Dozens of security vulnerabilities resolved
Approximately 80 Dependabot security alerts are closed across the repository, covering vulnerabilities that range from remote code execution flaws to cross-site scripting risks. Critical alerts in remote code execution and cross-site scripting paths are patched through direct version bumps and strictly scoped overrides.
Direct dependencies are bumped where possible, and strict overrides are applied to nested transitive dependencies to force safe versions without breaking major-version contracts. Because `uuid` is now ESM-only, it is bundled directly into the server build to maintain compatibility.
The updates span the monorepo, securing the web application, CLI tooling, and internal test containers. Both cloud and self-hosted deployments are protected against exploits like path traversal and prototype pollution.
Closes ~80 dependabot alerts (3 critical, ~25 high, ~31 medium) by bumping direct deps where possible and narrowly overriding the rest. Cloud uses resend email transport and Node 20 - all bumps are safe for both cloud and self-hosters.
Direct upgrades
| Package | Where | From | To | Why |
|---|---|---|---|---|
| vite | root devDeps | ^5.4.21 | (removed) | dead pin; vitest pulls vite transitively |
| dompurify | apps/webapp | ^3.2.6 | ^3.4.1 | XSS CVEs |
| effect | apps/webapp | ^3.11.7 | ^3.21.2 | AsyncLocalStorage CVE in Effect fibers |
| nodemailer | internal-packages/emails | ^7.0.11 | ^8.0.6 | SMTP CRLF injection (only affects self-hosters w/ smtp/aws-ses transport) |
| uuid | apps/webapp | ^9.0.0 | ^14.0.0 | buffer bounds check; ESM-only but bundled by Remix |
| uuid + @types/uuid | packages/trigger-sdk | ^9.0.0 | (removed) | dead deps, no usage |
| @types/uuid | apps/webapp | ^9.0.0 | (removed) | uuid 14 ships its own types |
| tar | packages/cli-v3 | ^7.5.4 | ^7.5.13 | path traversal CVEs |
| testcontainers + @testcontainers/postgresql + @testcontainers/redis | internal-packages/testcontainers | ^10.28.0 | ^11.14.0 | dev/test cleanup; one-line API fix for RedisContainer(image) |
| rimraf | webapp + 6 packages | ^3.0.2 / ^5.0.7 | ^6.0.1 | dev/build tool consolidation |
Scoped overrides
All bound by both >= and < to avoid major-version yanks.
| Override | Closes |
|---|---|
| tar@>=7 <7.5.11 → ^7.5.11 | supervisor's @kubernetes/client-node 1.0.0 chain |
| axios@>=1.0.0 <1.15.0 → ^1.15.0 | replaces older 1.9.0 pin |
| systeminformation@>=5.0.0 <5.31.0 → ^5.31.0 | bumps existing 5.27.14 pin |
| lodash@>=4.0.0 <4.18.0 → ^4.18.0 | bumps existing 4.17.23 pin |
| lodash-es@>=4.0.0 <4.18.0 → ^4.18.0 | new (mirrors lodash) |
| dompurify@>=3 <3.4.0 → ^3.4.1 | catches transitive dompurify via mermaid |
| vite@>=5.0.0 <6.4.2 → ^6.4.2 | path traversal; vite 5 has no patch |
| rollup@>=4 <4.59.0 → ^4.59.0 | path traversal in vite/vitest chain |
| flatted@>=3 <3.4.2 → ^3.4.2 | prototype pollution in eslint flat-cache |
| picomatch@>=2 <2.3.2 → ^2.3.2 | ReDoS in 2.x branch (transitive) |
| picomatch@>=4 <4.0.4 → ^4.0.4 | ReDoS in 4.x branch (vitest/tinyglobby) |
| minimatch@>=3 <3.1.3 → ^3.1.3 | ReDoS in eslint 8 chain |
| protobufjs@>=7 <7.5.5 → ^7.5.5 | critical RCE via @opentelemetry/otlp-transformer |
| fast-xml-parser@>=4 <4.5.5 → ^4.5.5 | DOCTYPE bypass + others (4.x branch via aws-sdk in supervisor) |
| fast-xml-parser@>=5 <5.7.0 → ^5.7.0 | critical + others (5.x branch via aws-sdk in webapp) |
| path-to-regexp@>=0.1 <0.1.13 → ^0.1.13 | ReDoS in express 4 / @remix-run/express |
| ajv@>=8 <8.18.0 → ^8.18.0 | DoS |
| socket.io-parser@>=4 <4.2.6 → ^4.2.6 | DoS in @trigger.dev/core's socket.io |
| postcss@>=8 <8.5.10 → ^8.5.10 | XSS via stringify |
| yaml@>=2 <2.8.3 → ^2.8.3 | DoS |
| semver@>=5 <5.7.2 → ^5.7.2 | ReDoS in 5.x |
| defu@>=6 <6.1.5 → ^6.1.5 | prototype pollution via proto in @prisma/config c12 chain |
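The rule stated above for every override (a selector bounded by both `>=` and `<`, replaced by a caret range at or above the patched floor) can be enforced mechanically rather than by eye. The script below is an added example, not code from this PR or from the repository it targets. It assumes overrides are expressed as a flat map of `pkg@>=A <B` selectors to `^C` replacements, as in the table, and runs over a constructed sample map; it also reports a replacement whose major differs from the selector's lower bound, which is exactly the vite 5 → 6 case the table calls out as deliberate.

```python
"""Lint bounded dependency overrides of the form "pkg@>=A <B" -> "^C".

Added example, not code from the PR or the repository. It assumes the
overrides are the package manager's override map (e.g. the overrides key
in package.json); SAMPLE_OVERRIDES below is constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Range part of a selector: ">=A <B" where A and B have 1-3 numeric components.
RANGE_RE = re.compile(r"^>=\s*(\d+(?:\.\d+){0,2})\s+<\s*(\d+(?:\.\d+){0,2})$")
# Replacement spec: a caret range "^C".
CARET_RE = re.compile(r"^\^(\d+(?:\.\d+){0,2})$")

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse "7", "0.1" or "7.5.11" into a zero-padded (major, minor, patch)."""
    parts = [int(p) for p in text.split(".")]
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def split_selector(selector: str) -> Tuple[str, str]:
    """Split "tar@>=7 <7.5.11" (or a scoped "@scope/pkg@...") into name and range."""
    name, sep, rng = selector.rpartition("@")
    if not sep:  # no "@" at all: a bare package name carries no range
        return selector, ""
    return name, rng.strip()


def check_override(selector: str, target: str) -> List[str]:
    """Return findings for one override; an empty list means it follows the policy.

    Policy checked:
      1. the selector is bounded on both sides (">=A <B"), so a future major
         release of the dependency is never silently remapped;
      2. the replacement is at or above the upper bound B, i.e. not itself
         inside the vulnerable range;
      3. a replacement whose major differs from the lower bound's major is
         reported, because it changes the contract the dependant was written
         against (sometimes unavoidable, always a deliberate decision).
    """
    findings: List[str] = []
    name, rng = split_selector(selector)
    range_match = RANGE_RE.match(rng)
    if not range_match:
        return [f"{name}: selector {rng!r} is not bounded as '>=A <B'"]
    caret_match = CARET_RE.match(target)
    if not caret_match:
        return [f"{name}: replacement {target!r} is not a caret range"]

    low = parse_version(range_match.group(1))
    high = parse_version(range_match.group(2))
    replacement = parse_version(caret_match.group(1))

    if not low < high:
        findings.append(f"{name}: empty range, lower bound {low} is not below {high}")
    if replacement < high:
        findings.append(
            f"{name}: replacement {target} is below the patched floor <{range_match.group(2)}"
        )
    if replacement[0] != low[0]:
        findings.append(
            f"{name}: replacement crosses a major version ({low[0]} -> {replacement[0]})"
        )
    return findings


def lint_overrides(overrides: Dict[str, str]) -> Dict[str, List[str]]:
    """Run check_override over a whole override map; keep only entries with findings."""
    report = {sel: check_override(sel, tgt) for sel, tgt in overrides.items()}
    return {sel: found for sel, found in report.items() if found}


# Constructed sample: two entries mirror the PR's pattern, two are deliberately wrong.
SAMPLE_OVERRIDES = {
    "tar@>=7 <7.5.11": "^7.5.11",      # bounded, replacement equals the floor: clean
    "vite@>=5.0.0 <6.4.2": "^6.4.2",   # deliberate cross-major (no patched 5.x exists)
    "lodash@>=4.0.0": "^4.18.0",       # constructed defect: no upper bound
    "ajv@>=8 <8.18.0": "^8.17.0",      # constructed defect: replacement still vulnerable
}

if __name__ == "__main__":
    for selector, findings in lint_overrides(SAMPLE_OVERRIDES).items():
        for line in findings:
            print(line)
```

Run as a CI step over the real override map, the only entry in the table above that would produce output is the vite override, and that output reads as an intentional cross-major note rather than a defect.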
Dismissed (~47)
| Reason | Cluster | Count |
|---|---|---|
| not_used | langsmith + next 15.x in references/* | 10 |
| not_used | minimatch 8.x via prisma-generator-ts-enums (references/prisma-6) | 3 |
| not_used | basic-ftp via puppeteer in references/hello-world + references/seed | 2 |
| not_used | hono / @hono/node-server / express-rate-limit / path-to-regexp 8.x / @modelcontextprotocol/sdk - all via mcp-sdk chain (dormant in webapp; dev-only localhost in cli-v3) | 22 |
| not_used | fastify / @fastify/static / file-type via evalite devDep | 5 |
| tolerable_risk | rollup 3 + minimatch 5/8/9/10 dev/build tooling | 13 |
Notes
- mcp-sdk chain: `@vercel/sdk` in webapp imports the `Vercel` API client only; the `mcp-server/*` subpath isn't loaded at runtime. cli-v3's MCP server runs only via `trigger mcp` on developer machines. Bumping `@modelcontextprotocol/sdk` to latest (1.29.0) wouldn't close these alerts anyway - it ships hono ^4.11.4, which is still vulnerable - so dismissal is the cleaner call.
- References ignore list: confirmed against the current dependabot ignore config; added `references/seed/package.json` (the only gap).
- undici alerts (CVE-2026-1527, 4 alerts) will auto-close: lockfile is already at 6.25.0 > patched 6.24.0; it just needs a Dependabot rescan.
- Effect 3.20 fix is a runtime-only scheduler fix with no public API changes - verified with research agent against our four `effect/*` imports.
- uuid 14 is ESM-only; we only call `validate`/`version` (no crypto needed), so the Node 20 requirement isn't load-bearing for us.
Public packages (packages/*)
Minimal surface, deliberately. None of these change published runtime behaviour - all changesets-worthy public package changes are deferred to a regular release pass.
| Package | Change | Runtime impact |
|---|---|---|
| packages/trigger-sdk | Removed dead uuid dep (no source imports) | None - dep was unused |
| packages/cli-v3 | tar ^7.5.4 → ^7.5.13 | Patch bump within already-allowed 7.x range; nothing CLI consumers see |
| packages/core / packages/build / packages/python / packages/rsc / packages/react-hooks / packages/schema-to-json | rimraf ^3.0.2 → ^6.0.1 in devDeps | Build-time only, no runtime change |
No changeset added because nothing in these packages affects what published consumers run.
Validation
- Webapp typecheck (forced, no cache) passes after every commit
- Smoke-tested testcontainers v11 changes via real `postgresTest` + `redisTest` (sync.test.ts, releaseConcurrency.test.ts) - both pass
- Webapp built + verified `require("uuid")` no longer in CJS server output (now bundled inline)
- Test env webapp deployed at `dependabot-q2.rc0` (cloud#740) - no issues observed
- Test suite run with package prerelease passed