fix: upgrade fast-uri to 3.1.1 (CVE-2026-6321)

[orbisai0security]

Summary

Upgrade fast-uri from 3.1.0 to 3.1.1 to fix CVE-2026-6321.

Vulnerability

Field	Value
ID	CVE-2026-6321
Severity	HIGH
Scanner	trivy
Rule	CVE-2026-6321
File	packages/bruno-tests/collection/package-lock.json
Assessment	Likely exploitable

Description: fast-uri: fast-uri: Path traversal vulnerability allows bypass of security policies

Evidence

Scanner confirmation: trivy rule CVE-2026-6321 flagged this pattern.

Threat Model Context

This is a Node.js library - vulnerabilities affect downstream consumers who use this package.

Changes

• packages/bruno-tests/collection/package.json
• packages/bruno-tests/collection/package-lock.json

Verification

• Build passes
• Scanner re-scan confirms fix
• LLM code review passed

---

This change addresses a pattern flagged by static analysis. The code path handles user-influenced input and the fix reduces the attack surface against both manual and automated exploitation.

---

Automated security fix by OrbisAI Security

Summary by CodeRabbit

• Chores
  • Added a new library dependency to support ongoing maintenance and compatibility improvements.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 28582208-1d6a-4651-896f-a3ca7026c464

📥 Commits

Reviewing files that changed from the base of the PR and between 87f7426 and 6fb933c.

⛔ Files ignored due to path filters (1)

• packages/bruno-tests/collection/package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (1)

• packages/bruno-tests/collection/package.json

---

Walkthrough

The collection package manifest adds fast-uri to its dependencies.

Changes

Collection manifest update

Layer / File(s)	Summary
Dependency entry added packages/bruno-tests/collection/package.json	fast-uri is added to dependencies with version ^3.1.1.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

One tiny key in the package hall,
fast-uri joins the dependency call.
A single line, neat and true,
Quietly stitching the manifest blue.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: upgrading fast-uri to 3.1.1 to address CVE-2026-6321.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}