fix(security): resolve pnpm audit failures from 2026-06-09 audit #3746

Closed
cursor[bot] wants to merge 4 commits into main from cursor/pnpm-audit-failures-45c6

cursor Bot commented Jun 9, 2026

Contributor

Summary

Fixed:

  • apps/js-sdk: removed stale uuid audit allowlist after current 14.0.0 audit result clears GHSA-w5hq-g745-h8pq
  • apps/js-sdk/firecrawl: removed stale uuid audit allowlist after current 14.0.0 audit result clears GHSA-w5hq-g745-h8pq

Deferred:

  • GHSA-v2v4-37r5-5v8g / ip-address in apps/api: blocked
    • Reason: Compatible upstream dependency still resolves to affected ip-address; no safe patch/minor path is available.
    • Next action: waiting on upstream
    • Tracking: create internal ticket
  • GHSA-866g-f22w-33x8 / @ai-sdk/provider-utils in apps/api: needs-major
    • Reason: Compatible higher-level package lines still resolve to affected provider-utils; non-affected line requires coordinated major-family upgrades.
    • Next action: needs approval
    • Tracking: create internal ticket

Verification:

  • CI-equivalent audit: passed with approved deferment

Summary by cubic

Fixes 2026-06-09 pnpm audit/audit-ci failures by removing stale uuid allowlists and syncing dependency overrides across apps/api, apps/js-sdk, and apps/js-sdk/firecrawl.

  • Dependencies
    • apps/api: pin shell-quote@1.8.4.
    • apps/js-sdk: enforce diff>=4.0.4 and follow-redirects>=1.16.0 <2.0.0.
    • apps/js-sdk/firecrawl: add overrides for minimatch, picomatch, brace-expansion/@isaacs/brace-expansion, axios@1.16.1, rollup>=4.59.0, handlebars>=4.7.9, and follow-redirects>=1.16.0 <2.0.0.

Written for commit 8198d93. Summary will update on new commits.
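
The reconciliation described in the comment above (drop an allowlist entry once the audit no longer reports it, keep approved deferments, fail on anything else), as an added example that is not part of this PR or the Firecrawl repository. The report field names follow the JSON printed by `pnpm audit --json` and are an assumption here; `reconcileAllowlist` and both sample inputs are constructed for illustration.

```javascript
// Constructed sample audit report (assumed npm-v6-style shape, as printed by
// `pnpm audit --json`). Only the advisory IDs and package names come from the page.
const sampleReport = {
  advisories: {
    "1001": { github_advisory_id: "GHSA-v2v4-37r5-5v8g", module_name: "ip-address" },
    "1002": { github_advisory_id: "GHSA-866g-f22w-33x8", module_name: "@ai-sdk/provider-utils" },
  },
};

// Constructed allowlist: one entry the audit no longer reports (uuid advisory)
// and one approved deferment that is still reported.
const sampleAllowlist = ["GHSA-w5hq-g745-h8pq", "GHSA-v2v4-37r5-5v8g"];

// Hypothetical helper: compare what the audit reports with what is allowlisted.
function reconcileAllowlist(report, allowlist) {
  const norm = (id) => String(id).trim().toLowerCase();

  // Advisory ID -> affected package, for everything the audit currently reports.
  const reported = new Map();
  for (const adv of Object.values((report && report.advisories) || {})) {
    if (adv.github_advisory_id) {
      reported.set(norm(adv.github_advisory_id), adv.module_name);
    }
  }
  const allowed = new Set(allowlist.map(norm));

  // Stale: allowlisted but no longer reported, so the exception should be removed
  // before it can silently mask a future regression of the same advisory.
  const stale = allowlist.filter((id) => !reported.has(norm(id)));
  // Deferred: allowlisted and still reported, so the exception is still in use.
  const deferred = allowlist.filter((id) => reported.has(norm(id)));
  // Unapproved: reported with no allowlist entry; needs a fix or an approved deferment.
  const unapproved = [...reported]
    .filter(([id]) => !allowed.has(id))
    .map(([id, pkg]) => ({ id, pkg }));

  return { stale, deferred, unapproved, ok: stale.length === 0 && unapproved.length === 0 };
}

const result = reconcileAllowlist(sampleReport, sampleAllowlist);
console.log(JSON.stringify(result, null, 2));
```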

Co-authored-by: Abimael Martell <abimaelmartell@users.noreply.github.com>
abimaelmartell marked this pull request as ready for review June 9, 2026 17:12
cursoragent and others added 3 commits June 9, 2026 17:18
Co-authored-by: Abimael Martell <abimaelmartell@users.noreply.github.com>
Co-authored-by: Abimael Martell <abimaelmartell@users.noreply.github.com>
Co-authored-by: Abimael Martell <abimaelmartell@users.noreply.github.com>
blacksmith-sh Bot commented Jun 9, 2026

Contributor

Found 2 test failures on Blacksmith runners:

Failures

  • src/tests/snips/v2/batch-scrape.test.ts: Batch scrape tests cancel flips batch status to cancelled immediately
  • src/tests/snips/v2/batch-scrape.test.ts: Batch scrape tests cancel flips batch status to cancelled immediately


mogery commented Jun 25, 2026

Member

Closing as outdated: this older audit snapshot no longer matches the current alert set, and its package override changes are already covered on origin/main.

mogery closed this Jun 25, 2026