
Address high severity security advisories in examples#1970

Open
1egoman wants to merge 8 commits into main from fix/high-severity-dependabot

Conversation

1egoman (Contributor) commented Jun 9, 2026

Warning: None of these security advisories affect the published livekit-client package; these are all in examples.

I had an LLM agent go at this and I think update all the affected dependencies. Here's a summary:

| Commit | Package | Advisory | Where | Method |
|---|---|---|---|---|
| 0813b51a | fast-uri 3.0.6 → 3.1.2 | #173/#172 host confusion, path traversal | root | in-range update |
| 38345c59 | lodash 4.17.x → 4.18.1 | #158/#156/#154 code injection | root + examples | override (range too low) |
| 8180b796 | flatted 3.2.9 → 3.4.2 | #124 prototype pollution | root | stale lockfile refresh |
| 8d826108 | serialize-javascript 6.x → 7.0.5 | #120 RCE | root | override (major bump) |
| 1db64847 | tar 4.4.19 → 7.5.16 | #122/#121/#147/#146/#145/#144/#143/#142 path traversal | examples | override (major bump) |
| 84ebc5d2 | picomatch 2.3.1 → 2.3.2 | #128/#148 ReDoS | examples | in-range update |
| edd06e81 | path-to-regexp 8.3.0 → 8.4.2 | #135/#151 DoS | examples | in-range update |

1egoman and others added 7 commits June 9, 2026 10:58
Resolves Dependabot alerts #173 (GHSA-v39h-62p7-jpjc, host confusion via
percent-encoded authority delimiters) and #172 (GHSA-q3j6-qgpj-74h6, path
traversal via percent-encoded dot segments). fast-uri is a transitive
devDependency via ajv; bumping within the existing ^3 range.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Resolves Dependabot alerts #158 (root), #156 (examples/rpc) and #154
(examples/data-tracks) for GHSA-r5fr-rjxr-66jc (code injection via
lodash _.template import key names). lodash is a transitive
devDependency (@trivago/prettier-plugin-sort-imports, concurrently).

Pinned via pnpm overrides since the patched 4.18.0 release is outside
the parent packages' declared ^4.17.x ranges. In pnpm 10 overrides live
in pnpm-workspace.yaml, so this adds that file to each example app.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Resolves Dependabot alert #124 (GHSA-rf6f-7fwh-wjgh, prototype pollution
via parse()). flatted is a transitive devDependency via flat-cache, whose
^3.4.2 range already required the patched version; the lockfile was stale.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Resolves Dependabot alert #120 (GHSA-5c6j-r48x-rmvq, RCE via RegExp.flags
and Date.prototype.toISOString). serialize-javascript is a transitive
devDependency of the terser build plugins, whose ^6 ranges predate the
7.0.3 fix, so it is pinned via a pnpm override. Resolves to 7.0.5.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
… advisories

Resolves Dependabot alerts #122/#121 (examples/rpc) and #147/#146/#145/#144/
#143/#142/#140 (examples/data-tracks) for the node-tar path-traversal and DoS
advisories (GHSA-9ppj-qmqm-q256, GHSA-qffp-2rhf-9h96, GHSA-83g3-92jg-28cx,
GHSA-34x7-hfp2-rc4v, GHSA-r6q2-hw4h-h46w, GHSA-8qq5-rm4j-mr97, GHSA-f5x3-32g6-xq36).

tar was pinned to ^4 by an old node-pre-gyp pulled in transitively via
vite-plugin-mix (@vercel/nft). The patched line is >=7.5.11, a major bump,
so it is forced via a pnpm override. Verified the data-tracks vite build
(which exercises the vite-plugin-mix/@vercel/nft chain) still succeeds.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Resolves Dependabot alerts #128 (examples/rpc) and #148 (examples/data-tracks)
for GHSA-c2c7-rcm5-vvqj (ReDoS via extglob quantifiers). picomatch is a
transitive dependency via micromatch; 2.3.2 is the patched 2.x release and
is within the existing range, so no override is needed.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…visory

Resolves Dependabot alerts #135 (examples/rpc) and #151 (examples/data-tracks)
for GHSA-j3q9-mxjg-w52f (DoS via sequential optional groups). path-to-regexp
is a transitive dependency via router (express 5); 8.4.2 is within the
existing range, so no override is needed.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
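The commits above lean on pnpm overrides (`>=x.y.z` floors in pnpm-workspace.yaml) and, in the flatted case, on a lockfile that had drifted behind the declared range. The following is an added example, not code from the PR or the livekit-client project: it parses an override block like the one in this PR and checks a constructed lockfile excerpt against it, flagging any package still resolved below its floor. The `WORKSPACE_YAML` and `RESOLVED` inputs are constructed; `parseOverrides`, `compareVersions` and `findViolations` are names chosen here.

```javascript
// Added example (not from the PR or the livekit-client project): check that
// the versions resolved in a pnpm lockfile satisfy a pnpm-workspace.yaml
// `overrides:` block, so a stale lockfile (the flatted case) or a package still
// below its forced floor (lodash here) is caught before merge. Only the
// `>=x.y.z` range form used in this PR is supported.

// Constructed workspace file, modelled on the override block in this PR.
const WORKSPACE_YAML = `
overrides:
  lodash: '>=4.18.0'
  # Security: node-tar path-traversal advisories; force the patched line.
  tar: '>=7.5.11'
`;

// Constructed lockfile excerpt (pnpm-lock.yaml keys look like "/tar@7.5.16").
const RESOLVED = { lodash: '4.17.21', tar: '7.5.16' };

// Parse the indented `overrides:` block into { name: range }, skipping comments.
function parseOverrides(yaml) {
  const out = {};
  let inBlock = false;
  for (const raw of yaml.split('\n')) {
    const line = raw.trim();
    if (line === 'overrides:') { inBlock = true; continue; }
    if (!inBlock || line === '' || line.startsWith('#')) continue;
    if (!raw.startsWith(' ')) break;               // dedent ends the block
    const m = /^([^:\s]+):\s*['"]?([^'"]+)['"]?$/.exec(line);
    if (m) out[m[1]] = m[2];
  }
  return out;
}

// Numeric major.minor.patch compare (7.5.16 > 7.5.11); prerelease suffix ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Names whose resolved version is missing or below the override floor.
function findViolations(overrides, resolved) {
  return Object.entries(overrides).filter(([name, range]) => {
    const m = /^>=(\d+\.\d+\.\d+)$/.exec(range);
    if (!m) throw new Error(`unsupported range for ${name}: ${range}`);
    return !resolved[name] || compareVersions(resolved[name], m[1]) < 0;
  }).map(([name]) => name);
}
```

Run over the real pnpm-workspace.yaml and pnpm-lock.yaml in CI, a non-empty result means either the lockfile was not regenerated after the override was added or the override is not reaching the package it was meant to pin.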
changeset-bot (Bot) commented Jun 9, 2026

⚠️ No Changeset found

Latest commit: edd06e8

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


github-actions (Bot) commented Jun 9, 2026

size-limit report 📦

| Path | Size |
|---|---|
| dist/livekit-client.esm.mjs | 100.49 KB (-0.01% 🔽) |
| dist/livekit-client.umd.js | 109.53 KB (-0.04% 🔽) |

Comment on lines +1 to +7

```yaml
overrides:
  lodash: '>=4.18.0'
  # Security: node-tar path-traversal advisories (GHSA-9ppj-qmqm-q256,
  # GHSA-qffp-2rhf-9h96, GHSA-83g3-92jg-28cx, GHSA-34x7-hfp2-rc4v,
  # GHSA-r6q2-hw4h-h46w, GHSA-8qq5-rm4j-mr97, GHSA-f5x3-32g6-xq36). tar is
  # pinned to ^4 by node-pre-gyp via vite-plugin-mix; force the patched line.
  tar: '>=7.5.11'
```
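Review bot: the `lodash: '>=4.18.0'` override on line +2 carries no explanation, unlike the `tar` override beneath it. Add a comment naming the advisory it addresses (GHSA-r5fr-rjxr-66jc per the commit message) and why the floor is needed (the parents' declared ^4.17.x ranges), so a future maintainer can tell when the override is safe to drop once the parents move on their own.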

1egoman (Contributor, Author) commented:

thought: I'm not convinced doing this is the best way to handle some of these, I think that I have tended to prefer forcing updates to newer dependencies whenever possible rather than force overriding dependencies in the tree.

Contributor commented:

yeah, not a fan of this either. I opened #1972 where I think all of these are addressed by simply updating the original dependencies that pull them in. I'd prefer that approach

1egoman (Contributor, Author) commented:

Nice, I do too, approved over there ✅

Contributor commented:

ah, I based mine on this PR, so this just got merged in here. I'll approve this one.

xianshijing-lk (Contributor) left a comment:

defer to Lukas on the actual review, but you have my stamp
