Skip to content

fix(security): update vulnerable dependencies#104

Merged
anoncam merged 1 commit intomainfrom
fix/dependency-security-updates
Jan 23, 2026
Merged

fix(security): update vulnerable dependencies#104
anoncam merged 1 commit intomainfrom
fix/dependency-security-updates

Conversation

@anoncam
Copy link
Owner

@anoncam anoncam commented Jan 23, 2026

Summary

  • openpgp: 6.1.0 → 6.2.2 — fixes CVE-2025-47934 (CVSS 8.7 HIGH)
  • wrangler: 4.20.0 → 4.60.0 — fixes CVE-2026-0933 (CVSS 7.7 HIGH)
  • mocha: 10.2.0 → 11.7.5 — updated to latest
  • chai: 5.0.0 → 6.2.2 — updated to latest

Security Analysis

Dependency analysis performed using Sonatype MCP tools which identified:

Package Vulnerability CVSS Severity
openpgp@6.1.0 CVE-2025-47934 8.7 🔴 HIGH
openpgp@6.1.0 sonatype-2013-0185 4.8 🟡 MEDIUM
wrangler@4.20.0 CVE-2026-0933 7.7 🔴 HIGH

Verification

  • ✅ TypeScript build passes
  • ✅ Test suite: 21/23 passing (2 pre-existing failures on main, unrelated to this change)
  • ✅ npm audit reduced from 5 vulnerabilities to 2 low-severity transitive issues
  • ✅ No breaking changes introduced

Test plan

  • Run npm run build — TypeScript compiles successfully
  • Run npm test — Same test results as main branch
  • Run npm audit — Vulnerability count reduced
  • Manual verification of CLI functionality

🤖 Generated with Claude Code

@anoncam @claude
fix(security): update vulnerable dependencies
40c0484 
- openpgp: 6.1.0 → 6.2.2 (fixes CVE-2025-47934, CVSS 8.7)
- wrangler: 4.20.0 → 4.60.0 (fixes CVE-2026-0933, CVSS 7.7)
- mocha: 10.2.0 → 11.7.5 (update)
- chai: 5.0.0 → 6.2.2 (update)

Security analysis performed via Sonatype MCP tools.
All builds pass. Pre-existing test failures unchanged.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@anoncam anoncam added minor New features that don't break backward compatibility javascript Pull requests that update javascript code labels Jan 23, 2026
@anoncam anoncam merged commit f3e15b3 into main Jan 23, 2026
3 checks passed
github-actions bot added a commit that referenced this pull request Jan 23, 2026
@github-actions
Bump version to 1.21.4
6b77d8b 
Version bump type: patch
PR: #104
Title: fix(security): update vulnerable dependencies
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

javascript Pull requests that update javascript code minor New features that don't break backward compatibility

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@anoncam