
deps: weekly upgrade 2026-05-17 #166

Closed
pokle wants to merge 3 commits into master from claude/fervent-ptolemy-5rFMN


Conversation

@pokle (Owner) commented May 17, 2026

Summary

  • Fix HIGH kysely vulnerability (GHSA-pv5w-4p9q-p3v2): JSON-path traversal injection via unsanitized metacharacters in JSONPathBuilder.key() / .at(). Direct dep was already at 0.28.17 but transitive deps from better-auth/kysely-d1 resolved to older versions — added override.
  • better-auth 1.6.11 security hardening: constant-time secret comparison in OAuth/MCP plugins, OAuth 2.1 compliance (removed "none" algorithm, disabled plain PKCE), invitation takeover fix, SSRF protection for OIDC endpoints.
  • Routine bumps: hono 4.12.19, agents 0.12.4, katex 0.16.47, vitest 4.1.6, Playwright 1.60.0 (Chromium 148), weekly type updates.

Full details in docs/dependency-review-log.md (2026-05-17 entry).

Verification

  • bun run typecheck:all — 6 workspace typechecks pass
  • bun run test:all — 411 engine + 229 competition-api + 21 mcp-api tests pass
  • bun run test:e2e — 1 chromium spec passes (Playwright 1.60.0)
  • bun audit — 0 vulnerabilities

Test plan

  • bun audit clean
  • All typechecks pass
  • All unit/integration tests pass
  • E2E test passes (exercises wrangler dev startup)
  • CI branch deploy passes

https://claude.ai/code/session_0184bAU3Yt56ffJfoEnv8pFS


Generated by Claude Code
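The kysely item above turns on a detail that a direct-dependency bump does not cover: the transitive copies pulled in by better-auth and kysely-d1 still resolved to older versions until an override was added. The check below, an added example that is not code from this PR or the glidecomp project, walks a nested dependency tree of the shape `npm ls --json` prints and reports every resolved copy of kysely below the fixed version, so a reviewer can confirm the override reached every copy. The fixed version 0.28.17 is taken from the PR text; the sample tree, its package versions and the helper names are constructed for the example.

```javascript
// Added example (not code from the glidecomp project): scan a nested dependency tree
// and report every resolved copy of a package whose version is below the fixed one.
// The tree shape ({ dependencies: { name: { version, dependencies } } }) is the one
// `npm ls --json` prints; the fixed kysely version 0.28.17 comes from the PR text.
const FIXED_VERSIONS = { kysely: "0.28.17" };

// Parse "MAJOR.MINOR.PATCH" (any pre-release suffix is ignored) into three numbers.
function parseSemver(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  return m.slice(1, 4).map(Number);
}

// Negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Depth-first walk; returns [{ name, version, path }] for every copy below the fix,
// including transitive ones that a direct-dependency bump alone would not touch.
function findVulnerableResolutions(tree, fixed = FIXED_VERSIONS, trail = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies ?? {})) {
    const here = [...trail, `${name}@${node.version}`];
    if (fixed[name] && compareSemver(node.version, fixed[name]) < 0) {
      hits.push({ name, version: node.version, path: here.join(" > ") });
    }
    hits.push(...findVulnerableResolutions(node, fixed, here));
  }
  return hits;
}

// Constructed sample: the direct kysely dependency is already at the fixed version,
// but two transitive copies (package versions made up for this example) are older.
const sampleTree = {
  dependencies: {
    kysely: { version: "0.28.17" },
    "better-auth": { version: "1.6.10", dependencies: { kysely: { version: "0.27.4" } } },
    "kysely-d1": { version: "0.3.0", dependencies: { kysely: { version: "0.26.3" } } },
  },
};

for (const hit of findVulnerableResolutions(sampleTree)) {
  console.log(`needs override: ${hit.path}`);
}
```

Running it against the real tree after the override should print nothing; any line it does print names a path the override did not reach.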

claude and others added 3 commits May 17, 2026 21:41
…ening

- Fix HIGH kysely JSON-path traversal injection (GHSA-pv5w-4p9q-p3v2) via override
- better-auth 1.6.11: constant-time secrets, OAuth 2.1 compliance, invitation takeover fix
- hono 4.12.19, agents 0.12.4, katex 0.16.47, vitest 4.1.6, Playwright 1.60.0
- Weekly type updates: @cloudflare/workers-types, @types/bun, @types/node

See docs/dependency-review-log.md (2026-05-17 entry) for full details.

https://claude.ai/code/session_0184bAU3Yt56ffJfoEnv8pFS
@pokle pokle marked this pull request as ready for review May 23, 2026 08:26
@github-actions

Preview Deployment
https://fc438cc2.glidecomp.pages.dev
Commit: 96ee77f

@pokle pokle closed this May 30, 2026