Update outdated dependencies (security + patches + minor bumps) #55
domleboss97 wants to merge 5 commits into main from
Fixes 4 HIGH audit vulnerabilities:
- GHSA-m732-5p4w-x69g: Improper Authorization
- GHSA-3vhc-576x-3qv4: JWK Auth JWT algorithm confusion
- GHSA-f67f-6cw9-8mq4: JWT Algorithm Confusion via Unsafe Default
- GHSA-4w98-8g87-3g3j: Body Limit Middleware Bypass
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- @changesets/changelog-github 0.5.1 → 0.5.2
- @changesets/cli 2.29.7 → 2.29.8
- @types/express 5.0.3 → 5.0.6
- did-jwt 8.0.15 → 8.0.18
- did-jwt-vc 4.0.13 → 4.0.16
- strip-ansi 7.1.0 → 7.1.2
- vitest 4.0.5 → 4.0.18
- yoctocolors 2.1.1 → 2.1.2
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Catalog:
- @hono/node-server 1.14.2 → 1.19.9
- jose 6.0.11 → 6.1.3
- viem 2.29.4 → 2.46.3
Packages:
- multiformats 13.3.4 → 13.4.2
- figlet 1.8.1 → 1.10.0
- drizzle-kit 0.31.1 → 0.31.9
Root dev dependencies:
- oxlint 1.47.0 → 1.50.0
- tsx 4.20.6 → 4.21.0
- turbo 2.5.8 → 2.8.10
- mintlify 4.2.183 → 4.2.377
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

tsdown 0.15 → 0.20 was attempted but reverted: it changes output extensions from .js/.d.ts to .mjs/.d.mts, requiring package.json export updates across all 8 packages (separate effort).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Auto-formatted 73 files to match updated oxfmt style rules.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Walkthrough
This pull request reorganizes import statements across multiple files for consistency, including reordering imports and removing blank lines between them. Several dependency versions are updated in package.json files and pnpm-workspace.yaml. A small number of runtime imports are converted to type-only imports where appropriate.
Actionable comments posted: 2
⚠️ Outside diff range comments (1)
packages/vc/src/signing/sign-credential.test.ts (1)
30-31: ⚠️ Potential issue | 🟡 Minor
Duplicate comment: // Generate an unsigned credential appears on two consecutive lines.
🧹 Proposed fix
-   // Generate an unsigned credential
    // Generate an unsigned credential
    const credential = createCredential({
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@packages/vc/src/signing/sign-credential.test.ts` around lines 30 - 31, Remove the duplicate comment "// Generate an unsigned credential" in sign-credential.test.ts so it only appears once; locate the repeated comment in the test for signing credentials (near the test that exercises signCredential / the unsigned credential setup) and delete the redundant line (or collapse into a single comment) to eliminate the duplicate while leaving the remaining comment intact.
🧹 Nitpick comments (1)
pnpm-workspace.yaml (1)
10-10: Security-critical update — verify aud claim opt-in for JWT middleware consumers
The hono bump to 4.12.2 resolves three HIGH-severity CVEs that were open against 4.7.10:
- CVE-2025-59139: the bodyLimit middleware could bypass the configured body size limit when conflicting Content-Length and Transfer-Encoding: chunked headers were present.
- CVE-2025-58362: the getPath utility contained a path-confusion flaw affecting versions 4.8.0–4.9.5 that could allow bypass of proxy-level ACLs.
- CVE-2025-62610: hono's JWT middleware did not validate the aud claim by default, so applications could accept tokens intended for other audiences (cross-service token mix-up).
Operational note for CVE-2025-62610: the fix adds a new verification.aud configuration option to allow RFC 7519-compliant audience validation; the change is classified as a security hardening improvement, but the lack of validation can still be considered a vulnerability in default deployments. Any route using jwt() middleware should explicitly configure verification: { aud: '<expected-audience>' } to actually benefit from this fix.
Also applies to: 13-14
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@pnpm-workspace.yaml` at line 10, Hono was bumped and now requires explicit audience validation for JWTs; audit all usages of the jwt() middleware (search for jwt(...) and any route registration using jwt()) and update their configuration to pass verification: { aud: '<expected-audience>' } (or an array of allowed audiences) so the middleware enforces the aud claim; ensure each route/service sets the correct expected audience string (or environment variable) and add tests/notes verifying tokens without the expected aud are rejected.
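The audience check the review comment above says consumers must opt into, written out as an added example (not hono's code and not part of this PR): it applies the RFC 7519 aud semantics (a case-sensitive string or array of strings) to constructed tokens, including the cross-service mix-up case where a token minted for one service is presented to another. The service URLs, helper names and tokens are all constructed for the example.

```javascript
// Added example, not hono's code: the RFC 7519 audience check that hono's jwt()
// middleware performs only when `verification: { aud }` is configured, per the
// review comment above. Service names, tokens and helper names are constructed.

/** Decode the payload segment of a compact JWS (the signature is NOT checked here). */
function decodePayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

/**
 * RFC 7519 section 4.1.3: aud is a case-sensitive string or an array of strings.
 * The token is acceptable only if at least one value names this service; a token
 * with no aud, or whose aud only names other services, must be rejected.
 */
function audienceMatches(payload, expected) {
  const accepted = new Set(Array.isArray(expected) ? expected : [expected]);
  if (payload.aud === undefined || payload.aud === null) return false;
  const audiences = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  return audiences.some((a) => typeof a === "string" && accepted.has(a));
}

/**
 * Claim check as middleware would run it after signature verification succeeds:
 * returns { ok: true, payload } or { ok: false, reason }.
 */
function checkAudience(token, expected) {
  let payload;
  try { payload = decodePayload(token); } catch (e) { return { ok: false, reason: e.message }; }
  if (!audienceMatches(payload, expected)) {
    return { ok: false, reason: `aud ${JSON.stringify(payload.aud)} does not name this service` };
  }
  return { ok: true, payload };
}

// Constructed sample tokens: header and signature segments are placeholders
// because only the payload is inspected in this example.
function makeUnsignedToken(payload) {
  const seg = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${seg({ alg: "HS256", typ: "JWT" })}.${seg(payload)}.placeholder-signature`;
}

const VERIFIER_AUD = "https://verifier.example/api"; // constructed
const ISSUER_AUD = "https://issuer.example/api";     // constructed

// Cross-service mix-up: a token minted for the issuer is presented to the verifier.
const mixedUp = makeUnsignedToken({ sub: "agent-1", aud: ISSUER_AUD });
const legit = makeUnsignedToken({ sub: "agent-1", aud: [ISSUER_AUD, VERIFIER_AUD] });
console.log(checkAudience(mixedUp, VERIFIER_AUD).ok, checkAudience(legit, VERIFIER_AUD).ok); // false true
```

Without the aud check, `mixedUp` would be accepted by the verifier purely on the strength of its signature, which is exactly the default the review comment warns about.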
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@examples/issuer/package.json`:
- Line 39: The package declares an incompatible pair: "drizzle-kit": "0.31.9"
and "drizzle-orm": "0.43.1"; fix by aligning versions in package.json—either
upgrade "drizzle-orm" to a version compatible with drizzle-kit@0.31.9 (check
drizzle-kit release notes for the minimum required drizzle-orm) or downgrade
"drizzle-kit" to a compatible release (e.g., "drizzle-kit": "0.22.0") so both
dependencies match and CLI/migration commands run without the runtime version
check error.
In `@packages/vc/package.json`:
- Around line 62-64: Add the did-jwt-vc package to the pnpm workspace catalog
and update packages/vc/package.json to reference it via "did-jwt-vc": "catalog:"
instead of the fixed "4.0.16"; specifically, add the did-jwt-vc entry to the
catalog section in pnpm-workspace.yaml and then replace the pinned dependency in
the dependencies block of packages/vc/package.json so the project uses the
workspace catalog reference (look for the existing "bit-buffers" and "valibot"
catalog entries to mirror).
⛔ Files ignored due to path filters (1)
pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
💤 Files with no reviewable changes (29)
- examples/issuer/src/db/queries/status-lists.ts
- examples/local-did-host/src/middleware/identities.ts
- examples/issuer/src/db/queries/credentials.ts
- examples/issuer/src/db/schema.ts
- packages/ack-id/src/controller-credential.ts
- packages/ack-pay/src/verify-payment-receipt.ts
- packages/keys/src/encoding/jwk.ts
- packages/vc/src/verification/verify-proof.test.ts
- packages/ack-pay/src/create-payment-request-token.ts
- packages/jwt/src/schemas/zod/v3.ts
- packages/vc/src/verification/is-expired.test.ts
- examples/issuer/src/routes/well-known.ts
- demos/identity-a2a/src/agent.ts
- examples/verifier/src/routes/well-known.ts
- packages/jwt/src/signer.ts
- packages/vc/src/verification/parse-jwt-credential.ts
- packages/ack-pay/src/create-payment-receipt.ts
- packages/did/src/did-resolvers/get-did-resolver.ts
- packages/vc/src/revocation/make-revocable.test.ts
- packages/ack-id/src/a2a/verify.ts
- packages/vc/src/verification/verify-proof.ts
- packages/vc/src/is-credential.ts
- packages/jwt/src/create-jwt.ts
- packages/jwt/src/schemas/zod/v4.ts
- packages/caip/src/schemas/schemas.test.ts
- tools/api-utils/src/validate-payload.ts
- examples/issuer/src/lib/credentials/build-signed-credential.test.ts
- examples/issuer/src/lib/credentials/build-signed-credential.ts
- packages/did/src/did-resolvers/web-did-resolver.test.ts
| "bit-buffers": "catalog:", | ||
| "did-jwt-vc": "4.0.13", | ||
| "did-jwt-vc": "4.0.16", | ||
| "valibot": "catalog:" |
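Review bot: the lockfile side of this bump is not visible in the review, since pnpm-lock.yaml is excluded by the !**/pnpm-lock.yaml path filter, so the resolved version and integrity that "did-jwt-vc": "4.0.16" actually lands cannot be checked from this hunk; confirm the lockfile entry was regenerated to 4.0.16 rather than left at 4.0.13, and since the neighbouring "bit-buffers" and "valibot" entries resolve through "catalog:", consider moving did-jwt-vc into the workspace catalog so a single place owns the version.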
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Check the pnpm-workspace.yaml catalog configuration
echo "=== Checking pnpm-workspace.yaml ==="
rg -A 50 'catalog:' pnpm-workspace.yaml | head -100
echo ""
echo "=== Checking packages/vc/package.json for did-jwt-vc ==="
rg -n 'did-jwt-vc' packages/vc/package.json
echo ""
echo "=== Checking other packages for did-jwt-vc usage ==="
rg -r '$FILENAME' 'did-jwt-vc' packages/*/package.json
Repository: agentcommercekit/ack
Length of output: 655
🏁 Script executed:
#!/bin/bash
# Check all external dependencies in package.json files to understand the pattern
echo "=== External dependencies in packages/vc/package.json ==="
rg -A 30 '"dependencies"' packages/vc/package.json | grep -E '("|:)'
echo ""
echo "=== External dependencies in other packages ==="
rg -A 20 '"dependencies"' packages/*/package.json | grep -v workspace | grep -v catalog | head -40
Repository: agentcommercekit/ack
Length of output: 2247
🏁 Script executed:
#!/bin/bash
# Check if there are any linting or configuration files enforcing dependency patterns
echo "=== Looking for dependency validation configs ==="
find . -maxdepth 2 -type f \( -name ".npmrc" -o -name "package.json" -o -name "*.yaml" -o -name "*.yml" \) | grep -v node_modules | head -20
echo ""
echo "=== Check root package.json for constraints ==="
head -30 package.json
echo ""
echo "=== Check for any pnpm-workspace configuration ==="
cat -n pnpm-workspace.yaml | head -50
Repository: agentcommercekit/ack
Length of output: 2023
Add did-jwt-vc to the pnpm workspace catalog and use the catalog reference for consistency.
The package.json inconsistently uses catalog: for bit-buffers and valibot but pins did-jwt-vc to 4.0.16. To align with the catalog pattern already established in this file, add did-jwt-vc to pnpm-workspace.yaml and reference it via catalog:.
♻️ Suggested changes
In pnpm-workspace.yaml, add to the catalog section:
viem: 2.46.3
zod: 3.25.4
+ did-jwt-vc: 4.0.16
In packages/vc/package.json:
- "did-jwt-vc": "4.0.16",
+ "did-jwt-vc": "catalog:",
📝 Committable suggestion
| "bit-buffers": "catalog:", | |
| "did-jwt-vc": "4.0.13", | |
| "did-jwt-vc": "4.0.16", | |
| "valibot": "catalog:" | |
| "bit-buffers": "catalog:", | |
| "did-jwt-vc": "catalog:", | |
| "valibot": "catalog:" |
Summary
- hono 4.7.10 → 4.12.2 fixing 4 HIGH audit vulnerabilities (improper authorization, JWT algorithm confusion, body limit bypass)
- @changesets/cli, vitest, did-jwt, did-jwt-vc, strip-ansi, yoctocolors, @types/express, @changesets/changelog-github
- @hono/node-server, jose, viem, multiformats, figlet, oxlint, tsx, turbo, mintlify, drizzle-kit
- oxfmt 0.32 → 0.35, oxlint-tsgolint 0.12 → 0.14 (+ codebase reformat for new oxfmt rules)
Skipped (major/breaking — separate efforts)
- tsdown 0.15 → 0.20 (changes output extensions .js → .mjs, requires updating all package.json exports)
- uuid 11 → 13, zod 3 → 4, @ai-sdk/valibot 0.1 → 2.0, wrap-ansi 9 → 10, vite-tsconfig-paths 5 → 6
- @a2a-js/sdk 0.2 → 0.3, @hono/standard-validator 0.1 → 0.2, @libsql/client 0.15 → 0.17
- @solana-program/*, drizzle-orm 0.43 → 0.45
Test plan
- pnpm run check passes (format + types + lint + test) — verified with clean cache
🤖 Generated with Claude Code