From 9331aa94a40a0f7b142c70625c725ac94d02e813 Mon Sep 17 00:00:00 2001 From: What If We Dig Deeper <1247548+WhatIfWeDigDeeper@users.noreply.github.com> Date: Wed, 6 May 2026 08:06:54 -0400 Subject: [PATCH 1/3] fix(deps): bump simple-git in nuxt-api to patch GHSA-hffm-xvc3-vprc MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Resolves the high-severity Remote Code Execution advisory by bumping the transitive simple-git from 3.35.2 to 3.36.0 (via npm audit fix). Pulled in via nuxt → @nuxt/devtools → simple-git. Other packages in the monorepo do not depend on simple-git, so no other lockfiles change. CI's audit:ci:all step was failing on this advisory.
---
 nuxt-api/package-lock.json | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/nuxt-api/package-lock.json b/nuxt-api/package-lock.json
index 13d8224d..3c2bfb5d 100644
--- a/nuxt-api/package-lock.json
+++ b/nuxt-api/package-lock.json
@@ -4056,18 +4056,18 @@ ] }, "node_modules/@simple-git/args-pathspec": { - "version": "1.0.2", - "resolved": "https://registry.npmjs.org/@simple-git/args-pathspec/-/args-pathspec-1.0.2.tgz", - "integrity": "sha512-nEFVejViHUoL8wU8GTcwqrvqfUG40S5ts6S4fr1u1Ki5CklXlRDYThPVA/qurTmCYFGnaX3XpVUmICLHdvhLaA==", + "version": "1.0.3", + "resolved": "https://registry.npmjs.org/@simple-git/args-pathspec/-/args-pathspec-1.0.3.tgz", + "integrity": "sha512-ngJMaHlsWDTfjyq9F3VIQ8b7NXbBLq5j9i5bJ6XLYtD6qlDXT7fdKY2KscWWUF8t18xx052Y/PUO1K1TRc9yKA==", "license": "MIT" }, "node_modules/@simple-git/argv-parser": { - "version": "1.0.3", - "resolved": "https://registry.npmjs.org/@simple-git/argv-parser/-/argv-parser-1.0.3.tgz", - "integrity": "sha512-NMKv9sJcSN2VvnPT9Ja7eKfGy8Q8mMFLwPTCcuZMtv3+mYcLIZflg31S/tp2XCCyiY7YAx6cgBHQ0fwA2fWHpQ==", + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/@simple-git/argv-parser/-/argv-parser-1.1.1.tgz", + "integrity": "sha512-Q9lBcfQ+VQCpQqGJFHe5yooOS5hGdLFFbJ5R+R5aDsnkPCahtn1hSkMcORX65J2Z5lxSkD0lQorMsncuBQxYUw==", "license": "MIT", "dependencies": { - "@simple-git/args-pathspec": "^1.0.2" + "@simple-git/args-pathspec": "^1.0.3" } }, "node_modules/@sindresorhus/is": { 
@@ -10180,15 +10180,15 @@ } }, "node_modules/simple-git": { - "version": "3.35.2", - "resolved": "https://registry.npmjs.org/simple-git/-/simple-git-3.35.2.tgz", - "integrity": "sha512-ZMjl06lzTm1EScxEGuM6+mEX+NQd14h/B3x0vWU+YOXAMF8sicyi1K4cjTfj5is+35ChJEHDl1EjypzYFWH2FA==", + "version": "3.36.0", + "resolved": "https://registry.npmjs.org/simple-git/-/simple-git-3.36.0.tgz", + "integrity": "sha512-cGQjLjK8bxJw4QuYT7gxHw3/IouVESbhahSsHrX97MzCL1gu2u7oy38W6L2ZIGECEfIBG4BabsWDPjBxJENv9Q==", "license": "MIT", "dependencies": { "@kwsites/file-exists": "^1.1.1", "@kwsites/promise-deferred": "^1.1.1", - "@simple-git/args-pathspec": "^1.0.2", - "@simple-git/argv-parser": "^1.0.3", + "@simple-git/args-pathspec": "^1.0.3", + "@simple-git/argv-parser": "^1.1.0", "debug": "^4.4.0" }, "funding": { From 1ade966421ddc8bafda1ef0c5529b0bb6e148958 Mon Sep 17 00:00:00 2001 From: What If We Dig Deeper <1247548+WhatIfWeDigDeeper@users.noreply.github.com> Date: Wed, 6 May 2026 15:17:11 -0400 Subject: [PATCH 2/3] =?UTF-8?q?fix(deps):=20sync=20tanstack-start-ui=20loc?= =?UTF-8?q?kfile=20(seroval=201.5.2=20=E2=86=92=201.5.4)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CI's `cd tanstack-start-ui && npm ci` step has been failing on every PR against main with: npm error Invalid: lock file's seroval@1.5.2 does not satisfy seroval@1.5.4 npm error Invalid: lock file's seroval-plugins@1.5.2 does not satisfy seroval-plugins@1.5.4 `npm install` in tanstack-start-ui/ regenerates the lockfile to 1.5.4 for both packages, restoring `npm ci` and `audit-ci` to working order. Folded into this PR (the simple-git fix) because both are pre-existing main-level CI breakages blocking every open PR; landing them together unblocks the queue in one go. Co-Authored-By: Claude Opus 4.7 --- tanstack-start-ui/package-lock.json | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
