5.1)(less@4.3.0)(terser@5.39.2)(tsx@4.21.0)(yaml@2.8.3) + vite: 6.4.3(@types/node@25.9.1)(jiti@2.5.1)(less@4.3.0)(terser@5.39.2)(tsx@4.21.0)(yaml@2.8.3) transitivePeerDependencies: - supports-color @@ -30298,7 +30298,7 @@ snapshots: less: 4.3.0 terser: 5.39.2 - vite@6.4.2(@types/node@22.15.18)(jiti@2.5.1)(less@4.3.0)(terser@5.39.2)(tsx@4.21.0)(yaml@2.8.3): + vite@6.4.3(@types/node@22.15.18)(jiti@2.5.1)(less@4.3.0)(terser@5.39.2)(tsx@4.21.0)(yaml@2.8.3): dependencies: esbuild: 0.25.11 fdir: 6.5.0(picomatch@4.0.4) 
@@ -30315,7 +30315,7 @@ snapshots: tsx: 4.21.0 yaml: 2.8.3 - vite@6.4.2(@types/node@25.9.1)(jiti@2.5.1)(less@4.3.0)(terser@5.39.2)(tsx@4.21.0)(yaml@2.8.3): + vite@6.4.3(@types/node@25.9.1)(jiti@2.5.1)(less@4.3.0)(terser@5.39.2)(tsx@4.21.0)(yaml@2.8.3): dependencies: esbuild: 0.25.11 fdir: 6.5.0(picomatch@4.0.4)