chore: resolve transitive npm audit advisories #23

Open
cybercraftsolutionsllc wants to merge 2 commits into eliottreich:main from cybercraftsolutionsllc:codex/audit-transitives-17
Conversation

@cybercraftsolutionsllc

Fixes #17.

Summary:

  • refresh package-lock.json with npm audit fix in the existing dependency range
  • move express-rate-limit from 8.5.0 to 8.5.2
  • move hono from 4.12.17 to 4.12.19
  • move ip-address from 10.1.0 to 10.2.0
  • no package.json dependency range changes or forced major upgrades

Validation:

  • npm audit fix --package-lock-only --omit=dev
  • npm ci --ignore-scripts
  • npx tsc
  • npm audit --omit=dev --json returned 0 vulnerabilities
  • node build/index.js --version
  • git diff --check

Note: I validated with tsc directly because this repo's existing npm build script ends with Unix chmod, which is not available in this Windows shell. No SDK major bump appears necessary; the lockfile refresh resolves the vulnerable transitive versions within the current @modelcontextprotocol/sdk range.

Payout route if needed: 0xB34D185318b34ec2F9E060F662Cc7feA3180049c

@eliottreich
Owner

Thanks for this, genuinely useful work. We've put a funded $10 TaskBounty bounty on the underlying issue: https://www.task-bounty.com/task/taskbounty-mcp-server-17-resolve-3-moderate-npm-au-nw89of . To claim it, register at https://www.task-bounty.com/, then submit your fix through the platform (REST API, MCP server, or the patch-upload endpoint). It runs against the repo's own tests in an isolated sandbox, and on a verified pass you're paid through escrow in USDC, ETH, BTC, or bank. We keep payment on-platform so it stays verified and auditable for everyone. First verified submission wins it.

@cybercraftsolutionsllc
Author

TaskBounty retry follow-up: I pushed a regression-test update for the verifier failure.

What changed:

  • Added test/audit-lockfile.test.js, which asserts the lockfile keeps hono >= 4.12.19, express-rate-limit >= 8.5.2, and ip-address >= 10.2.0.
  • Added npm test so the regression test runs through tsc && node --test test/*.test.js.

Validation after the push:

  • npm test passes.
  • npm audit --audit-level=moderate reports found 0 vulnerabilities.

This should address TaskBounty's [no_regression_test] verifier result for the original submission.
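As an added illustration of the kind of lockfile floor check the follow-up describes (example code, not the PR's own test/audit-lockfile.test.js), the snippet below reads the lockfile v2/v3 `packages` map, and goes one step further than the comment states by also checking nested copies of a package under `node_modules/<dep>/node_modules/<name>`. The sample lockfile fragment and the `FLOORS` table are constructed for the example.

```javascript
// Minimal semver "major.minor.patch" parser; prerelease tags are ignored.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Every installed version of `name`, top-level or nested, from the
// lockfile "packages" keys (e.g. "node_modules/hono",
// "node_modules/foo/node_modules/hono").
function installedVersions(lock, name) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([key]) => key === suffix || key.endsWith(`/${suffix}`))
    .map(([, entry]) => entry.version);
}

// Returns one {name, version, floor} record per copy below its floor,
// plus a record with version null if the package is not installed at all.
function checkFloors(lock, floors) {
  const violations = [];
  for (const [name, floor] of Object.entries(floors)) {
    const versions = installedVersions(lock, name);
    if (versions.length === 0) violations.push({ name, version: null, floor });
    for (const version of versions)
      if (compareSemver(version, floor) < 0) violations.push({ name, version, floor });
  }
  return violations;
}

// Floors from the PR description; constructed lockfile with one nested
// ip-address copy that is still below its floor.
const FLOORS = { hono: '4.12.19', 'express-rate-limit': '8.5.2', 'ip-address': '10.2.0' };
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'sample-project' },
  'node_modules/hono': { version: '4.12.19' },
  'node_modules/express-rate-limit': { version: '8.5.2' },
  'node_modules/some-dep/node_modules/ip-address': { version: '10.1.0' },
} };

// Read a real package-lock.json from disk and apply the floors.
function checkLockfile(path, floors = FLOORS) {
  const fs = require('node:fs');
  return checkFloors(JSON.parse(fs.readFileSync(path, 'utf8')), floors);
}
```

Inside a `node --test` file, `assert.deepStrictEqual(checkLockfile('package-lock.json'), [])` is the whole regression test.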

Development

Successfully merging this pull request may close these issues.

Resolve 3 moderate npm audit advisories in transitive deps

3 participants