
fix(deps): refresh lockfile pins for vulnerable transitive deps#285

Merged
chargome merged 1 commit into sentry-v2 from cg/refresh-lockfile-vulns
Apr 24, 2026

Conversation

@chargome
Member

@chargome chargome commented Apr 20, 2026

Summary

Updates stale yarn.lock resolutions to patched versions within their existing semver ranges, plus fixes a build breakage in rrweb-worker.

Lockfile refreshes (no package.json changes):

  • basic-ftp 5.0.5 -> 5.3.0 (via puppeteer -> proxy-agent -> get-uri)
  • node-forge 1.3.1 -> 1.4.0 (via vite-plugin-web-extension -> web-ext-run -> @devicefarmer/adbkit)
  • picomatch 2.3.1 -> 2.3.2 (via chokidar, micromatch, @rollup/pluginutils)
  • picomatch 4.0.2 -> 4.0.4 (via @rollup/pluginutils)
  • flatted 3.3.2 -> 3.4.2 (via eslint -> flat-cache)

rrweb-worker build fix: Replaces rollup-plugin-typescript2 with @rollup/plugin-typescript — the old plugin can't parse import type syntax with the newer rollup version pulled in by the @rollup/plugin-terser v1 bump.

Breaking changes

  • Lockfile refreshes: none — all within existing semver ranges
  • rollup-plugin-typescript2 -> @rollup/plugin-typescript: drop-in replacement, same rollup plugin API. @rollup/plugin-typescript is the officially maintained plugin. Config options (tsconfig, sourceMap, inlineSourceMap, inlineSources) are compatible. Build verified passing.

Dependabot alerts resolved

  • Alert #249 (high) — basic-ftp CRLF injection
  • Alert #202 (critical) — basic-ftp path traversal
  • Alert #237 (high) — node-forge basicConstraints bypass
  • Alert #236 (high) — node-forge Ed25519 signature forgery
  • Alert #235 (high) — node-forge RSA-PKCS signature forgery
  • Alert #234 (high) — node-forge DoS via BigInteger.modInverse
  • Alert #164 (high) — node-forge ASN.1 unbounded recursion
  • Alert #163 (medium) — node-forge ASN.1 OID integer truncation
  • Alert #162 (high) — node-forge ASN.1 desynchronization
  • Alert #232 (medium) — picomatch POSIX class method injection
  • Alert #230 (medium) — picomatch POSIX class method injection (4.x)
  • Alert #229 (high) — picomatch ReDoS via extglob quantifiers
  • Alert #227 (high) — flatted prototype pollution via parse

🤖 Generated with Claude Code

Updates stale yarn.lock resolutions to patched versions within
their existing semver ranges — no package.json changes needed.

- basic-ftp 5.0.5 -> 5.3.0 (fixes path traversal + CRLF injection)
- node-forge 1.3.1 -> 1.4.0 (fixes cert chain bypass, signature
  forgery, and DoS via BigInteger.modInverse)
- picomatch 2.3.1 -> 2.3.2 (fixes POSIX class method injection)
- picomatch 4.0.2 -> 4.0.4 (fixes ReDoS + method injection)
- flatted 3.3.2 -> 3.4.2 (fixes prototype pollution via parse)

Also replaces rollup-plugin-typescript2 with @rollup/plugin-typescript
in rrweb-worker to fix build breakage from the @rollup/plugin-terser
v1 bump (the old plugin can't parse import type with newer rollup).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
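As an added check, not part of this PR or the repository's own tooling: a small script that parses a yarn.lock v1 file and reports any resolution of the packages listed above that is still below the patched version the description claims, checked per major line so that the picomatch 2.x and 4.x entries are each held to their own floor. The lockfile text is a constructed sample with a placeholder registry host; the v1 format, the `PATCHED` table and the function names are assumptions of this example, and the version floors are the ones the PR lists.

```javascript
// Added example, not code from PR #285 or its repository.
// Verifies that every yarn.lock (v1 format) resolution of a watched package is
// at or above the patched floor for its major line. The floors are the versions
// the PR description lists; everything else here is constructed.

// Patched floors per package, one per major line the lockfile may carry.
const PATCHED = {
  'basic-ftp': ['5.3.0'],
  'node-forge': ['1.4.0'],
  picomatch: ['2.3.2', '4.0.4'],
  flatted: ['3.4.2'],
};

// Constructed yarn.lock v1 snippet (placeholder registry host). It keeps one
// stale pin per kind of problem: basic-ftp below its floor, one of two picomatch
// lines below its floor, and a picomatch 3.x line that no floor covers.
const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@rollup/pluginutils@^5.0.0":
  version "5.1.0"
  resolved "https://registry.invalid/@rollup/pluginutils/-/pluginutils-5.1.0.tgz"
  dependencies:
    picomatch "^4.0.2"

basic-ftp@^5.0.0:
  version "5.0.5"
  resolved "https://registry.invalid/basic-ftp/-/basic-ftp-5.0.5.tgz"

flatted@^3.2.9:
  version "3.4.2"
  resolved "https://registry.invalid/flatted/-/flatted-3.4.2.tgz"

node-forge@^1.3.1:
  version "1.4.0"
  resolved "https://registry.invalid/node-forge/-/node-forge-1.4.0.tgz"

picomatch@^2.2.1, picomatch@^2.3.1:
  version "2.3.1"
  resolved "https://registry.invalid/picomatch/-/picomatch-2.3.1.tgz"

picomatch@^3.0.0:
  version "3.0.1"
  resolved "https://registry.invalid/picomatch/-/picomatch-3.0.1.tgz"

picomatch@^4.0.2:
  version "4.0.4"
  resolved "https://registry.invalid/picomatch/-/picomatch-4.0.4.tgz"
`;

// Parse yarn.lock v1 into { name, specs, version } entries. A header line starts
// at column 0, lists comma-separated "name@range" specifiers (quoted when the
// name is scoped) and ends with ':'; the indented body carries `version "x.y.z"`.
function parseYarnLockV1(text) {
  const entries = [];
  let current = null;
  for (const line of text.split('\n')) {
    if (line.trim() === '' || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      const specs = line
        .replace(/:\s*$/, '')
        .split(',')
        .map((s) => s.trim().replace(/^"|"$/g, ''));
      // Split on the last '@' so scoped names like @rollup/pluginutils survive.
      const name = specs[0].slice(0, specs[0].lastIndexOf('@'));
      current = { name, specs, version: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version\s+"([^"]+)"\s*$/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Numeric compare of dotted versions; a prerelease suffix is ignored for this
// check because every floor above is a plain release.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Report every watched resolution below its major line's floor, plus every
// watched resolution whose major line has no floor at all, so an unexpected
// extra copy of a package is surfaced for review rather than silently passed.
function findStalePins(lockText, floors = PATCHED) {
  const findings = [];
  for (const e of parseYarnLockV1(lockText)) {
    const lines = floors[e.name];
    if (!lines || !e.version) continue;
    const major = e.version.split('.')[0];
    const floor = lines.find((v) => v.split('.')[0] === major) || null;
    if (floor === null || compareVersions(e.version, floor) < 0) {
      findings.push({ name: e.name, version: e.version, floor, specs: e.specs });
    }
  }
  return findings;
}

for (const f of findStalePins(SAMPLE_LOCK)) {
  const why = f.floor ? `below patched ${f.floor}` : 'major line not covered by PATCHED';
  console.log(`${f.name}@${f.version} (${f.specs.join(', ')}): ${why}`);
}
```

To run it against a real lockfile, pass the file contents (for example `fs.readFileSync('yarn.lock', 'utf8')`) to `findStalePins`; an empty result means every watched major line resolves at or above its floor. Treating an uncovered major line as a finding is deliberate: a refresh that leaves a third copy of a package behind is exactly the case a reviewer wants pointed out.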
@chargome chargome force-pushed the cg/refresh-lockfile-vulns branch from 501daa8 to 2038970 on April 20, 2026 14:07

@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


Reviewed by Cursor Bugbot for commit 2038970. Configure here.

import commonjs from '@rollup/plugin-commonjs';
import resolve from '@rollup/plugin-node-resolve';
import typescript from 'rollup-plugin-typescript2';
import typescript from '@rollup/plugin-typescript';
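Review bot: this import now points rrweb-worker at a different package, so the description's "Lockfile refreshes (no package.json changes)" line should be scoped to the lockfile refreshes and the @rollup/plugin-typescript dependency change in rrweb-worker called out explicitly; while there, drop rollup-plugin-typescript2 from that package's dependencies so the old plugin does not linger in the lockfile. The local binding stays `typescript`, so the `plugins` call site is untouched by this hunk; the description lists tsconfig, sourceMap, inlineSourceMap and inlineSources as the options in use and cites a passing build, so please also confirm in the description that those are the only options passed, since any option specific to rollup-plugin-typescript2 would be silently ignored rather than fail.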

Plugin swap may break build with composite tsconfig

Medium Severity

Switching from rollup-plugin-typescript2 to @rollup/plugin-typescript while tsconfig.json has composite: true (which implies declaration: true) may cause a build failure. The @rollup/plugin-typescript docs require declarationDir to be set when declaration is enabled, but neither the plugin options nor the tsconfig specify declarationDir. The old plugin handled this differently. This change also goes beyond what the PR description claims ("No package.json changes — only the lockfile is updated").


@chargome chargome requested a review from logaretm April 22, 2026 11:01
@chargome chargome merged commit db898b9 into sentry-v2 Apr 24, 2026
22 of 23 checks passed
@chargome chargome deleted the cg/refresh-lockfile-vulns branch April 24, 2026 11:37