diff --git a/tanstack-start-ui/package-lock.json b/tanstack-start-ui/package-lock.json
index dacadfd5..f9794a34 100644
--- a/tanstack-start-ui/package-lock.json
+++ b/tanstack-start-ui/package-lock.json
@@ -5761,18 +5761,18 @@ } }, "node_modules/seroval": { - "version": "1.5.2", - "resolved": "https://registry.npmjs.org/seroval/-/seroval-1.5.2.tgz", - "integrity": "sha512-xcRN39BdsnO9Tf+VzsE7b3JyTJASItIV1FVFewJKCFcW4s4haIKS3e6vj8PGB9qBwC7tnuOywQMdv5N4qkzi7Q==", + "version": "1.5.4", + "resolved": "https://registry.npmjs.org/seroval/-/seroval-1.5.4.tgz", + "integrity": "sha512-46uFvgrXTVxZcUorgSSRZ4y+ieqLLQRMlG4bnCZKW3qI6BZm7Rg4ntMW4p1mILEEBZWrFlcpp0AyIIlM6jD9iw==", "license": "MIT", "engines": { "node": ">=10" } }, "node_modules/seroval-plugins": { - "version": "1.5.2", - "resolved": "https://registry.npmjs.org/seroval-plugins/-/seroval-plugins-1.5.2.tgz", - "integrity": "sha512-qpY0Cl+fKYFn4GOf3cMiq6l72CpuVaawb6ILjubOQ+diJ54LfOWaSSPsaswN8DRPIPW4Yq+tE1k5aKd7ILyaFg==", + "version": "1.5.4", + "resolved": "https://registry.npmjs.org/seroval-plugins/-/seroval-plugins-1.5.4.tgz", + "integrity": "sha512-S0xQPhUTefAhNvNWFg0c1J8qJArHt5KdtJ/cFAofo06KD1MVSeFWyl4iiu+ApDIuw0WhjpOfCdgConOfAnLgkw==", "license": "MIT", "engines": { "node": ">=10" From ec44aef61e938a7dbe08f2c1c8aa6c7ff4b9fc52 Mon Sep 17 00:00:00 2001
From: What If We Dig Deeper <1247548+WhatIfWeDigDeeper@users.noreply.github.com> Date: Wed, 6 May 2026 15:31:34 -0400 Subject: [PATCH 3/3] =?UTF-8?q?fix(deps):=20sync=20react-apollo-ui=20lockf?= =?UTF-8?q?ile=20(seroval=201.5.2=20=E2=86=92=201.5.4)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit After the previous commit fixed tanstack-start-ui's lockfile, CI surfaced the same drift in react-apollo-ui — `cd react-apollo-ui && npm ci` was failing with the same seroval@1.5.2 vs 1.5.4 mismatch. `npm install` in react-apollo-ui/ regenerates its lockfile to match. tanstack-ui and nuxt-api both have seroval@1.5.2 in their lockfiles too, but their package.json constraints accept 1.5.2 cleanly — `npm install` didn't touch them. Only the two tanstack-start consumers (tanstack-start-ui, react-apollo-ui) needed bumping. Co-Authored-By: Claude Opus 4.7
---
 react-apollo-ui/package-lock.json | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/react-apollo-ui/package-lock.json b/react-apollo-ui/package-lock.json
index a96cb40d..2a32994a 100644
--- a/react-apollo-ui/package-lock.json
+++ b/react-apollo-ui/package-lock.json
@@ -5029,18 +5029,18 @@ } }, "node_modules/seroval": { - "version": "1.5.2", - "resolved": "https://registry.npmjs.org/seroval/-/seroval-1.5.2.tgz", - "integrity": "sha512-xcRN39BdsnO9Tf+VzsE7b3JyTJASItIV1FVFewJKCFcW4s4haIKS3e6vj8PGB9qBwC7tnuOywQMdv5N4qkzi7Q==", + "version": "1.5.4", + "resolved": "https://registry.npmjs.org/seroval/-/seroval-1.5.4.tgz", + "integrity": "sha512-46uFvgrXTVxZcUorgSSRZ4y+ieqLLQRMlG4bnCZKW3qI6BZm7Rg4ntMW4p1mILEEBZWrFlcpp0AyIIlM6jD9iw==", "license": "MIT", "engines": { "node": ">=10" } }, "node_modules/seroval-plugins": { - "version": "1.5.2", - "resolved": "https://registry.npmjs.org/seroval-plugins/-/seroval-plugins-1.5.2.tgz", - "integrity": "sha512-qpY0Cl+fKYFn4GOf3cMiq6l72CpuVaawb6ILjubOQ+diJ54LfOWaSSPsaswN8DRPIPW4Yq+tE1k5aKd7ILyaFg==", + "version": "1.5.4", + "resolved": "https://registry.npmjs.org/seroval-plugins/-/seroval-plugins-1.5.4.tgz", + "integrity": "sha512-S0xQPhUTefAhNvNWFg0c1J8qJArHt5KdtJ/cFAofo06KD1MVSeFWyl4iiu+ApDIuw0WhjpOfCdgConOfAnLgkw==", "license": "MIT", "engines": { "node": ">=10"