mirror of
https://github.com/garrytan/gstack.git
synced 2026-07-18 05:27:32 +02:00
fix(deps): override basic-ftp to 5.3.1 to clear CVE-2026-39983 + 3 sibling HIGH advisories
basic-ftp reaches the tree only transitively: puppeteer-core > @puppeteer/browsers > proxy-agent > pac-proxy-agent > get-uri > basic-ftp Versions <= 5.3.0 carry four HIGH advisories, all fixed in 5.3.1: - GHSA-chqc-8p9q-pq6q (CVE-2026-39983) FTP command injection via CRLF - GHSA-6v7q-wjvx-w8wg incomplete CRLF protection (USER/PASS + MKD bypass) - GHSA-rpmf-866q-6p89 DoS via unbounded multiline control-response buffering - GHSA-rp42-5vxx-qpwr DoS via unbounded memory in Client.list() Pin via a bun `overrides` entry rather than a phantom direct dependency. Overriding forces every basic-ftp in the tree to 5.3.1, including get-uri's nested copy; `bun audit` then reports zero basic-ftp advisories (total 37 -> 33, HIGH 13 -> 9). A direct-dependency bump leaves get-uri/basic-ftp at the vulnerable version and audit still flags all four. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -22,6 +22,9 @@
|
||||
},
|
||||
},
|
||||
},
|
||||
"overrides": {
|
||||
"basic-ftp": "5.3.1",
|
||||
},
|
||||
"packages": {
|
||||
"@anthropic-ai/claude-agent-sdk": ["@anthropic-ai/claude-agent-sdk@0.2.117", "", { "dependencies": { "@anthropic-ai/sdk": "^0.81.0", "@modelcontextprotocol/sdk": "^1.29.0" }, "optionalDependencies": { "@anthropic-ai/claude-agent-sdk-darwin-arm64": "0.2.117", "@anthropic-ai/claude-agent-sdk-darwin-x64": "0.2.117", "@anthropic-ai/claude-agent-sdk-linux-arm64": "0.2.117", "@anthropic-ai/claude-agent-sdk-linux-arm64-musl": "0.2.117", "@anthropic-ai/claude-agent-sdk-linux-x64": "0.2.117", "@anthropic-ai/claude-agent-sdk-linux-x64-musl": "0.2.117", "@anthropic-ai/claude-agent-sdk-win32-arm64": "0.2.117", "@anthropic-ai/claude-agent-sdk-win32-x64": "0.2.117" }, "peerDependencies": { "zod": "^4.0.0" } }, "sha512-pVBss1Vu0w87nKCBhWtjMggSgCh6GVUtdRmuE58ZvXv0E2q0JcnUCQHehmn92BAW0+VCwPY8q/k7uKWkgwz/gA=="],
|
||||
|
||||
@@ -201,7 +204,7 @@
|
||||
|
||||
"bare-url": ["bare-url@2.4.0", "", { "dependencies": { "bare-path": "^3.0.0" } }, "sha512-NSTU5WN+fy/L0DDenfE8SXQna4voXuW0FHM7wH8i3/q9khUSchfPbPezO4zSFMnDGIf9YE+mt/RWhZgNRKRIXA=="],
|
||||
|
||||
"basic-ftp": ["basic-ftp@5.2.0", "", {}, "sha512-VoMINM2rqJwJgfdHq6RiUudKt2BV+FY5ZFezP/ypmwayk68+NzzAQy4XXLlqsGD4MCzq3DrmNFD/uUmBJuGoXw=="],
|
||||
"basic-ftp": ["basic-ftp@5.3.1", "", {}, "sha512-bopVNp6ugyA150DDuZfPFdt1KZ5a94ZDiwX4hMgZDzF+GttD80lEy8kj98kbyhLXnPvhtIo93mdnLIjpCAeeOw=="],
|
||||
|
||||
"body-parser": ["body-parser@2.2.2", "", { "dependencies": { "bytes": "^3.1.2", "content-type": "^1.0.5", "debug": "^4.4.3", "http-errors": "^2.0.0", "iconv-lite": "^0.7.0", "on-finished": "^2.4.1", "qs": "^6.14.1", "raw-body": "^3.0.1", "type-is": "^2.0.1" } }, "sha512-oP5VkATKlNwcgvxi0vM0p/D3n2C3EReYVX+DNYs5TjZFn/oQt2j+4sVJtSMr18pdRr8wjTcBl6LoV+FUwzPmNA=="],
|
||||
|
||||
|
||||
@@ -76,5 +76,8 @@
|
||||
"@anthropic-ai/sdk": "^0.78.0",
|
||||
"xterm": "5",
|
||||
"xterm-addon-fit": "^0.8.0"
|
||||
},
|
||||
"overrides": {
|
||||
"basic-ftp": "5.3.1"
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user