fix(triage): bump deps to address 20 Dependabot security alerts #6
- undici 7.18.2+ (6 CVEs: memory exhaustion, WebSocket crashes, smuggling, CRLF)
- hono 4.12.7+ (4 CVEs: file access, cookie injection, SSE injection, proto pollution)
- @hono/node-server 1.19.10 (CVE-2026-29087: auth bypass)
- express-rate-limit 8.2.2 (CVE-2026-30827: IPv6 rate limit bypass)
- minimatch 10.2.3 (CVE-2026-27903: ReDoS)
- flatted 3.4.2 (CVE-2026-33228: prototype pollution)
- js-yaml 4.1.1 (CVE-2025-64718: prototype pollution)
- picomatch 4.0.4 (CVE-2026-33672: method injection)

Ref: agent-twitter-client-mcp_dependabot_2026-03-30.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Cursor Bugbot has reviewed your changes and found 1 potential issue.
    "js-yaml": "^4.1.1",
    "minimatch": "^10.2.5",
    "path-to-regexp": "^8.4.0",
    "picomatch": "^4.0.4",
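Review bot: the pins in this package.json excerpt do not match the PR description: minimatch is `"^10.2.5"` here while the description lists minimatch 10.2.3 (CVE-2026-27903), and `"path-to-regexp": "^8.4.0"` appears in the excerpt but is not mentioned in the description at all. Suggest aligning the description with the actual pins and stating why path-to-regexp was added or changed, so the CVE-to-version mapping can be checked during review.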
Dev-only packages incorrectly added as production dependencies
Medium Severity
flatted, js-yaml, minimatch, and picomatch are transitive dependencies exclusively of dev tooling (eslint, jest, @typescript-eslint) — none are imported in the source code or required by any production dependency. Adding them to dependencies instead of devDependencies means anyone installing this published package (publishConfig: { access: "public" }) gets four unnecessary dependency trees, including a major-version-bumped minimatch v10 and picomatch v4. Moving them to devDependencies would still fix the dev-tool CVEs while keeping the production install clean.
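As an added example (not code from this PR or the repository): a small check that lists entries in `dependencies` that no production source file imports, which is the mismatch the comment above describes. The package.json object and the source snippets are constructed here to mirror this PR; they are not the project's real files.

```javascript
// Added example, not part of the PR. Finds declared production dependencies
// that production source never imports (candidates for devDependencies).

// Matches `import x from 'pkg'`, `import 'pkg'`, `import('pkg')`, `require('pkg')`.
const IMPORT_RE = /(?:from\s*|import\s*\(?\s*|require\s*\(\s*)['"]([^'"]+)['"]/g;

// Reduce an import specifier to its package name: 'hono/cors' -> 'hono',
// '@hono/node-server/serve-static' -> '@hono/node-server'. Relative paths and
// builtins ('node:fs') are not packages and yield null.
function packageName(spec) {
  if (spec.startsWith('.') || spec.startsWith('/') || spec.startsWith('node:')) return null;
  const parts = spec.split('/');
  return spec.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

// Collect the set of package names imported anywhere in the given sources.
function importedPackages(sources) {
  const found = new Set();
  for (const src of sources) {
    for (const m of src.matchAll(IMPORT_RE)) {
      const name = packageName(m[1]);
      if (name) found.add(name);
    }
  }
  return found;
}

// Production dependencies that no production source imports, sorted by name.
function unusedProdDeps(pkg, sources) {
  const used = importedPackages(sources);
  return Object.keys(pkg.dependencies || {}).filter((d) => !used.has(d)).sort();
}

// Constructed sample mirroring the PR: dev-tool transitive deps placed under
// "dependencies" alongside the packages the server really uses.
const samplePkg = {
  dependencies: {
    '@hono/node-server': '^1.19.10', hono: '^4.12.7', undici: '^7.18.2',
    'express-rate-limit': '^8.2.2', flatted: '^3.4.2', 'js-yaml': '^4.1.1',
    minimatch: '^10.2.5', picomatch: '^4.0.4',
  },
  devDependencies: { eslint: '^9.0.0', jest: '^29.0.0' },
};
const sampleSources = [
  "import { Hono } from 'hono';\nimport { serve } from '@hono/node-server';",
  "import { fetch } from 'undici';\nconst limiter = require('express-rate-limit');",
];

console.log(unusedProdDeps(samplePkg, sampleSources));
```

Run against a real tree by reading package.json and the contents of the files under src/ instead of the constructed samples; anything reported should either be moved to devDependencies or justified as a runtime requirement.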


Summary

CVEs Resolved

Verification

npm audit reports 0 vulnerabilities

Ref: agent-twitter-client-mcp_dependabot_2026-03-30.md

🤖 Generated with Claude Code
Note

Medium Risk

Medium risk because it upgrades multiple runtime HTTP/server/matching libraries (undici, hono, express-rate-limit, minimatch, picomatch), which can introduce subtle behavior changes despite being a security-focused bump.

Overview

Security maintenance update: bumps several direct dependencies (and refreshes package-lock.json) to address reported vulnerabilities, including undici, hono/@hono/node-server, express-rate-limit, minimatch, picomatch, js-yaml, and flatted. Also updates .gitignore to properly ignore *.tsbuildinfo and adds .omc/state to ignored files.

Written by Cursor Bugbot for commit 0979a75.