
chore: resolve open dependabot security alerts #571

Merged
jonathannorris merged 1 commit into main from chore/dependabot-alerts on May 20, 2026

Conversation

@jonathannorris
Member

Summary

  • Resolved 7 open Dependabot security alerts by bumping vulnerable dependencies

Dependabot Alerts Resolved

| Alert | Package | Severity | Fix |
|---|---|---|---|
| #232 | hono | medium | Bumped resolution to ^4.12.18 (resolves to 4.12.21) |
| #230 | hono | low | Bumped resolution to ^4.12.18 (resolves to 4.12.21) |
| #228 | hono | medium | Bumped resolution to ^4.12.18 (resolves to 4.12.21) |
| #227 | fast-uri | high | Added resolution ^3.1.2 (resolves to 3.1.2) |
| #226 | fast-uri | high | Added resolution ^3.1.2 (resolves to 3.1.2) |
| #224 | hono | medium | Bumped resolution to ^4.12.18 (resolves to 4.12.21) |
| #222 | hono | medium | Bumped resolution to ^4.12.18 (resolves to 4.12.21) |

Alert #213 (ip-address) was already resolved in a prior merged PR.

Notes

  • hono is a direct dependency in mcp-worker/package.json; bumped to ^4.12.18 there as well
  • fast-uri is a transitive dependency via ajv; resolved via yarn resolutions

- hono ^4.12.16 -> ^4.12.18 (resolves to 4.12.21) (medium/low, alerts #222, #224, #228, #230, #232)
- fast-uri ^3.0.1 -> ^3.1.2 (high, alerts #226, #227)
- mcp-worker hono 4.12.14 -> ^4.12.18
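A Yarn `resolutions` entry only pins a transitive dependency if the lockfile actually re-resolves to the patched release, so the check worth running after a PR like this is against yarn.lock itself. The following is an added example, not code from this PR or from the DevCycle project: a small Node.js script that parses a classic (v1 format) yarn.lock, reports every entry that still resolves a package below the minimum patched version listed in the table above, and lists the distinct resolved versions of a package so a leftover duplicate is visible. The two lockfile snippets, including the ajv version, are constructed for the example; the minimum versions for hono and fast-uri come from the PR. The v1 text format and release versions without prerelease tags are assumptions.

```javascript
// Added example (not part of the PR): verify that a classic yarn.lock resolves
// each named package at or above a patched minimum after a "resolutions" bump.
// Assumptions: yarn.lock v1 text format, release versions without prerelease tags.

// Parse yarn.lock v1 into [{ name, range, version }], one record per descriptor.
function parseYarnLockV1(text) {
  const records = [];
  let descriptors = [];
  for (const raw of text.split("\n")) {
    const line = raw.replace(/\r$/, "");
    if (!line.trim() || line.startsWith("#")) continue;
    if (!line.startsWith(" ")) {
      // Header line: one or more comma-separated "name@range" descriptors ending in ':'
      descriptors = line
        .replace(/:\s*$/, "")
        .split(",")
        .map((d) => d.trim().replace(/^"|"$/g, ""));
      continue;
    }
    const m = line.match(/^\s+version\s+"?([^"\s]+)"?/);
    if (m) {
      for (const d of descriptors) {
        // Scoped names start with '@', so the separator is the last '@'
        const at = d.lastIndexOf("@");
        records.push({ name: d.slice(0, at), range: d.slice(at + 1), version: m[1] });
      }
    }
  }
  return records;
}

// Numeric major.minor.patch comparison; prerelease suffixes are ignored (assumption).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return one finding per lock entry that resolves a watched package below its minimum.
function findVulnerableEntries(lockText, minimums) {
  const findings = [];
  for (const r of parseYarnLockV1(lockText)) {
    const min = minimums[r.name];
    if (min && compareVersions(r.version, min) < 0) {
      findings.push(`${r.name}@${r.range} resolves to ${r.version} (< ${min})`);
    }
  }
  return findings;
}

// Distinct resolved versions of one package; more than one means a range was not collapsed.
function resolvedVersions(lockText, name) {
  const versions = parseYarnLockV1(lockText)
    .filter((r) => r.name === name)
    .map((r) => r.version);
  return [...new Set(versions)].sort(compareVersions);
}

// Minimum patched versions, taken from the PR's alert table.
const MINIMUMS = { hono: "4.12.18", "fast-uri": "3.1.2" };

// Constructed lockfile excerpt representing the state before the resolution bump.
const BEFORE_LOCK = `# constructed sample, not the project's yarn.lock
ajv@^8.0.0:
  version "8.17.1"
  dependencies:
    fast-uri "^3.0.1"

fast-uri@^3.0.1:
  version "3.0.1"

hono@^4.12.16:
  version "4.12.16"
`;

// Constructed lockfile excerpt after adding the fast-uri resolution and bumping hono.
const AFTER_LOCK = `# constructed sample, not the project's yarn.lock
ajv@^8.0.0:
  version "8.17.1"
  dependencies:
    fast-uri "^3.0.1"

"fast-uri@^3.0.1", "fast-uri@^3.1.2":
  version "3.1.2"

hono@^4.12.18:
  version "4.12.21"
`;

console.log("before:", findVulnerableEntries(BEFORE_LOCK, MINIMUMS));
console.log("after:", findVulnerableEntries(AFTER_LOCK, MINIMUMS));
console.log("fast-uri resolves to:", resolvedVersions(AFTER_LOCK, "fast-uri"));
```

Run it against the real lockfile by replacing the constructed strings with `fs.readFileSync("yarn.lock", "utf8")`; a non-empty findings list is the signal that a resolution was added but `yarn install` did not re-resolve the entry, which is exactly the case a Dependabot alert will keep reopening on.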
@jonathannorris jonathannorris requested a review from a team as a code owner May 20, 2026 13:37
Copilot AI review requested due to automatic review settings May 20, 2026 13:37
@cloudflare-workers-and-pages

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ✅ Deployment successful! (View logs) | devcycle-mcp-server | e3233b9 | May 20 2026, 01:39 PM |

@jonathannorris jonathannorris enabled auto-merge (squash) May 20, 2026 13:40

Copilot AI left a comment


Pull request overview

This PR resolves outstanding Dependabot security alerts by updating dependency versions across the Yarn workspace, primarily via package.json resolutions and an explicit bump of hono in the mcp-worker workspace.

Changes:

  • Bump hono minimum version via root resolutions, and align mcp-worker to ^4.12.18 (lock resolves to 4.12.21).
  • Add a Yarn resolution to force fast-uri to ^3.1.2 (lock resolves to 3.1.2).
  • Update yarn.lock to reflect the new resolved versions.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated no comments.

| File | Description |
|---|---|
| yarn.lock | Updates locked versions for hono and fast-uri to pick up patched releases. |
| package.json | Adjusts Yarn resolutions to enforce non-vulnerable versions for hono and fast-uri. |
| mcp-worker/package.json | Updates direct hono dependency range to ^4.12.18 to match the security bump intent. |


@jonathannorris jonathannorris merged commit 7a9840e into main May 20, 2026
11 checks passed
@jonathannorris jonathannorris deleted the chore/dependabot-alerts branch May 20, 2026 20:33
3 participants