fix(deps): bump undici → 7.28.0 / 8.5.0 and dompurify → 3.4.11 (osv-scan)#554
Merged
Fresh OSV advisories reddened osv-scan on main and every open PR without any code change — the classic fresh-advisory pattern. Focused dep-bump so main goes green and open PRs only need a rebase.

Vulnerabilities (all production-reachable, not test-only devDeps):

* undici@8.3.0 — direct prod dep of the pinchy-web plugin (web fetch), ships in the image. GHSA-38rv-x7px-6hhq (7.5), GHSA-pr7r-676h-xcf6 (5.9), GHSA-vmh5-mc38-953g (7.4). Fixed in 8.5.0.
* undici@7.25.0 — pulled by the jsdom/vitest test toolchain. GHSA-pr7r-676h-xcf6, GHSA-vmh5-mc38-953g. Fixed in 7.28.0.
* dompurify@3.4.10 — via mermaid in the docs site (docs.heypinchy.com). GHSA-cmwh-pvxp-8882 (5.1). Fixed in 3.4.11.

Done via `pnpm.overrides` (the established pattern in this repo):

* `undici@>=7.0.0 <7.28.0` → `>=7.28.0 <8`. The `<8` upper bound is load-bearing: jsdom@29.1.1 imports the undici-internal `undici/lib/handler/wrap-handler.js`, which exists in 7.x but was removed in 8.x. Without the bound, pnpm deduped jsdom's undici up to 8.5.0 and every jsdom-env test crashed with MODULE_NOT_FOUND. Pinning to the 7.x line keeps jsdom working while still clearing the advisory.
* `undici@>=8.0.0 <8.5.0` → `>=8.5.0` for the pinchy-web 8.x line.
* docs `dompurify@<3.4.6` → `<3.4.11`.

Lockfile now resolves undici 7.28.0 (test tooling) + 8.5.0 (prod) and dompurify 3.4.11 — two undici majors, same as before the bump.

Verified: `pnpm -C packages/web test` green (6194 passed, 0 errors — the jsdom MODULE_NOT_FOUND regression is gone), `cd docs && pnpm build` clean.
## Why

Fresh OSV advisories reddened Security audit / osv-scan on main and every open PR without any code change — the classic fresh-advisory pattern (cf. PR #505). This is the focused dep-bump so main goes green and open PRs only need a rebase. Not bundled into any feature PR.

## Vulnerabilities (all production-reachable)

| Package | Version | Advisory | Severity | Fixed in |
|---|---|---|---|---|
| undici | 8.3.0 | GHSA-38rv-x7px-6hhq | 7.5 | 8.5.0 |
| undici | 8.3.0 | GHSA-pr7r-676h-xcf6 | 5.9 | 8.5.0 |
| undici | 8.3.0 | GHSA-vmh5-mc38-953g | 7.4 | 8.5.0 |
| undici | 7.25.0 | GHSA-pr7r-676h-xcf6 | 5.9 | 7.28.0 |
| undici | 7.25.0 | GHSA-vmh5-mc38-953g | 7.4 | 7.28.0 |
| dompurify | 3.4.10 | GHSA-cmwh-pvxp-8882 | 5.1 | 3.4.11 |

- `undici@8.3.0` is a direct production dependency of the `pinchy-web` plugin (web fetch) — ships in the image.
- `undici@7.25.0` comes from the jsdom/vitest test toolchain.
- `dompurify@3.4.10` comes via `mermaid` in the docs site (docs.heypinchy.com).

None qualify for `osv-scanner.toml` IgnoredVulns (those are reserved for openclaw-only test-tool transitive devDeps).

## How

Via `pnpm.overrides` (the established repo pattern):

- `undici@>=7.0.0 <7.28.0` → `>=7.28.0 <8`
- `undici@>=8.0.0 <8.5.0` → `>=8.5.0` (new)
- `dompurify@<3.4.6` → `<3.4.11`

The `<8` upper bound on the 7.x override is load-bearing. jsdom@29.1.1 imports the undici-internal path `undici/lib/handler/wrap-handler.js`, which exists in 7.x but was removed in 8.x. Without the bound, pnpm deduped jsdom's undici up to 8.5.0 and every jsdom-env test crashed with `Cannot find module 'undici/lib/handler/wrap-handler.js'` (448 unhandled errors). Pinning to the 7.x line keeps jsdom working while still clearing the advisory.

Lockfile now resolves undici 7.28.0 (test tooling) + 8.5.0 (prod) + dompurify 3.4.11 — two undici majors, same shape as before the bump.

## Test plan

- `pnpm -C packages/web test` — green (6194 passed, 0 errors; the jsdom MODULE_NOT_FOUND regression introduced by a naive bump is gone)
- `cd docs && pnpm build` — clean

## Follow-up

Open PRs (#552, #517, #553, …) rebase on the new main to pick this up.
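As an added example (not code from this PR or the repo), a small Node script that checks which `undici`/`dompurify` entries a `pnpm-lock.yaml` actually resolved fall outside the ranges the overrides above are meant to enforce, so the "two undici majors" shape can be asserted in CI rather than eyeballed. The lockfile excerpts and integrity values are constructed.

```javascript
// Added example, not code from the PR or the repo: check which undici/dompurify
// entries a pnpm-lock.yaml resolved fall outside the override ranges (constructed input).

// Post-bump ranges mirroring the PR's pnpm.overrides: undici 7.x kept below 8
// (jsdom needs 7.x internals), undici 8.x >= 8.5.0, dompurify >= 3.4.11. max is exclusive.
const EXPECTED = {
  undici: [{ min: '7.28.0', max: '8.0.0' }, { min: '8.5.0', max: null }],
  dompurify: [{ min: '3.4.11', max: null }],
};

// Constructed `packages:` excerpt, as the lockfile looked before the bump.
const LOCK_BEFORE = `
packages:
  dompurify@3.4.10:
    resolution: {integrity: sha512-CONSTRUCTED}
  undici@7.25.0:
    resolution: {integrity: sha512-CONSTRUCTED}
  undici@8.3.0:
    resolution: {integrity: sha512-CONSTRUCTED}
`;
const LOCK_AFTER = LOCK_BEFORE // same excerpt with the fixed versions resolved
  .replace('dompurify@3.4.10', 'dompurify@3.4.11')
  .replace('undici@7.25.0', 'undici@7.28.0')
  .replace('undici@8.3.0', 'undici@8.5.0');

// Numeric compare of plain x.y.z versions (no prerelease tags in these ranges).
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

function inRange(v, r) {
  return cmpVersion(v, r.min) >= 0 && (r.max === null || cmpVersion(v, r.max) < 0);
}

// Returns every resolved `name@version` of a tracked package that falls outside
// all allowed ranges, i.e. an entry that would re-trigger the advisory.
function findOffending(lockText, expected = EXPECTED) {
  // pnpm v9 keys look like `  undici@7.28.0:` or `  foo@1.0.0(peer@2.0.0):`.
  const re = /^ {2}(\S+?)@(\d+\.\d+\.\d+)[^:\n]*:\s*$/gm;
  const seen = new Set(), offending = [];
  for (const [, name, version] of lockText.matchAll(re)) {
    const key = `${name}@${version}`;
    if (!(name in expected) || seen.has(key)) continue;
    seen.add(key);
    if (!expected[name].some((r) => inRange(version, r))) offending.push(key);
  }
  return offending;
}
```

This only judges entries that are present: the dedup failure the PR describes (jsdom's undici collapsed onto 8.5.0) shows up as the 7.x entry vanishing from the lockfile, which the test run catches rather than this check.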