From f73f523bd18605b34ca487b80514c31b7ad98af9 Mon Sep 17 00:00:00 2001 From: Dan Draper Date: Fri, 3 Jul 2026 17:04:57 +1000 Subject: [PATCH 1/4] fix(deps): resolve all 26 open Dependabot alerts via active pnpm overrides MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Root cause: the root package.json has a top-level npm-format `overrides` block that pnpm ignores, so earlier fixes (next >=15.5.15, lodash >=4.18.0, postcss >=8.5.10, vite catalog pin) never took effect, and the catalog:security pins for next/vite were referenced by nothing. - Add range-scoped security overrides to pnpm-workspace.yaml (the active location): next, lodash, js-cookie, postcss, vite 7.x, esbuild 0.27/28, js-yaml 3.x/4.x - Reference catalog:security next from packages/nextjs devDependencies so the 15.5.18 pin actually resolves (peer range unchanged) - Give wizard an explicit @anthropic-ai/sdk ^0.106.0 dependency — the vulnerable 0.81.0 was a stale auto-installed peer of claude-agent-sdk (which wants >=0.93.0); overrides don't rewrite peer resolutions - Bump root js-yaml to ^4.2.0; temporarily exclude js-yaml from the 7-day cooldown (3.15.0 security release is 6 days old — remove the exclusion after 2026-07-04) Verified: no vulnerable versions remain in the lockfile; full turbo build (10 packages), wizard tests (139), and script tests (20) pass. --- package.json | 2 +- packages/nextjs/package.json | 1 + packages/wizard/package.json | 1 + pnpm-lock.yaml | 737 +++++++++++------------------------ pnpm-workspace.yaml | 19 + 5 files changed, 256 insertions(+), 504 deletions(-)
diff --git a/package.json b/package.json
index 0ee6eb63..82f6944c 100644
--- a/package.json
+++ b/package.json
@@ -58,7 +58,7 @@
 "@biomejs/biome": "^2.4.15",
 "@changesets/cli": "^2.31.0",
 "@types/node": "^22.19.19",
- "js-yaml": "^4.1.1",
+ "js-yaml": "^4.2.0",
 "rimraf": "^6.1.3",
 "turbo": "2.9.14",
 "vitest": "catalog:repo"
diff --git a/packages/nextjs/package.json b/packages/nextjs/package.json
index 5329fe44..228de4b0 100644
--- a/packages/nextjs/package.json
+++ b/packages/nextjs/package.json
@@ -39,6 +39,7 @@
 "devDependencies": {
 "@clerk/nextjs": "catalog:security",
 "dotenv": "^17.4.2",
+ "next": "catalog:security",
 "tsup": "catalog:repo",
 "typescript": "catalog:repo",
 "vitest": "catalog:repo"
diff --git a/packages/wizard/package.json b/packages/wizard/package.json
index 87c6c73e..9140c966 100644
--- a/packages/wizard/package.json
+++ b/packages/wizard/package.json
@@ -30,6 +30,7 @@
 },
 "dependencies": {
 "@anthropic-ai/claude-agent-sdk": "^0.3.143",
+ "@anthropic-ai/sdk": "^0.106.0",
 "@cipherstash/auth": "catalog:repo",
 "@clack/prompts": "1.4.0",
 "dotenv": "17.4.2",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index fdc113c9..7ce7bad6 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -43,6 +43,19 @@ catalogs: '@clerk/nextjs': specifier: 7.3.5 version: 7.3.5 + next: + specifier: 15.5.18 + version: 15.5.18 + +overrides: + next@<15.5.18: ~15.5.18 + lodash@<4.18.0: ^4.18.0 + js-cookie@<3.0.7: ^3.0.7 + postcss@<8.5.10: ^8.5.10 + vite@>=7.0.0 <7.3.5: ~7.3.5 + esbuild@>=0.27.3 <0.28.1: ^0.28.1 + js-yaml@<3.15.0: '>=3.15.0 <4' + js-yaml@>=4.0.0 <4.2.0: ^4.2.0 importers: @@ -58,8 +71,8 @@ importers: specifier: ^22.19.19 version: 22.19.19 js-yaml: - specifier: ^4.1.1 - version: 4.1.1 + specifier: ^4.2.0 + version: 4.3.0 rimraf: specifier: ^6.1.3 version: 6.1.3
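Review bot: In packages/nextjs/package.json the added `"next": "catalog:security"` sits under devDependencies, so it pins only this workspace's own install and test resolution, not what a consumer of the published package installs. The commit message says the peer range is unchanged, and the lockfile's previous specifier for this importer was `^14 || ^15`, so a downstream project can presumably still satisfy the peer with a Next.js release older than 15.5.18. If any of the alerts are reachable through this package's code, state the minimum patched Next.js versions in the package README or release notes, or tighten the peer range in a follow-up. The devDependencies object starts before and continues after this hunk.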
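Review bot: In packages/wizard/package.json nothing next to the new `"@anthropic-ai/sdk": "^0.106.0"` entry records why it is there. According to the commit message it exists to steer the peer resolution of `@anthropic-ai/claude-agent-sdk`. package.json cannot carry a comment, so an unused-dependency cleanup could later drop the line and let pnpm auto-install an older peer again. Record the reason wherever the workspace documents its security pins, or add a CI check on the resolved version in pnpm-lock.yaml, so the fix cannot regress silently. Because the entry is under `dependencies` it also ships with the wizard, and the lockfile shows 0.106.0 adding `standardwebhooks` 1.0.0 as a new transitive package, which deserves a look before release.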
@@ -358,16 +371,16 @@ importers: jose: specifier: ^6.2.3 version: 6.2.3 - next: - specifier: ^14 || ^15 - version: 15.5.10(react-dom@19.2.3(react@19.2.3))(react@19.2.3) devDependencies: '@clerk/nextjs': specifier: catalog:security - version: 7.3.5(next@15.5.10(react-dom@19.2.3(react@19.2.3))(react@19.2.3))(react-dom@19.2.3(react@19.2.3))(react@19.2.3) + version: 7.3.5(next@15.5.18(react-dom@19.2.3(react@19.2.3))(react@19.2.3))(react-dom@19.2.3(react@19.2.3))(react@19.2.3) dotenv: specifier: ^17.4.2 version: 17.4.2 + next: + specifier: catalog:security + version: 15.5.18(react-dom@19.2.3(react@19.2.3))(react@19.2.3) tsup: specifier: catalog:repo version: 8.5.1(jiti@2.7.0)(postcss@8.5.14)(tsx@4.22.1)(typescript@5.9.3)(yaml@2.9.0) @@ -562,7 +575,7 @@ importers: version: 0.26.0 evlog: specifier: 1.11.0 - version: 1.11.0(next@15.5.10(react-dom@19.2.3(react@19.2.3))(react@19.2.3))(react@19.2.3) + version: 1.11.0(next@15.5.18(react-dom@19.2.3(react@19.2.3))(react@19.2.3))(react@19.2.3) uuid: specifier: 14.0.0 version: 14.0.0 @@ -630,7 +643,10 @@ importers: dependencies: '@anthropic-ai/claude-agent-sdk': specifier: ^0.3.143 - version: 0.3.143(@anthropic-ai/sdk@0.81.0(zod@3.25.76))(@modelcontextprotocol/sdk@1.29.0(zod@3.25.76))(zod@3.25.76) + version: 0.3.143(@anthropic-ai/sdk@0.106.0(zod@3.25.76))(@modelcontextprotocol/sdk@1.29.0(zod@3.25.76))(zod@3.25.76) + '@anthropic-ai/sdk': + specifier: ^0.106.0 + version: 0.106.0(zod@3.25.76) '@cipherstash/auth': specifier: catalog:repo version: 0.40.0(@cipherstash/auth-darwin-arm64@0.40.0)(@cipherstash/auth-darwin-x64@0.40.0)(@cipherstash/auth-linux-arm64-gnu@0.40.0)(@cipherstash/auth-linux-x64-gnu@0.40.0)(@cipherstash/auth-linux-x64-musl@0.40.0)(@cipherstash/auth-win32-x64-msvc@0.40.0) 
@@ -742,8 +758,8 @@ packages: '@modelcontextprotocol/sdk': ^1.29.0 zod: ^4.0.0 - '@anthropic-ai/sdk@0.81.0': - resolution: {integrity: sha512-D4K5PvEV6wPiRtVlVsJHIUhHAmOZ6IT/I9rKlTf84gR7GyyAurPJK7z9BOf/AZqC5d1DhYQGJNKRmV+q8dGhgw==} + '@anthropic-ai/sdk@0.106.0': + resolution: {integrity: sha512-ufwVvYNDBj2dzOGupBCTaNzBLxqcTnGOzI4z8Wouxlt+mT3J3HuOmatgCy1VmwCHOUueqZ41ERhm0O99OUcbWA==} hasBin: true peerDependencies: zod: ^3.25.0 || ^4.0.0 @@ -1030,7 +1046,7 @@ packages: resolution: {integrity: sha512-Q2VaWLqnZrvWrbyQdji34fIBBHdZtRHjhd+BmW8a70Gxk2MKGgd9S7CzDFUBC/Q9jBjgGeZAZkH47WEK0opZow==} engines: {node: '>=20.9.0'} peerDependencies: - next: ^15.2.8 || ^15.3.8 || ^15.4.10 || ^15.5.9 || ^15.6.0-0 || ^16.0.10 || ^16.1.0-0 + next: ~15.5.18 react: ^18.0.0 || ~19.0.3 || ~19.1.4 || ~19.2.3 || ~19.3.0-0 react-dom: ^18.0.0 || ~19.0.3 || ~19.1.4 || ~19.2.3 || ~19.3.0-0 @@ -1079,14 +1095,8 @@ packages: cpu: [ppc64] os: [aix] - '@esbuild/aix-ppc64@0.27.7': - resolution: {integrity: sha512-EKX3Qwmhz1eMdEJokhALr0YiD0lhQNwDqkPYyPhiSwKrh7/4KRjQc04sZ8db+5DVVnZ1LmbNDI1uAMPEUBnQPg==} - engines: {node: '>=18'} - cpu: [ppc64] - os: [aix] - - '@esbuild/aix-ppc64@0.28.0': - resolution: {integrity: sha512-lhRUCeuOyJQURhTxl4WkpFTjIsbDayJHih5kZC1giwE+MhIzAb7mEsQMqMf18rHLsrb5qI1tafG20mLxEWcWlA==} + '@esbuild/aix-ppc64@0.28.1': + resolution: {integrity: sha512-Svl7tq8k/08+p6CXPpRjQ1fKX+1odH/BQbb48fV6fj3CWHhsoIOoY87w1oHXm0qEpkIK3ZfVgp0hed3XBXzXMQ==} engines: {node: '>=18'} cpu: [ppc64] os: [aix] 
@@ -1103,14 +1113,8 @@ packages: cpu: [arm64] os: [android] - '@esbuild/android-arm64@0.27.7': - resolution: {integrity: sha512-62dPZHpIXzvChfvfLJow3q5dDtiNMkwiRzPylSCfriLvZeq0a1bWChrGx/BbUbPwOrsWKMn8idSllklzBy+dgQ==} - engines: {node: '>=18'} - cpu: [arm64] - os: [android] - - '@esbuild/android-arm64@0.28.0': - resolution: {integrity: sha512-+WzIXQOSaGs33tLEgYPYe/yQHf0WTU0X42Jca3y8NWMbUVhp7rUnw+vAsRC/QiDrdD31IszMrZy+qwPOPjd+rw==} + '@esbuild/android-arm64@0.28.1': + resolution: {integrity: sha512-34EGEbCIAgosYz6goLcopX6Mo7NyGv9tfwEM2/7Ce2VcVRk568iSvniGWcUXIy7wEDR1wzolcxcriFVrWYcwBg==} engines: {node: '>=18'} cpu: [arm64] os: [android] @@ -1127,14 +1131,8 @@ packages: cpu: [arm] os: [android] - '@esbuild/android-arm@0.27.7': - resolution: {integrity: sha512-jbPXvB4Yj2yBV7HUfE2KHe4GJX51QplCN1pGbYjvsyCZbQmies29EoJbkEc+vYuU5o45AfQn37vZlyXy4YJ8RQ==} - engines: {node: '>=18'} - cpu: [arm] - os: [android] - - '@esbuild/android-arm@0.28.0': - resolution: {integrity: sha512-wqh0ByljabXLKHeWXYLqoJ5jKC4XBaw6Hk08OfMrCRd2nP2ZQ5eleDZC41XHyCNgktBGYMbqnrJKq/K/lzPMSQ==} + '@esbuild/android-arm@0.28.1': + resolution: {integrity: sha512-0k2F129Xdio1TdJfzJ8sy1Q47vUD2NnwdhiAf7drUN1EBTfPf4hsFCtmMgu/6m8JSzsBrlmVjudMBQqOfG8usQ==} engines: {node: '>=18'} cpu: [arm] os: [android] @@ -1151,14 +1149,8 @@ packages: cpu: [x64] os: [android] - '@esbuild/android-x64@0.27.7': - resolution: {integrity: sha512-x5VpMODneVDb70PYV2VQOmIUUiBtY3D3mPBG8NxVk5CogneYhkR7MmM3yR/uMdITLrC1ml/NV1rj4bMJuy9MCg==} - engines: {node: '>=18'} - cpu: [x64] - os: [android] - - '@esbuild/android-x64@0.28.0': - resolution: {integrity: sha512-+VJggoaKhk2VNNqVL7f6S189UzShHC/mR9EE8rDdSkdpN0KflSwWY/gWjDrNxxisg8Fp1ZCD9jLMo4m0OUfeUA==} + '@esbuild/android-x64@0.28.1': + resolution: {integrity: sha512-dbwY7ltSMDWsRatcRpCnES4F+im88OCUgGZjy52shC7GqHRE/cYlxNbB4Z4UpJswpcc4Qxd2oE/ufM0p61IKng==} engines: {node: '>=18'} cpu: [x64] os: [android] 
@@ -1175,14 +1167,8 @@ packages: cpu: [arm64] os: [darwin] - '@esbuild/darwin-arm64@0.27.7': - resolution: {integrity: sha512-5lckdqeuBPlKUwvoCXIgI2D9/ABmPq3Rdp7IfL70393YgaASt7tbju3Ac+ePVi3KDH6N2RqePfHnXkaDtY9fkw==} - engines: {node: '>=18'} - cpu: [arm64] - os: [darwin] - - '@esbuild/darwin-arm64@0.28.0': - resolution: {integrity: sha512-0T+A9WZm+bZ84nZBtk1ckYsOvyA3x7e2Acj1KdVfV4/2tdG4fzUp91YHx+GArWLtwqp77pBXVCPn2We7Letr0Q==} + '@esbuild/darwin-arm64@0.28.1': + resolution: {integrity: sha512-TZbWkQY7kvTAXbXUT7uVACR5cMHsDiSz9z7ZKAX/RTq/WJEk3QyRr0wZpNhBDX+/0CtdqUIJlOiodQcta6tY3Q==} engines: {node: '>=18'} cpu: [arm64] os: [darwin] @@ -1199,14 +1185,8 @@ packages: cpu: [x64] os: [darwin] - '@esbuild/darwin-x64@0.27.7': - resolution: {integrity: sha512-rYnXrKcXuT7Z+WL5K980jVFdvVKhCHhUwid+dDYQpH+qu+TefcomiMAJpIiC2EM3Rjtq0sO3StMV/+3w3MyyqQ==} - engines: {node: '>=18'} - cpu: [x64] - os: [darwin] - - '@esbuild/darwin-x64@0.28.0': - resolution: {integrity: sha512-fyzLm/DLDl/84OCfp2f/XQ4flmORsjU7VKt8HLjvIXChJoFFOIL6pLJPH4Yhd1n1gGFF9mPwtlN5Wf82DZs+LQ==} + '@esbuild/darwin-x64@0.28.1': + resolution: {integrity: sha512-zfdzgK9ACBNZLI/CyHTOx81SyNbM6YXn7rxSgX97VjyiPl9W1i4Ka4fgKECEoFCKGpvBj5qArWIGgQjOwkgskQ==} engines: {node: '>=18'} cpu: [x64] os: [darwin] @@ -1223,14 +1203,8 @@ packages: cpu: [arm64] os: [freebsd] - '@esbuild/freebsd-arm64@0.27.7': - resolution: {integrity: sha512-B48PqeCsEgOtzME2GbNM2roU29AMTuOIN91dsMO30t+Ydis3z/3Ngoj5hhnsOSSwNzS+6JppqWsuhTp6E82l2w==} - engines: {node: '>=18'} - cpu: [arm64] - os: [freebsd] - - '@esbuild/freebsd-arm64@0.28.0': - resolution: {integrity: sha512-l9GeW5UZBT9k9brBYI+0WDffcRxgHQD8ShN2Ur4xWq/NFzUKm3k5lsH4PdaRgb2w7mI9u61nr2gI2mLI27Nh3Q==} + '@esbuild/freebsd-arm64@0.28.1': + resolution: {integrity: sha512-wG2EA8ENdEI0qhkSZMjfqrdY+ziCYCPMmtZjjIwOmXFjmyzEHn+UUxk5of+SYsjtfs3VpnlC7QLzSI5hY/rOAw==} engines: {node: '>=18'} cpu: [arm64] os: [freebsd] 
@@ -1247,14 +1221,8 @@ packages: cpu: [x64] os: [freebsd] - '@esbuild/freebsd-x64@0.27.7': - resolution: {integrity: sha512-jOBDK5XEjA4m5IJK3bpAQF9/Lelu/Z9ZcdhTRLf4cajlB+8VEhFFRjWgfy3M1O4rO2GQ/b2dLwCUGpiF/eATNQ==} - engines: {node: '>=18'} - cpu: [x64] - os: [freebsd] - - '@esbuild/freebsd-x64@0.28.0': - resolution: {integrity: sha512-BXoQai/A0wPO6Es3yFJ7APCiKGc1tdAEOgeTNy3SsB491S3aHn4S4r3e976eUnPdU+NbdtmBuLncYir2tMU9Nw==} + '@esbuild/freebsd-x64@0.28.1': + resolution: {integrity: sha512-i7dZ9vQgnvSCzi/rYCXNgtF/U+eKZNJBzu3eTQbRgHnM7tNSizLOkRFAl3qzVc/Op/u5YkHHa4pf/3DOYHthLQ==} engines: {node: '>=18'} cpu: [x64] os: [freebsd] @@ -1271,14 +1239,8 @@ packages: cpu: [arm64] os: [linux] - '@esbuild/linux-arm64@0.27.7': - resolution: {integrity: sha512-RZPHBoxXuNnPQO9rvjh5jdkRmVizktkT7TCDkDmQ0W2SwHInKCAV95GRuvdSvA7w4VMwfCjUiPwDi0ZO6Nfe9A==} - engines: {node: '>=18'} - cpu: [arm64] - os: [linux] - - '@esbuild/linux-arm64@0.28.0': - resolution: {integrity: sha512-RVyzfb3FWsGA55n6WY0MEIEPURL1FcbhFE6BffZEMEekfCzCIMtB5yyDcFnVbTnwk+CLAgTujmV/Lgvih56W+A==} + '@esbuild/linux-arm64@0.28.1': + resolution: {integrity: sha512-yHs+0uc8+nvEAfAfxrWQKK5peSNzBc4PegcMO0EJ2hT71uA7vB8Ihg2e77R2P7SG5uYjPbHlLLmve4LLLRCf0g==} engines: {node: '>=18'} cpu: [arm64] os: [linux] @@ -1295,14 +1257,8 @@ packages: cpu: [arm] os: [linux] - '@esbuild/linux-arm@0.27.7': - resolution: {integrity: sha512-RkT/YXYBTSULo3+af8Ib0ykH8u2MBh57o7q/DAs3lTJlyVQkgQvlrPTnjIzzRPQyavxtPtfg0EopvDyIt0j1rA==} - engines: {node: '>=18'} - cpu: [arm] - os: [linux] - - '@esbuild/linux-arm@0.28.0': - resolution: {integrity: sha512-CjaaREJagqJp7iTaNQjjidaNbCKYcd4IDkzbwwxtSvjI7NZm79qiHc8HqciMddQ6CKvJT6aBd8lO9kN/ZudLlw==} + '@esbuild/linux-arm@0.28.1': + resolution: {integrity: sha512-qVXBOHQS+d5Y722GwJzJUtOLlX7km3CraOaGormF1pDtPd2C/l1SHRPgjLunLGe51Sh5YYWKMFDyV4SxgMQYTQ==} engines: {node: '>=18'} cpu: [arm] os: [linux] 
@@ -1319,14 +1275,8 @@ packages: cpu: [ia32] os: [linux] - '@esbuild/linux-ia32@0.27.7': - resolution: {integrity: sha512-GA48aKNkyQDbd3KtkplYWT102C5sn/EZTY4XROkxONgruHPU72l+gW+FfF8tf2cFjeHaRbWpOYa/uRBz/Xq1Pg==} - engines: {node: '>=18'} - cpu: [ia32] - os: [linux] - - '@esbuild/linux-ia32@0.28.0': - resolution: {integrity: sha512-KBnSTt1kxl9x70q+ydterVdl+Cn0H18ngRMRCEQfrbqdUuntQQ0LoMZv47uB97NljZFzY6HcfqEZ2SAyIUTQBQ==} + '@esbuild/linux-ia32@0.28.1': + resolution: {integrity: sha512-d1z4ZuP0ajrfz/FhGT4vv278rX8KnPPJx8i5+AtK7TYbx9Le9F1hyzurZpkEyjkGa9dUGhQow4C1NmeGvqxN2w==} engines: {node: '>=18'} cpu: [ia32] os: [linux] @@ -1343,14 +1293,8 @@ packages: cpu: [loong64] os: [linux] - '@esbuild/linux-loong64@0.27.7': - resolution: {integrity: sha512-a4POruNM2oWsD4WKvBSEKGIiWQF8fZOAsycHOt6JBpZ+JN2n2JH9WAv56SOyu9X5IqAjqSIPTaJkqN8F7XOQ5Q==} - engines: {node: '>=18'} - cpu: [loong64] - os: [linux] - - '@esbuild/linux-loong64@0.28.0': - resolution: {integrity: sha512-zpSlUce1mnxzgBADvxKXX5sl8aYQHo2ezvMNI8I0lbblJtp8V4odlm3Yzlj7gPyt3T8ReksE6bK+pT3WD+aJRg==} + '@esbuild/linux-loong64@0.28.1': + resolution: {integrity: sha512-M5sRjUVZrkm1OAPR3dlOYzNmN+loZKGVi1VUQGrwuqLcbR6qeAz+famMhjASeH3YVKvZz+zT1jlh/keC3Rj/lg==} engines: {node: '>=18'} cpu: [loong64] os: [linux] @@ -1367,14 +1311,8 @@ packages: cpu: [mips64el] os: [linux] - '@esbuild/linux-mips64el@0.27.7': - resolution: {integrity: sha512-KabT5I6StirGfIz0FMgl1I+R1H73Gp0ofL9A3nG3i/cYFJzKHhouBV5VWK1CSgKvVaG4q1RNpCTR2LuTVB3fIw==} - engines: {node: '>=18'} - cpu: [mips64el] - os: [linux] - - '@esbuild/linux-mips64el@0.28.0': - resolution: {integrity: sha512-2jIfP6mmjkdmeTlsX/9vmdmhBmKADrWqN7zcdtHIeNSCH1SqIoNI63cYsjQR8J+wGa4Y5izRcSHSm8K3QWmk3w==} + '@esbuild/linux-mips64el@0.28.1': + resolution: {integrity: sha512-mRObBZeHh2OxcBFPWE/FjylkRgZdYuiTR3vaTozquCGOH14iP9oN4x4Ge81CoIDYQrXmIxpFumJBu5MtZpnQJQ==} engines: {node: '>=18'} cpu: [mips64el] os: [linux] 
@@ -1391,14 +1329,8 @@ packages: cpu: [ppc64] os: [linux] - '@esbuild/linux-ppc64@0.27.7': - resolution: {integrity: sha512-gRsL4x6wsGHGRqhtI+ifpN/vpOFTQtnbsupUF5R5YTAg+y/lKelYR1hXbnBdzDjGbMYjVJLJTd2OFmMewAgwlQ==} - engines: {node: '>=18'} - cpu: [ppc64] - os: [linux] - - '@esbuild/linux-ppc64@0.28.0': - resolution: {integrity: sha512-bc0FE9wWeC0WBm49IQMPSPILRocGTQt3j5KPCA8os6VprfuJ7KD+5PzESSrJ6GmPIPJK965ZJHTUlSA6GNYEhg==} + '@esbuild/linux-ppc64@0.28.1': + resolution: {integrity: sha512-slScBsMAb3GFDcdrCgLwZtPYRoH2H/youv10QiZyRjmsP48fznoveWytSgCI/R0ZcUgpc0ZhIUEx6LHts8yrfQ==} engines: {node: '>=18'} cpu: [ppc64] os: [linux] @@ -1415,14 +1347,8 @@ packages: cpu: [riscv64] os: [linux] - '@esbuild/linux-riscv64@0.27.7': - resolution: {integrity: sha512-hL25LbxO1QOngGzu2U5xeXtxXcW+/GvMN3ejANqXkxZ/opySAZMrc+9LY/WyjAan41unrR3YrmtTsUpwT66InQ==} - engines: {node: '>=18'} - cpu: [riscv64] - os: [linux] - - '@esbuild/linux-riscv64@0.28.0': - resolution: {integrity: sha512-SQPZOwoTTT/HXFXQJG/vBX8sOFagGqvZyXcgLA3NhIqcBv1BJU1d46c0rGcrij2B56Z2rNiSLaZOYW5cUk7yLQ==} + '@esbuild/linux-riscv64@0.28.1': + resolution: {integrity: sha512-kw0owk1o0GFETUJyW0jc0G4Yzs0BHZn0JDZ8JRT088vjJYX777BAs1fDGxAC+q831qOs2DTC96mNsG2opdfyyQ==} engines: {node: '>=18'} cpu: [riscv64] os: [linux] @@ -1439,14 +1365,8 @@ packages: cpu: [s390x] os: [linux] - '@esbuild/linux-s390x@0.27.7': - resolution: {integrity: sha512-2k8go8Ycu1Kb46vEelhu1vqEP+UeRVj2zY1pSuPdgvbd5ykAw82Lrro28vXUrRmzEsUV0NzCf54yARIK8r0fdw==} - engines: {node: '>=18'} - cpu: [s390x] - os: [linux] - - '@esbuild/linux-s390x@0.28.0': - resolution: {integrity: sha512-SCfR0HN8CEEjnYnySJTd2cw0k9OHB/YFzt5zgJEwa+wL/T/raGWYMBqwDNAC6dqFKmJYZoQBRfHjgwLHGSrn3Q==} + '@esbuild/linux-s390x@0.28.1': + resolution: {integrity: sha512-/lAIjX8aYFRByhh6L5rYtPEDRqa9de/4V/juOXcta5frjvzXO4/sqEtyytse0g3zZFuWu5cDN0MkLz2qRDD2Ag==} engines: {node: '>=18'} cpu: [s390x] os: [linux] 
@@ -1463,26 +1383,14 @@ packages: cpu: [x64] os: [linux] - '@esbuild/linux-x64@0.27.7': - resolution: {integrity: sha512-hzznmADPt+OmsYzw1EE33ccA+HPdIqiCRq7cQeL1Jlq2gb1+OyWBkMCrYGBJ+sxVzve2ZJEVeePbLM2iEIZSxA==} + '@esbuild/linux-x64@0.28.1': + resolution: {integrity: sha512-u/anNYF2mmVOEDwLtnQ1wOr3EZ9sTNGLWrsYGYwHWzGA3Si84IOkHXlbWTD1NB+9/1lcnweYKO54uhxZydNzfA==} engines: {node: '>=18'} cpu: [x64] os: [linux] - '@esbuild/linux-x64@0.28.0': - resolution: {integrity: sha512-us0dSb9iFxIi8srnpl931Nvs65it/Jd2a2K3qs7fz2WfGPHqzfzZTfec7oxZJRNPXPnNYZtanmRc4AL/JwVzHQ==} - engines: {node: '>=18'} - cpu: [x64] - os: [linux] - - '@esbuild/netbsd-arm64@0.27.7': - resolution: {integrity: sha512-b6pqtrQdigZBwZxAn1UpazEisvwaIDvdbMbmrly7cDTMFnw/+3lVxxCTGOrkPVnsYIosJJXAsILG9XcQS+Yu6w==} - engines: {node: '>=18'} - cpu: [arm64] - os: [netbsd] - - '@esbuild/netbsd-arm64@0.28.0': - resolution: {integrity: sha512-CR/RYotgtCKwtftMwJlUU7xCVNg3lMYZ0RzTmAHSfLCXw3NtZtNpswLEj/Kkf6kEL3Gw+BpOekRX0BYCtklhUw==} + '@esbuild/netbsd-arm64@0.28.1': + resolution: {integrity: sha512-oks0DYbLwWMmaakTsCb+zL4E+aHRVLom9IJZOAthMQEPiQmydXHkziYEsGYRx0uNV/IjEKGAV941JzH02pflqw==} engines: {node: '>=18'} cpu: [arm64] os: [netbsd] 
@@ -1499,26 +1407,14 @@ packages: cpu: [x64] os: [netbsd] - '@esbuild/netbsd-x64@0.27.7': - resolution: {integrity: sha512-OfatkLojr6U+WN5EDYuoQhtM+1xco+/6FSzJJnuWiUw5eVcicbyK3dq5EeV/QHT1uy6GoDhGbFpprUiHUYggrw==} - engines: {node: '>=18'} - cpu: [x64] - os: [netbsd] - - '@esbuild/netbsd-x64@0.28.0': - resolution: {integrity: sha512-nU1yhmYutL+fQ71Kxnhg8uEOdC0pwEW9entHykTgEbna2pw2dkbFSMeqjjyHZoCmt8SBkOSvV+yNmm94aUrrqw==} + '@esbuild/netbsd-x64@0.28.1': + resolution: {integrity: sha512-aeL6lAnN89Hz43Mlh1G8ARasbuoYvSITDEx0tHh5b7jJnHcssqgjy9Yx430GDpmCa6OyrKoS0aNRjKundRizGg==} engines: {node: '>=18'} cpu: [x64] os: [netbsd] - '@esbuild/openbsd-arm64@0.27.7': - resolution: {integrity: sha512-AFuojMQTxAz75Fo8idVcqoQWEHIXFRbOc1TrVcFSgCZtQfSdc1RXgB3tjOn/krRHENUB4j00bfGjyl2mJrU37A==} - engines: {node: '>=18'} - cpu: [arm64] - os: [openbsd] - - '@esbuild/openbsd-arm64@0.28.0': - resolution: {integrity: sha512-cXb5vApOsRsxsEl4mcZ1XY3D4DzcoMxR/nnc4IyqYs0rTI8ZKmW6kyyg+11Z8yvgMfAEldKzP7AdP64HnSC/6g==} + '@esbuild/openbsd-arm64@0.28.1': + resolution: {integrity: sha512-MEFJe5C3R8pwXdZ5Y21oo6m7ePiS0d9pWucn99O/wvyJZChoIQKrQDxKrGeW8F5+T0okTHesAmDeiHDTIq0V/Q==} engines: {node: '>=18'} cpu: [arm64] os: [openbsd] 
@@ -1535,26 +1431,14 @@ packages: cpu: [x64] os: [openbsd] - '@esbuild/openbsd-x64@0.27.7': - resolution: {integrity: sha512-+A1NJmfM8WNDv5CLVQYJ5PshuRm/4cI6WMZRg1by1GwPIQPCTs1GLEUHwiiQGT5zDdyLiRM/l1G0Pv54gvtKIg==} + '@esbuild/openbsd-x64@0.28.1': + resolution: {integrity: sha512-i/ZLIOafE0Z8cI/XANJAixoJL/uRAoS2xOA3rb0xN+KK0K177cMAsQYkzHtBrtMXAKuAc7HGgcWiZ/sRC1Nxgw==} engines: {node: '>=18'} cpu: [x64] os: [openbsd] - '@esbuild/openbsd-x64@0.28.0': - resolution: {integrity: sha512-8wZM2qqtv9UP3mzy7HiGYNH/zjTA355mpeuA+859TyR+e+Tc08IHYpLJuMsfpDJwoLo1ikIJI8jC3GFjnRClzA==} - engines: {node: '>=18'} - cpu: [x64] - os: [openbsd] - - '@esbuild/openharmony-arm64@0.27.7': - resolution: {integrity: sha512-+KrvYb/C8zA9CU/g0sR6w2RBw7IGc5J2BPnc3dYc5VJxHCSF1yNMxTV5LQ7GuKteQXZtspjFbiuW5/dOj7H4Yw==} - engines: {node: '>=18'} - cpu: [arm64] - os: [openharmony] - - '@esbuild/openharmony-arm64@0.28.0': - resolution: {integrity: sha512-FLGfyizszcef5C3YtoyQDACyg95+dndv79i2EekILBofh5wpCa1KuBqOWKrEHZg3zrL3t5ouE5jgr94vA+Wb2w==} + '@esbuild/openharmony-arm64@0.28.1': + resolution: {integrity: sha512-ge+Z7EXFNt2BO1oAMsVpiQ8EwndV9i1xXerAeTIK7AtPs3bKFXQM7nlRxDSIUIMeueR1CNXxqztLzdNeReKBJg==} engines: {node: '>=18'} cpu: [arm64] os: [openharmony] @@ -1571,14 +1455,8 @@ packages: cpu: [x64] os: [sunos] - '@esbuild/sunos-x64@0.27.7': - resolution: {integrity: sha512-ikktIhFBzQNt/QDyOL580ti9+5mL/YZeUPKU2ivGtGjdTYoqz6jObj6nOMfhASpS4GU4Q/Clh1QtxWAvcYKamA==} - engines: {node: '>=18'} - cpu: [x64] - os: [sunos] - - '@esbuild/sunos-x64@0.28.0': - resolution: {integrity: sha512-1ZgjUoEdHZZl/YlV76TSCz9Hqj9h9YmMGAgAPYd+q4SicWNX3G5GCyx9uhQWSLcbvPW8Ni7lj4gDa1T40akdlw==} + '@esbuild/sunos-x64@0.28.1': + resolution: {integrity: sha512-BEjgtECkL3vY+SaSQ6nzVfiALUeFxpawyp8Jmf5PtYhf1Ug40N1h/hxlhts+f1FvSvarEigdxS3BlSMI2PJLcQ==} engines: {node: '>=18'} cpu: [x64] os: [sunos] 
@@ -1595,14 +1473,8 @@ packages: cpu: [arm64] os: [win32] - '@esbuild/win32-arm64@0.27.7': - resolution: {integrity: sha512-7yRhbHvPqSpRUV7Q20VuDwbjW5kIMwTHpptuUzV+AA46kiPze5Z7qgt6CLCK3pWFrHeNfDd1VKgyP4O+ng17CA==} - engines: {node: '>=18'} - cpu: [arm64] - os: [win32] - - '@esbuild/win32-arm64@0.28.0': - resolution: {integrity: sha512-Q9StnDmQ/enxnpxCCLSg0oo4+34B9TdXpuyPeTedN/6+iXBJ4J+zwfQI28u/Jl40nOYAxGoNi7mFP40RUtkmUA==} + '@esbuild/win32-arm64@0.28.1': + resolution: {integrity: sha512-lCv9eK/H6ZJWbE7bh2nw54CZ9M2nupBxJcTsdk/QQnWkdSjKGuxmmH8/GWrlT1eMmZfn4dGcCjRte397WqfQXA==} engines: {node: '>=18'} cpu: [arm64] os: [win32] @@ -1619,14 +1491,8 @@ packages: cpu: [ia32] os: [win32] - '@esbuild/win32-ia32@0.27.7': - resolution: {integrity: sha512-SmwKXe6VHIyZYbBLJrhOoCJRB/Z1tckzmgTLfFYOfpMAx63BJEaL9ExI8x7v0oAO3Zh6D/Oi1gVxEYr5oUCFhw==} - engines: {node: '>=18'} - cpu: [ia32] - os: [win32] - - '@esbuild/win32-ia32@0.28.0': - resolution: {integrity: sha512-zF3ag/gfiCe6U2iczcRzSYJKH1DCI+ByzSENHlM2FcDbEeo5Zd2C86Aq0tKUYAJJ1obRP84ymxIAksZUcdztHA==} + '@esbuild/win32-ia32@0.28.1': + resolution: {integrity: sha512-zvb/mB2bSCoJOpoCBgYKKpX6YM6mJBlBUVUtVj41DlZJVEB6/0CKlRYxP5wWl1C1ILiCoAU5wZZ4q1P3qeS6Eg==} engines: {node: '>=18'} cpu: [ia32] os: [win32] @@ -1643,14 +1509,8 @@ packages: cpu: [x64] os: [win32] - '@esbuild/win32-x64@0.27.7': - resolution: {integrity: sha512-56hiAJPhwQ1R4i+21FVF7V8kSD5zZTdHcVuRFMW0hn753vVfQN8xlx4uOPT4xoGH0Z/oVATuR82AiqSTDIpaHg==} - engines: {node: '>=18'} - cpu: [x64] - os: [win32] - - '@esbuild/win32-x64@0.28.0': - resolution: {integrity: sha512-pEl1bO9mfAmIC+tW5btTmrKaujg3zGtUmWNdCw/xs70FBjwAL3o9OEKNHvNmnyylD6ubxUERiEhdsL0xBQ9efw==} + '@esbuild/win32-x64@0.28.1': + resolution: {integrity: sha512-bm4Mowrv+GXMlpWX++EcXw/iLyd1o3+bJkC2DkWXYVvgZCqD/bSj9ctZeAMC3cIxgjRVR2Dufaiu4YPxr5gW1A==} engines: {node: '>=18'} cpu: [x64] os: [win32] 
@@ -1861,57 +1721,57 @@ packages: '@neon-rs/load@0.1.82': resolution: {integrity: sha512-H4Gu2o5kPp+JOEhRrOQCnJnf7X6sv9FBLttM/wSbb4efsgFWeHzfU/ItZ01E5qqEk+U6QGdeVO7lxXIAtYHr5A==} - '@next/env@15.5.10': - resolution: {integrity: sha512-plg+9A/KoZcTS26fe15LHg+QxReTazrIOoKKUC3Uz4leGGeNPgLHdevVraAAOX0snnUs3WkRx3eUQpj9mreG6A==} + '@next/env@15.5.18': + resolution: {integrity: sha512-hAV85Ckd9QR6RvH04MEKwsfLTksvFpO47j9xwtoIuvuPnlwecpSi+uZTtm8HirVbtlI2Fnz//xpcSTjFdyJk+g==} - '@next/swc-darwin-arm64@15.5.7': - resolution: {integrity: sha512-IZwtxCEpI91HVU/rAUOOobWSZv4P2DeTtNaCdHqLcTJU4wdNXgAySvKa/qJCgR5m6KI8UsKDXtO2B31jcaw1Yw==} + '@next/swc-darwin-arm64@15.5.18': + resolution: {integrity: sha512-w0WvQf1n+txiwns/9pwIQteCJpZTbxzO2SE0FLcwuD4v0WEh1JPOjdyxWL21XwJsdpx8cFRjyzxzCS/siP7HcQ==} engines: {node: '>= 10'} cpu: [arm64] os: [darwin] - '@next/swc-darwin-x64@15.5.7': - resolution: {integrity: sha512-UP6CaDBcqaCBuiq/gfCEJw7sPEoX1aIjZHnBWN9v9qYHQdMKvCKcAVs4OX1vIjeE+tC5EIuwDTVIoXpUes29lg==} + '@next/swc-darwin-x64@15.5.18': + resolution: {integrity: sha512-znn71QmDuxm+BOaglihMZfvyySMnNljkVIY5Z2TCssBmm+WqL6c19VhtH5ktFkHa8EZ2bnTUpcNcmNSQsg67og==} engines: {node: '>= 10'} cpu: [x64] os: [darwin] - '@next/swc-linux-arm64-gnu@15.5.7': - resolution: {integrity: sha512-NCslw3GrNIw7OgmRBxHtdWFQYhexoUCq+0oS2ccjyYLtcn1SzGzeM54jpTFonIMUjNbHmpKpziXnpxhSWLcmBA==} + '@next/swc-linux-arm64-gnu@15.5.18': + resolution: {integrity: sha512-yPPe5MNL+igZUa+OsqQJisqSfh6oarIuA1Q0BDxljGJhRQyZeP+WRHh7rs/jZUGMh5aY0YdIjXZG0VohkKkUdw==} engines: {node: '>= 10'} cpu: [arm64] os: [linux] libc: [glibc] - '@next/swc-linux-arm64-musl@15.5.7': - resolution: {integrity: sha512-nfymt+SE5cvtTrG9u1wdoxBr9bVB7mtKTcj0ltRn6gkP/2Nu1zM5ei8rwP9qKQP0Y//umK+TtkKgNtfboBxRrw==} + '@next/swc-linux-arm64-musl@15.5.18': + resolution: {integrity: sha512-glaCczEWIrHsokFZ3pP08U4BpKxwIdnT+txdOM32OBgpL9Yw4aqx8NejmgtZQZOdstQ5f0L3CasIZudzCuD+nw==} engines: {node: '>= 10'} cpu: [arm64] os: [linux] libc: [musl] - 
'@next/swc-linux-x64-gnu@15.5.7': - resolution: {integrity: sha512-hvXcZvCaaEbCZcVzcY7E1uXN9xWZfFvkNHwbe/n4OkRhFWrs1J1QV+4U1BN06tXLdaS4DazEGXwgqnu/VMcmqw==} + '@next/swc-linux-x64-gnu@15.5.18': + resolution: {integrity: sha512-oUfg2EgJmU3R0OCOWiokGFUTvZiPfXtriXiuF3YNxRoROCdgvTedHIzYoeKH34gsZxS/V7mHbfq2hpAHwhH1/A==} engines: {node: '>= 10'} cpu: [x64] os: [linux] libc: [glibc] - '@next/swc-linux-x64-musl@15.5.7': - resolution: {integrity: sha512-4IUO539b8FmF0odY6/SqANJdgwn1xs1GkPO5doZugwZ3ETF6JUdckk7RGmsfSf7ws8Qb2YB5It33mvNL/0acqA==} + '@next/swc-linux-x64-musl@15.5.18': + resolution: {integrity: sha512-JLxSP3KTd9iu/bvUMQxH7RJo9xKSHf55/6RPE4a6FTSZygGn7uvZbCej0AHXydwkggQGSD9UddSjwv6Xz5ESfA==} engines: {node: '>= 10'} cpu: [x64] os: [linux] libc: [musl] - '@next/swc-win32-arm64-msvc@15.5.7': - resolution: {integrity: sha512-CpJVTkYI3ZajQkC5vajM7/ApKJUOlm6uP4BknM3XKvJ7VXAvCqSjSLmM0LKdYzn6nBJVSjdclx8nYJSa3xlTgQ==} + '@next/swc-win32-arm64-msvc@15.5.18': + resolution: {integrity: sha512-ir1v7enP52K2HNz3tQQvwF+x7VNxBk1ciiZ18WBPvxf4C59IqdfmHPJYK3vH7rSxpuCVw/8C712wTXNAtEp+NA==} engines: {node: '>= 10'} cpu: [arm64] os: [win32] - '@next/swc-win32-x64-msvc@15.5.7': - resolution: {integrity: sha512-gMzgBX164I6DN+9/PGA+9dQiwmTkE4TloBNx8Kv9UiGARsr9Nba7IpcBRA1iTV9vwlYnrE3Uy6I7Aj6qLjQuqw==} + '@next/swc-win32-x64-msvc@15.5.18': + resolution: {integrity: sha512-LIu5me6QTANCd25E7I5uIEfvgQ06RK7tvHAbYo3zCb3VpxQEPvMcSpd87NwUABDT6MbGPdEGR5VRiK4PPTJhQg==} engines: {node: '>= 10'} cpu: [x64] os: [win32] @@ -2441,7 +2301,7 @@ packages: resolution: {integrity: sha512-EZOrpDbkKotFAP7wPAQV1UIyoGOk4oX7ynWhBhLB7v+meMHbQhU16oPpIYGTTe4oFlhpryGpgpcZP/sin3hYuw==} peerDependencies: msw: ^2.4.9 - vite: ^5.0.0 || ^6.0.0 || ^7.0.0-0 + vite: ~7.3.5 peerDependenciesMeta: msw: optional: true 
@@ -2558,7 +2418,7 @@ packages: resolution: {integrity: sha512-3WrrOuZiyaaZPWiEt4G3+IffISVC9HYlWueJEBWED4ZH4aIAC2PnkdnuRrR94M+w6yGWn4AglWtJtBI8YqvgoA==} engines: {node: ^12.20.0 || ^14.13.1 || >=16.0.0} peerDependencies: - esbuild: '>=0.18' + esbuild: ^0.28.1 bytes@3.1.2: resolution: {integrity: sha512-/Nf7TyzTx6S3yRJObOAV7956r8cr2+Oj8AC5dt8wSP3BQAoeX58NoHyCU8P8zGkNXStjTSi6fzO6F0pBdcYbEg==} @@ -2849,7 +2709,7 @@ packages: esbuild-register@3.6.0: resolution: {integrity: sha512-H2/S7Pm8a9CL1uhp9OvjwrBh5Pvx0H8qVOxNu8Wed9Y7qv56MPtq+GGM8RJpq6glYJn9Wspr8uw7l55uyinNeg==} peerDependencies: - esbuild: '>=0.12 <1' + esbuild: ^0.28.1 esbuild@0.18.20: resolution: {integrity: sha512-ceqxoedUrcayh7Y7ZX6NdbbDzGROiyVBgC4PriJThBKSVPWnnFHZAkfI1lJT8QFkOwH4qOS2SJkS4wvpGl8BpA==} @@ -2861,13 +2721,8 @@ packages: engines: {node: '>=12'} hasBin: true - esbuild@0.27.7: - resolution: {integrity: sha512-IxpibTjyVnmrIQo5aqNpCgoACA/dTKLTlhMHihVHhdkxKyPO1uBBthumT0rdHmcsk9uMonIWS0m4FljWzILh3w==} - engines: {node: '>=18'} - hasBin: true - - esbuild@0.28.0: - resolution: {integrity: sha512-sNR9MHpXSUV/XB4zmsFKN+QgVG82Cc7+/aaxJ8Adi8hyOac+EXptIp45QBPaVyX3N70664wRbTcLTOemCAnyqw==} + esbuild@0.28.1: + resolution: {integrity: sha512-HrJrvZv5ayxBzPfwphOoNzkzOIIlifzk0KJrGK2c8R4+LKpMtpYLQeUdjnwjWv/LZlkH2laZk+4w78pi99D4Vw==} engines: {node: '>=18'} hasBin: true @@ -2899,7 +2754,7 @@ packages: peerDependencies: '@nuxt/kit': ^4.3.1 h3: ^1.15.5 - next: '>=14.0.0' + next: ~15.5.18 nitro: ^3.0.1-alpha.2 nitropack: ^2.13.1 ofetch: ^1.5.1 
@@ -2964,8 +2819,8 @@ packages: fast-string-width@3.0.2: resolution: {integrity: sha512-gX8LrtNEI5hq8DVUfRQMbr5lpaS4nMIWV+7XEbXk2b8kiQIizgnlr12B4dA3ZEx3308ze0O4Q1R+cHts8kyUJg==} - fast-uri@3.1.3: - resolution: {integrity: sha512-i70LwGWUduXqzicKXWshooq+sWL1K3WUU5rKZNG/0i3a1OSoX3HqhH5WbWwTmqWfor4urUakGPiRQcleRZTwOg==} + fast-uri@3.1.2: + resolution: {integrity: sha512-rVjf7ArG3LTk+FS6Yw81V1DLuZl1bRbNrev6Tmd/9RaroeeRRJhAt7jg/6YFxbvAQXUCavSoZhPPj6oOx+5KjQ==} fast-wrap-ansi@0.2.0: resolution: {integrity: sha512-rLV8JHxTyhVmFYhBJuMujcrHqOT2cnO5Zxj37qROj23CP39GXubJRBUFF0z8KFK77Uc0SukZUf7JZhsVEQ6n8w==} @@ -3181,19 +3036,18 @@ packages: resolution: {integrity: sha512-34wB/Y7MW7bzjKRjUKTa46I2Z7eV62Rkhva+KkopW7Qvv/OSWBqvkSY7vusOPrNuZcUG3tApvdVgNB8POj3SPw==} engines: {node: '>=10'} - js-cookie@3.0.5: - resolution: {integrity: sha512-cEiJEAEoIbWfCZYKWhVwFuvPX1gETRYPw6LlaTKoxD3s2AkXzkCjnp6h0V77ozyqj0jakteJ4YqDJT830+lVGw==} - engines: {node: '>=14'} + js-cookie@3.0.8: + resolution: {integrity: sha512-yeJd4aNAdYZQjaon2bpD/Gb0B/omw7HQOsynXXcOiWVCacbBcPlgn8S/d1X6blFSaHao7ozqtW7NZW19xpCtIw==} js-tokens@9.0.1: resolution: {integrity: sha512-mxa9E9ITFOt0ban3j6L5MpjwegGz6lBQmM1IJkWeBZGcMxto50+eWdjC/52xDbS2vy0k7vIMK0Fe2wfL9OQSpQ==} - js-yaml@3.14.2: - resolution: {integrity: sha512-PMSmkqxr106Xa156c2M265Z+FTrPl+oxd/rgOQy2tijQeK5TxQ43psO1ZCwhVOSdnn+RzkzlRz/eY4BgJBYVpg==} + js-yaml@3.15.0: + resolution: {integrity: sha512-ttBQIIQPDeLjpPOohtUdXuXUVoA2uIB6fEH9HyJ7234s5mBJ5wTx20njxplLZQgLaOfpmPQA7X2t5AX6tIPbog==} hasBin: true - js-yaml@4.1.1: - resolution: {integrity: sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==} + js-yaml@4.3.0: + resolution: {integrity: sha512-1td788aAnnZ5qs7V2QIRl1owjtYpbKt749Y3xauqQgwIIGF/xXWz1wMTEBx5O3LK3lXLVuqXPdPxj2BoFHaW9Q==} hasBin: true json-schema-to-ts@3.1.1: 
@@ -3309,8 +3163,8 @@ packages: lodash.startcase@4.4.0: resolution: {integrity: sha512-+WKqsK294HMSc2jEbNgpHpd0JfIBhp7rEV4aqXWqFr6AlXov+SlcgB1Fv01y2kGe3Gc8nMW7VA0SrGuSkRfIEg==} - lodash@4.17.23: - resolution: {integrity: sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==} + lodash@4.18.1: + resolution: {integrity: sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==} long@5.3.2: resolution: {integrity: sha512-mNAgZ1GmyNhD7AuqnTG3/VQ26o760+ZYBPKjPvugO8+nLbYfX6TVpJPseBvopbdY+qpZ/lKUnmEc1LeZYS3QAA==} @@ -3389,11 +3243,6 @@ packages: resolution: {integrity: sha512-Tz09sEL2EEuv5fFowm419c1+a/jSMiBjI9gHxVLrVdbUkkNUUfjsVYs9pVZu5oCon/kmRh9TfLEObFtkVxmY0w==} engines: {node: '>=8.0.0'} - nanoid@3.3.11: - resolution: {integrity: sha512-N8SpfPUnUp1bK+PMYW8qSWdl9U+wwNWI4QKxOYDy9JAro3WMX7p2OeVRF9v+347pnakNevPmiHhNmZ2HbFA76w==} - engines: {node: ^10 || ^12 || ^13.7 || ^14 || >=15.0.1} - hasBin: true - nanoid@3.3.12: resolution: {integrity: sha512-ZB9RH/39qpq5Vu6Y+NmUaFhQR6pp+M2Xt76XBnEwDaGcVAqhlvxrl3B2bKS5D3NH3QR76v3aSrKaF/Kiy7lEtQ==} engines: {node: ^10 || ^12 || ^13.7 || ^14 || >=15.0.1} @@ -3403,8 +3252,8 @@ packages: resolution: {integrity: sha512-8Ofs/AUQh8MaEcrlq5xOX0CQ9ypTF5dl78mjlMNfOK08fzpgTHQRQPBxcPlEtIw0yRpws+Zo/3r+5WRby7u3Gg==} engines: {node: '>= 0.6'} - next@15.5.10: - resolution: {integrity: sha512-r0X65PNwyDDyOrWNKpQoZvOatw7BcsTPRKdwEqtc9cj3wv7mbBIk9tKed4klRaFXJdX0rugpuMTHslDrAU1bBg==} + next@15.5.18: + resolution: {integrity: sha512-eKL8zUJkX9Y5lE+RX/2YJoItVdGlIscyVyboeD9wSpp0PaGqjoA4tTpT2qPqz9ax+5IzGESyLSeZ/RCwbSZ2uQ==} engines: {node: ^18.18.0 || ^19.8.0 || >= 20.0.0} hasBin: true peerDependencies: @@ -3607,7 +3456,7 @@ packages: engines: {node: '>= 18'} peerDependencies: jiti: '>=1.21.0' - postcss: '>=8.0.9' + postcss: ^8.5.10 tsx: ^4.8.1 yaml: ^2.4.2 peerDependenciesMeta: 
@@ -3620,10 +3469,6 @@ packages: yaml: optional: true - postcss@8.4.31: - resolution: {integrity: sha512-PS08Iboia9mts/2ygV3eLpY5ghnUcfLV/EXTOW1E2qYxJKGGBUtNjN76FYHnMs36RmARn41bC0AZmn+rR0OVpQ==} - engines: {node: ^10 || ^12 || >=14} - postcss@8.5.14: resolution: {integrity: sha512-SoSL4+OSEtR99LHFZQiJLkT59C5B1amGO1NzTwj7TT1qCUgUO6hxOvzkOYxD+vMrXBM3XJIKzokoERdqQq/Zmg==} engines: {node: ^10 || ^12 || >=14} @@ -3997,7 +3842,7 @@ packages: peerDependencies: '@microsoft/api-extractor': ^7.36.0 '@swc/core': ^1 - postcss: ^8.4.12 + postcss: ^8.5.10 typescript: '>=4.5.0' peerDependenciesMeta: '@microsoft/api-extractor': @@ -4068,8 +3913,8 @@ packages: engines: {node: ^18.0.0 || ^20.0.0 || >=22.0.0} hasBin: true - vite@7.3.3: - resolution: {integrity: sha512-/4XH147Ui7OGTjg3HbdWe5arnZQSbfuRzdr9Ec7TQi5I7R+ir0Rlc9GIvD4v0XZurELqA035KVXJXpR61xhiTA==} + vite@7.3.6: + resolution: {integrity: sha512-4XP60spRGjSZFf1qYH+dJIkK2znL3zQfl9KkOV9MkkRR/3Dls0dxaBsQPTloEc5BLXWPL9vsOxopxyKoMmDueg==} engines: {node: ^20.19.0 || >=22.12.0} hasBin: true peerDependencies: @@ -4205,9 +4050,9 @@ snapshots: '@anthropic-ai/claude-agent-sdk-win32-x64@0.3.143': optional: true - '@anthropic-ai/claude-agent-sdk@0.3.143(@anthropic-ai/sdk@0.81.0(zod@3.25.76))(@modelcontextprotocol/sdk@1.29.0(zod@3.25.76))(zod@3.25.76)': + '@anthropic-ai/claude-agent-sdk@0.3.143(@anthropic-ai/sdk@0.106.0(zod@3.25.76))(@modelcontextprotocol/sdk@1.29.0(zod@3.25.76))(zod@3.25.76)': dependencies: - '@anthropic-ai/sdk': 0.81.0(zod@3.25.76) + '@anthropic-ai/sdk': 0.106.0(zod@3.25.76) '@modelcontextprotocol/sdk': 1.29.0(zod@3.25.76) zod: 3.25.76 optionalDependencies: @@ -4220,9 +4065,10 @@ snapshots: '@anthropic-ai/claude-agent-sdk-win32-arm64': 0.3.143 '@anthropic-ai/claude-agent-sdk-win32-x64': 0.3.143 - '@anthropic-ai/sdk@0.81.0(zod@3.25.76)': + '@anthropic-ai/sdk@0.106.0(zod@3.25.76)': dependencies: json-schema-to-ts: 3.1.1 + standardwebhooks: 1.0.0 optionalDependencies: zod: 3.25.76 
@@ -4230,7 +4076,7 @@ snapshots: dependencies: '@jsdevtools/ono': 7.1.3 '@types/json-schema': 7.0.15 - js-yaml: 4.1.1 + js-yaml: 4.3.0 '@ark/schema@0.56.0': dependencies: @@ -4387,7 +4233,7 @@ snapshots: '@changesets/parse@0.4.3': dependencies: '@changesets/types': 6.1.0 - js-yaml: 4.1.1 + js-yaml: 4.3.0 '@changesets/pre@2.0.2': dependencies: @@ -4540,12 +4386,12 @@ snapshots: - react - react-dom - '@clerk/nextjs@7.3.5(next@15.5.10(react-dom@19.2.3(react@19.2.3))(react@19.2.3))(react-dom@19.2.3(react@19.2.3))(react@19.2.3)': + '@clerk/nextjs@7.3.5(next@15.5.18(react-dom@19.2.3(react@19.2.3))(react@19.2.3))(react-dom@19.2.3(react@19.2.3))(react@19.2.3)': dependencies: '@clerk/backend': 3.4.9(react-dom@19.2.3(react@19.2.3))(react@19.2.3) '@clerk/react': 6.6.4(react-dom@19.2.3(react@19.2.3))(react@19.2.3) '@clerk/shared': 4.12.0(react-dom@19.2.3(react@19.2.3))(react@19.2.3) - next: 15.5.10(react-dom@19.2.3(react@19.2.3))(react@19.2.3) + next: 15.5.18(react-dom@19.2.3(react@19.2.3))(react@19.2.3) react: 19.2.3 react-dom: 19.2.3(react@19.2.3) server-only: 0.0.1 @@ -4563,7 +4409,7 @@ snapshots: '@tanstack/query-core': 5.100.9 dequal: 2.0.3 glob-to-regexp: 0.4.1 - js-cookie: 3.0.5 + js-cookie: 3.0.8 std-env: 3.10.0 optionalDependencies: react: 19.2.3 @@ -4595,10 +4441,7 @@ snapshots: '@esbuild/aix-ppc64@0.19.12': optional: true - '@esbuild/aix-ppc64@0.27.7': - optional: true - - '@esbuild/aix-ppc64@0.28.0': + '@esbuild/aix-ppc64@0.28.1': optional: true '@esbuild/android-arm64@0.18.20': @@ -4607,10 +4450,7 @@ snapshots: '@esbuild/android-arm64@0.19.12': optional: true - '@esbuild/android-arm64@0.27.7': - optional: true - - '@esbuild/android-arm64@0.28.0': + '@esbuild/android-arm64@0.28.1': optional: true '@esbuild/android-arm@0.18.20': 
@@ -4619,10 +4459,7 @@ snapshots: '@esbuild/android-arm@0.19.12': optional: true - '@esbuild/android-arm@0.27.7': - optional: true - - '@esbuild/android-arm@0.28.0': + '@esbuild/android-arm@0.28.1': optional: true '@esbuild/android-x64@0.18.20': @@ -4631,10 +4468,7 @@ snapshots: '@esbuild/android-x64@0.19.12': optional: true - '@esbuild/android-x64@0.27.7': - optional: true - - '@esbuild/android-x64@0.28.0': + '@esbuild/android-x64@0.28.1': optional: true '@esbuild/darwin-arm64@0.18.20': @@ -4643,10 +4477,7 @@ snapshots: '@esbuild/darwin-arm64@0.19.12': optional: true - '@esbuild/darwin-arm64@0.27.7': - optional: true - - '@esbuild/darwin-arm64@0.28.0': + '@esbuild/darwin-arm64@0.28.1': optional: true '@esbuild/darwin-x64@0.18.20': @@ -4655,10 +4486,7 @@ snapshots: '@esbuild/darwin-x64@0.19.12': optional: true - '@esbuild/darwin-x64@0.27.7': - optional: true - - '@esbuild/darwin-x64@0.28.0': + '@esbuild/darwin-x64@0.28.1': optional: true '@esbuild/freebsd-arm64@0.18.20': @@ -4667,10 +4495,7 @@ snapshots: '@esbuild/freebsd-arm64@0.19.12': optional: true - '@esbuild/freebsd-arm64@0.27.7': - optional: true - - '@esbuild/freebsd-arm64@0.28.0': + '@esbuild/freebsd-arm64@0.28.1': optional: true '@esbuild/freebsd-x64@0.18.20': @@ -4679,10 +4504,7 @@ snapshots: '@esbuild/freebsd-x64@0.19.12': optional: true - '@esbuild/freebsd-x64@0.27.7': - optional: true - - '@esbuild/freebsd-x64@0.28.0': + '@esbuild/freebsd-x64@0.28.1': optional: true '@esbuild/linux-arm64@0.18.20': @@ -4691,10 +4513,7 @@ snapshots: '@esbuild/linux-arm64@0.19.12': optional: true - '@esbuild/linux-arm64@0.27.7': - optional: true - - '@esbuild/linux-arm64@0.28.0': + '@esbuild/linux-arm64@0.28.1': optional: true '@esbuild/linux-arm@0.18.20': @@ -4703,10 +4522,7 @@ snapshots: '@esbuild/linux-arm@0.19.12': optional: true - '@esbuild/linux-arm@0.27.7': - optional: true - - '@esbuild/linux-arm@0.28.0': + '@esbuild/linux-arm@0.28.1': optional: true '@esbuild/linux-ia32@0.18.20': 
@@ -4715,10 +4531,7 @@ snapshots: '@esbuild/linux-ia32@0.19.12': optional: true - '@esbuild/linux-ia32@0.27.7': - optional: true - - '@esbuild/linux-ia32@0.28.0': + '@esbuild/linux-ia32@0.28.1': optional: true '@esbuild/linux-loong64@0.18.20': @@ -4727,10 +4540,7 @@ snapshots: '@esbuild/linux-loong64@0.19.12': optional: true - '@esbuild/linux-loong64@0.27.7': - optional: true - - '@esbuild/linux-loong64@0.28.0': + '@esbuild/linux-loong64@0.28.1': optional: true '@esbuild/linux-mips64el@0.18.20': @@ -4739,10 +4549,7 @@ snapshots: '@esbuild/linux-mips64el@0.19.12': optional: true - '@esbuild/linux-mips64el@0.27.7': - optional: true - - '@esbuild/linux-mips64el@0.28.0': + '@esbuild/linux-mips64el@0.28.1': optional: true '@esbuild/linux-ppc64@0.18.20': @@ -4751,10 +4558,7 @@ snapshots: '@esbuild/linux-ppc64@0.19.12': optional: true - '@esbuild/linux-ppc64@0.27.7': - optional: true - - '@esbuild/linux-ppc64@0.28.0': + '@esbuild/linux-ppc64@0.28.1': optional: true '@esbuild/linux-riscv64@0.18.20': @@ -4763,10 +4567,7 @@ snapshots: '@esbuild/linux-riscv64@0.19.12': optional: true - '@esbuild/linux-riscv64@0.27.7': - optional: true - - '@esbuild/linux-riscv64@0.28.0': + '@esbuild/linux-riscv64@0.28.1': optional: true '@esbuild/linux-s390x@0.18.20': @@ -4775,10 +4576,7 @@ snapshots: '@esbuild/linux-s390x@0.19.12': optional: true - '@esbuild/linux-s390x@0.27.7': - optional: true - - '@esbuild/linux-s390x@0.28.0': + '@esbuild/linux-s390x@0.28.1': optional: true '@esbuild/linux-x64@0.18.20': @@ -4787,16 +4585,10 @@ snapshots: '@esbuild/linux-x64@0.19.12': optional: true - '@esbuild/linux-x64@0.27.7': - optional: true - - '@esbuild/linux-x64@0.28.0': - optional: true - - '@esbuild/netbsd-arm64@0.27.7': + '@esbuild/linux-x64@0.28.1': optional: true - '@esbuild/netbsd-arm64@0.28.0': + '@esbuild/netbsd-arm64@0.28.1': optional: true '@esbuild/netbsd-x64@0.18.20': 
@@ -4805,16 +4597,10 @@ snapshots: '@esbuild/netbsd-x64@0.19.12': optional: true - '@esbuild/netbsd-x64@0.27.7': + '@esbuild/netbsd-x64@0.28.1': optional: true - '@esbuild/netbsd-x64@0.28.0': - optional: true - - '@esbuild/openbsd-arm64@0.27.7': - optional: true - - '@esbuild/openbsd-arm64@0.28.0': + '@esbuild/openbsd-arm64@0.28.1': optional: true '@esbuild/openbsd-x64@0.18.20': @@ -4823,16 +4609,10 @@ snapshots: '@esbuild/openbsd-x64@0.19.12': optional: true - '@esbuild/openbsd-x64@0.27.7': + '@esbuild/openbsd-x64@0.28.1': optional: true - '@esbuild/openbsd-x64@0.28.0': - optional: true - - '@esbuild/openharmony-arm64@0.27.7': - optional: true - - '@esbuild/openharmony-arm64@0.28.0': + '@esbuild/openharmony-arm64@0.28.1': optional: true '@esbuild/sunos-x64@0.18.20': @@ -4841,10 +4621,7 @@ snapshots: '@esbuild/sunos-x64@0.19.12': optional: true - '@esbuild/sunos-x64@0.27.7': - optional: true - - '@esbuild/sunos-x64@0.28.0': + '@esbuild/sunos-x64@0.28.1': optional: true '@esbuild/win32-arm64@0.18.20': @@ -4853,10 +4630,7 @@ snapshots: '@esbuild/win32-arm64@0.19.12': optional: true - '@esbuild/win32-arm64@0.27.7': - optional: true - - '@esbuild/win32-arm64@0.28.0': + '@esbuild/win32-arm64@0.28.1': optional: true '@esbuild/win32-ia32@0.18.20': @@ -4865,10 +4639,7 @@ snapshots: '@esbuild/win32-ia32@0.19.12': optional: true - '@esbuild/win32-ia32@0.27.7': - optional: true - - '@esbuild/win32-ia32@0.28.0': + '@esbuild/win32-ia32@0.28.1': optional: true '@esbuild/win32-x64@0.18.20': @@ -4877,10 +4648,7 @@ snapshots: '@esbuild/win32-x64@0.19.12': optional: true - '@esbuild/win32-x64@0.27.7': - optional: true - - '@esbuild/win32-x64@0.28.0': + '@esbuild/win32-x64@0.28.1': optional: true '@hono/node-server@1.19.14(hono@4.12.27)': @@ -5015,7 +4783,7 @@ snapshots: '@manypkg/find-root@1.1.0': dependencies: - '@babel/runtime': 7.29.2 + '@babel/runtime': 7.29.7 '@types/node': 12.20.55 find-up: 4.1.0 fs-extra: 8.1.0 
@@ -5053,30 +4821,30 @@ snapshots: '@neon-rs/load@0.1.82': {} - '@next/env@15.5.10': {} + '@next/env@15.5.18': {} - '@next/swc-darwin-arm64@15.5.7': + '@next/swc-darwin-arm64@15.5.18': optional: true - '@next/swc-darwin-x64@15.5.7': + '@next/swc-darwin-x64@15.5.18': optional: true - '@next/swc-linux-arm64-gnu@15.5.7': + '@next/swc-linux-arm64-gnu@15.5.18': optional: true - '@next/swc-linux-arm64-musl@15.5.7': + '@next/swc-linux-arm64-musl@15.5.18': optional: true - '@next/swc-linux-x64-gnu@15.5.7': + '@next/swc-linux-x64-gnu@15.5.18': optional: true - '@next/swc-linux-x64-musl@15.5.7': + '@next/swc-linux-x64-musl@15.5.18': optional: true - '@next/swc-win32-arm64-msvc@15.5.7': + '@next/swc-win32-arm64-msvc@15.5.18': optional: true - '@next/swc-win32-x64-msvc@15.5.7': + '@next/swc-win32-x64-msvc@15.5.18': optional: true '@noble/hashes@2.2.0': {} @@ -5140,7 +4908,7 @@ snapshots: closest-match: 1.3.3 colorette: 2.0.20 commander: 14.0.3 - esbuild: 0.28.0 + esbuild: 0.28.1 jsonc-parser: 3.3.1 package-manager-detector: 1.6.0 pathe: 2.0.3 
@@ -5654,21 +5422,21 @@ snapshots: chai: 5.3.3 tinyrainbow: 2.0.0 - '@vitest/mocker@3.2.6(vite@7.3.3(@types/node@22.19.19)(jiti@2.7.0)(lightningcss@1.30.2)(terser@5.44.1)(tsx@4.22.1)(yaml@2.9.0))': + '@vitest/mocker@3.2.6(vite@7.3.6(@types/node@22.19.19)(jiti@2.7.0)(lightningcss@1.30.2)(terser@5.44.1)(tsx@4.22.1)(yaml@2.9.0))': dependencies: '@vitest/spy': 3.2.6 estree-walker: 3.0.3 magic-string: 0.30.21 optionalDependencies: - vite: 7.3.3(@types/node@22.19.19)(jiti@2.7.0)(lightningcss@1.30.2)(terser@5.44.1)(tsx@4.22.1)(yaml@2.9.0) + vite: 7.3.6(@types/node@22.19.19)(jiti@2.7.0)(lightningcss@1.30.2)(terser@5.44.1)(tsx@4.22.1)(yaml@2.9.0) - '@vitest/mocker@3.2.6(vite@7.3.3(@types/node@25.8.0)(jiti@2.7.0)(lightningcss@1.30.2)(terser@5.44.1)(tsx@4.22.1)(yaml@2.9.0))': + '@vitest/mocker@3.2.6(vite@7.3.6(@types/node@25.8.0)(jiti@2.7.0)(lightningcss@1.30.2)(terser@5.44.1)(tsx@4.22.1)(yaml@2.9.0))': dependencies: '@vitest/spy': 3.2.6 estree-walker: 3.0.3 magic-string: 0.30.21 optionalDependencies: - vite: 7.3.3(@types/node@25.8.0)(jiti@2.7.0)(lightningcss@1.30.2)(terser@5.44.1)(tsx@4.22.1)(yaml@2.9.0) + vite: 7.3.6(@types/node@25.8.0)(jiti@2.7.0)(lightningcss@1.30.2)(terser@5.44.1)(tsx@4.22.1)(yaml@2.9.0) '@vitest/pretty-format@3.2.6': dependencies: @@ -5713,7 +5481,7 @@ snapshots: ajv@8.20.0: dependencies: fast-deep-equal: 3.1.3 - fast-uri: 3.1.3 + fast-uri: 3.1.2 json-schema-traverse: 1.0.0 require-from-string: 2.0.2 @@ -5780,9 +5548,9 @@ snapshots: buffer-from@1.1.2: {} - bundle-require@5.1.0(esbuild@0.27.7): + bundle-require@5.1.0(esbuild@0.28.1): dependencies: - esbuild: 0.27.7 + esbuild: 0.28.1 load-tsconfig: 0.2.5 bytes@3.1.2: {} 
@@ -6019,63 +5787,34 @@ snapshots: '@esbuild/win32-ia32': 0.19.12 '@esbuild/win32-x64': 0.19.12 - esbuild@0.27.7: - optionalDependencies: - '@esbuild/aix-ppc64': 0.27.7 - '@esbuild/android-arm': 0.27.7 - '@esbuild/android-arm64': 0.27.7 - '@esbuild/android-x64': 0.27.7 - '@esbuild/darwin-arm64': 0.27.7 - '@esbuild/darwin-x64': 0.27.7 - '@esbuild/freebsd-arm64': 0.27.7 - '@esbuild/freebsd-x64': 0.27.7 - '@esbuild/linux-arm': 0.27.7 - '@esbuild/linux-arm64': 0.27.7 - '@esbuild/linux-ia32': 0.27.7 - '@esbuild/linux-loong64': 0.27.7 - '@esbuild/linux-mips64el': 0.27.7 - '@esbuild/linux-ppc64': 0.27.7 - '@esbuild/linux-riscv64': 0.27.7 - '@esbuild/linux-s390x': 0.27.7 - '@esbuild/linux-x64': 0.27.7 - '@esbuild/netbsd-arm64': 0.27.7 - '@esbuild/netbsd-x64': 0.27.7 - '@esbuild/openbsd-arm64': 0.27.7 - '@esbuild/openbsd-x64': 0.27.7 - '@esbuild/openharmony-arm64': 0.27.7 - '@esbuild/sunos-x64': 0.27.7 - '@esbuild/win32-arm64': 0.27.7 - '@esbuild/win32-ia32': 0.27.7 - '@esbuild/win32-x64': 0.27.7 - - esbuild@0.28.0: + esbuild@0.28.1: optionalDependencies: - '@esbuild/aix-ppc64': 0.28.0 - '@esbuild/android-arm': 0.28.0 - '@esbuild/android-arm64': 0.28.0 - '@esbuild/android-x64': 0.28.0 - '@esbuild/darwin-arm64': 0.28.0 - '@esbuild/darwin-x64': 0.28.0 - '@esbuild/freebsd-arm64': 0.28.0 - '@esbuild/freebsd-x64': 0.28.0 - '@esbuild/linux-arm': 0.28.0 - '@esbuild/linux-arm64': 0.28.0 - '@esbuild/linux-ia32': 0.28.0 - '@esbuild/linux-loong64': 0.28.0 - '@esbuild/linux-mips64el': 0.28.0 - '@esbuild/linux-ppc64': 0.28.0 - '@esbuild/linux-riscv64': 0.28.0 - '@esbuild/linux-s390x': 0.28.0 - '@esbuild/linux-x64': 0.28.0 - '@esbuild/netbsd-arm64': 0.28.0 - '@esbuild/netbsd-x64': 0.28.0 - '@esbuild/openbsd-arm64': 0.28.0 - '@esbuild/openbsd-x64': 0.28.0 - '@esbuild/openharmony-arm64': 0.28.0 - '@esbuild/sunos-x64': 0.28.0 - '@esbuild/win32-arm64': 0.28.0 - '@esbuild/win32-ia32': 0.28.0 - '@esbuild/win32-x64': 0.28.0 + '@esbuild/aix-ppc64': 0.28.1 + '@esbuild/android-arm': 0.28.1 + 
'@esbuild/android-arm64': 0.28.1 + '@esbuild/android-x64': 0.28.1 + '@esbuild/darwin-arm64': 0.28.1 + '@esbuild/darwin-x64': 0.28.1 + '@esbuild/freebsd-arm64': 0.28.1 + '@esbuild/freebsd-x64': 0.28.1 + '@esbuild/linux-arm': 0.28.1 + '@esbuild/linux-arm64': 0.28.1 + '@esbuild/linux-ia32': 0.28.1 + '@esbuild/linux-loong64': 0.28.1 + '@esbuild/linux-mips64el': 0.28.1 + '@esbuild/linux-ppc64': 0.28.1 + '@esbuild/linux-riscv64': 0.28.1 + '@esbuild/linux-s390x': 0.28.1 + '@esbuild/linux-x64': 0.28.1 + '@esbuild/netbsd-arm64': 0.28.1 + '@esbuild/netbsd-x64': 0.28.1 + '@esbuild/openbsd-arm64': 0.28.1 + '@esbuild/openbsd-x64': 0.28.1 + '@esbuild/openharmony-arm64': 0.28.1 + '@esbuild/sunos-x64': 0.28.1 + '@esbuild/win32-arm64': 0.28.1 + '@esbuild/win32-ia32': 0.28.1 + '@esbuild/win32-x64': 0.28.1 escape-html@1.0.3: {} @@ -6093,9 +5832,9 @@ snapshots: dependencies: eventsource-parser: 3.1.0 - evlog@1.11.0(next@15.5.10(react-dom@19.2.3(react@19.2.3))(react@19.2.3))(react@19.2.3): + evlog@1.11.0(next@15.5.18(react-dom@19.2.3(react@19.2.3))(react@19.2.3))(react@19.2.3): optionalDependencies: - next: 15.5.10(react-dom@19.2.3(react@19.2.3))(react@19.2.3) + next: 15.5.18(react-dom@19.2.3(react@19.2.3))(react@19.2.3) react: 19.2.3 execa@9.6.1: @@ -6179,7 +5918,7 @@ snapshots: dependencies: fast-string-truncated-width: 3.0.3 - fast-uri@3.1.3: {} + fast-uri@3.1.2: {} fast-wrap-ansi@0.2.0: dependencies: @@ -6385,16 +6124,16 @@ snapshots: joycon@3.1.1: {} - js-cookie@3.0.5: {} + js-cookie@3.0.8: {} js-tokens@9.0.1: {} - js-yaml@3.14.2: + js-yaml@3.15.0: dependencies: argparse: 1.0.10 esprima: 4.0.1 - js-yaml@4.1.1: + js-yaml@4.3.0: dependencies: argparse: 2.0.1 @@ -6409,8 +6148,8 @@ snapshots: '@types/json-schema': 7.0.15 '@types/lodash': 4.17.21 is-glob: 4.0.3 - js-yaml: 4.1.1 - lodash: 4.17.23 + js-yaml: 4.3.0 + lodash: 4.18.1 minimist: 1.2.8 prettier: 3.7.4 tinyglobby: 0.2.15 
@@ -6487,7 +6226,7 @@ snapshots: lodash.startcase@4.4.0: {} - lodash@4.17.23: {} + lodash@4.18.1: {} long@5.3.2: optional: true @@ -6565,30 +6304,28 @@ snapshots: lru.min: 1.1.4 optional: true - nanoid@3.3.11: {} - nanoid@3.3.12: {} negotiator@1.0.0: {} - next@15.5.10(react-dom@19.2.3(react@19.2.3))(react@19.2.3): + next@15.5.18(react-dom@19.2.3(react@19.2.3))(react@19.2.3): dependencies: - '@next/env': 15.5.10 + '@next/env': 15.5.18 '@swc/helpers': 0.5.15 caniuse-lite: 1.0.30001760 - postcss: 8.4.31 + postcss: 8.5.14 react: 19.2.3 react-dom: 19.2.3(react@19.2.3) styled-jsx: 5.1.6(react@19.2.3) optionalDependencies: - '@next/swc-darwin-arm64': 15.5.7 - '@next/swc-darwin-x64': 15.5.7 - '@next/swc-linux-arm64-gnu': 15.5.7 - '@next/swc-linux-arm64-musl': 15.5.7 - '@next/swc-linux-x64-gnu': 15.5.7 - '@next/swc-linux-x64-musl': 15.5.7 - '@next/swc-win32-arm64-msvc': 15.5.7 - '@next/swc-win32-x64-msvc': 15.5.7 + '@next/swc-darwin-arm64': 15.5.18 + '@next/swc-darwin-x64': 15.5.18 + '@next/swc-linux-arm64-gnu': 15.5.18 + '@next/swc-linux-arm64-musl': 15.5.18 + '@next/swc-linux-x64-gnu': 15.5.18 + '@next/swc-linux-x64-musl': 15.5.18 + '@next/swc-win32-arm64-msvc': 15.5.18 + '@next/swc-win32-x64-msvc': 15.5.18 sharp: 0.34.5 transitivePeerDependencies: - '@babel/core' @@ -6756,12 +6493,6 @@ snapshots: tsx: 4.22.1 yaml: 2.9.0 - postcss@8.4.31: - dependencies: - nanoid: 3.3.11 - picocolors: 1.1.1 - source-map-js: 1.2.1 - postcss@8.5.14: dependencies: nanoid: 3.3.12 @@ -6834,7 +6565,7 @@ snapshots: read-yaml-file@1.1.0: dependencies: graceful-fs: 4.2.11 - js-yaml: 3.14.2 + js-yaml: 3.15.0 pify: 4.0.1 strip-bom: 3.0.0 @@ -6975,7 +6706,7 @@ snapshots: dependencies: '@img/colour': 1.0.0 detect-libc: 2.1.2 - semver: 7.8.0 + semver: 7.8.5 optionalDependencies: '@img/sharp-darwin-arm64': 0.34.5 '@img/sharp-darwin-x64': 0.34.5 
@@ -7173,12 +6904,12 @@ snapshots: tsup@8.5.1(jiti@2.7.0)(postcss@8.5.14)(tsx@4.22.1)(typescript@5.9.3)(yaml@2.9.0): dependencies: - bundle-require: 5.1.0(esbuild@0.27.7) + bundle-require: 5.1.0(esbuild@0.28.1) cac: 6.7.14 chokidar: 4.0.3 consola: 3.4.2 debug: 4.4.3 - esbuild: 0.27.7 + esbuild: 0.28.1 fix-dts-default-cjs-exports: 1.0.1 joycon: 3.1.1 picocolors: 1.1.1 @@ -7201,7 +6932,7 @@ snapshots: tsx@4.22.1: dependencies: - esbuild: 0.28.0 + esbuild: 0.28.1 optionalDependencies: fsevents: 2.3.3 @@ -7251,7 +6982,7 @@ snapshots: debug: 4.4.3 es-module-lexer: 1.7.0 pathe: 2.0.3 - vite: 7.3.3(@types/node@22.19.19)(jiti@2.7.0)(lightningcss@1.30.2)(terser@5.44.1)(tsx@4.22.1)(yaml@2.9.0) + vite: 7.3.6(@types/node@22.19.19)(jiti@2.7.0)(lightningcss@1.30.2)(terser@5.44.1)(tsx@4.22.1)(yaml@2.9.0) transitivePeerDependencies: - '@types/node' - jiti @@ -7272,7 +7003,7 @@ snapshots: debug: 4.4.3 es-module-lexer: 1.7.0 pathe: 2.0.3 - vite: 7.3.3(@types/node@25.8.0)(jiti@2.7.0)(lightningcss@1.30.2)(terser@5.44.1)(tsx@4.22.1)(yaml@2.9.0) + vite: 7.3.6(@types/node@25.8.0)(jiti@2.7.0)(lightningcss@1.30.2)(terser@5.44.1)(tsx@4.22.1)(yaml@2.9.0) transitivePeerDependencies: - '@types/node' - jiti @@ -7287,9 +7018,9 @@ snapshots: - tsx - yaml - vite@7.3.3(@types/node@22.19.19)(jiti@2.7.0)(lightningcss@1.30.2)(terser@5.44.1)(tsx@4.22.1)(yaml@2.9.0): + vite@7.3.6(@types/node@22.19.19)(jiti@2.7.0)(lightningcss@1.30.2)(terser@5.44.1)(tsx@4.22.1)(yaml@2.9.0): dependencies: - esbuild: 0.27.7 + esbuild: 0.28.1 fdir: 6.5.0(picomatch@4.0.4) picomatch: 4.0.4 postcss: 8.5.14 @@ -7304,9 +7035,9 @@ snapshots: tsx: 4.22.1 yaml: 2.9.0 - vite@7.3.3(@types/node@25.8.0)(jiti@2.7.0)(lightningcss@1.30.2)(terser@5.44.1)(tsx@4.22.1)(yaml@2.9.0): + vite@7.3.6(@types/node@25.8.0)(jiti@2.7.0)(lightningcss@1.30.2)(terser@5.44.1)(tsx@4.22.1)(yaml@2.9.0): dependencies: - esbuild: 0.27.7 + esbuild: 0.28.1 fdir: 6.5.0(picomatch@4.0.4) picomatch: 4.0.4 postcss: 8.5.14 
@@ -7325,7 +7056,7 @@ snapshots: dependencies: '@types/chai': 5.2.3 '@vitest/expect': 3.2.6 - '@vitest/mocker': 3.2.6(vite@7.3.3(@types/node@22.19.19)(jiti@2.7.0)(lightningcss@1.30.2)(terser@5.44.1)(tsx@4.22.1)(yaml@2.9.0)) + '@vitest/mocker': 3.2.6(vite@7.3.6(@types/node@22.19.19)(jiti@2.7.0)(lightningcss@1.30.2)(terser@5.44.1)(tsx@4.22.1)(yaml@2.9.0)) '@vitest/pretty-format': 3.2.6 '@vitest/runner': 3.2.6 '@vitest/snapshot': 3.2.6 @@ -7343,7 +7074,7 @@ snapshots: tinyglobby: 0.2.16 tinypool: 1.1.1 tinyrainbow: 2.0.0 - vite: 7.3.3(@types/node@22.19.19)(jiti@2.7.0)(lightningcss@1.30.2)(terser@5.44.1)(tsx@4.22.1)(yaml@2.9.0) + vite: 7.3.6(@types/node@22.19.19)(jiti@2.7.0)(lightningcss@1.30.2)(terser@5.44.1)(tsx@4.22.1)(yaml@2.9.0) vite-node: 3.2.4(@types/node@22.19.19)(jiti@2.7.0)(lightningcss@1.30.2)(terser@5.44.1)(tsx@4.22.1)(yaml@2.9.0) why-is-node-running: 2.3.0 optionalDependencies: @@ -7366,7 +7097,7 @@ snapshots: dependencies: '@types/chai': 5.2.3 '@vitest/expect': 3.2.6 - '@vitest/mocker': 3.2.6(vite@7.3.3(@types/node@25.8.0)(jiti@2.7.0)(lightningcss@1.30.2)(terser@5.44.1)(tsx@4.22.1)(yaml@2.9.0)) + '@vitest/mocker': 3.2.6(vite@7.3.6(@types/node@25.8.0)(jiti@2.7.0)(lightningcss@1.30.2)(terser@5.44.1)(tsx@4.22.1)(yaml@2.9.0)) '@vitest/pretty-format': 3.2.6 '@vitest/runner': 3.2.6 '@vitest/snapshot': 3.2.6 @@ -7384,7 +7115,7 @@ snapshots: tinyglobby: 0.2.16 tinypool: 1.1.1 tinyrainbow: 2.0.0 - vite: 7.3.3(@types/node@25.8.0)(jiti@2.7.0)(lightningcss@1.30.2)(terser@5.44.1)(tsx@4.22.1)(yaml@2.9.0) + vite: 7.3.6(@types/node@25.8.0)(jiti@2.7.0)(lightningcss@1.30.2)(terser@5.44.1)(tsx@4.22.1)(yaml@2.9.0) vite-node: 3.2.4(@types/node@25.8.0)(jiti@2.7.0)(lightningcss@1.30.2)(terser@5.44.1)(tsx@4.22.1)(yaml@2.9.0) why-is-node-running: 2.3.0 optionalDependencies: diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml index 25aa10de..89740b4e 100644 --- a/pnpm-workspace.yaml +++ b/pnpm-workspace.yaml 
@@ -27,6 +27,21 @@ catalogs: next: 15.5.18 vite: 8.0.13 +# Security overrides for open Dependabot alerts on transitive deps that +# Dependabot cannot PR against. Each selector is scoped to the vulnerable +# range so nothing outside it moves. NOTE: the top-level `overrides` block +# in the root package.json is npm-format and IGNORED by pnpm — overrides +# must live here (or under `pnpm.overrides`) to take effect. +overrides: + 'next@<15.5.18': '~15.5.18' + 'lodash@<4.18.0': '^4.18.0' + 'js-cookie@<3.0.7': '^3.0.7' + 'postcss@<8.5.10': '^8.5.10' + 'vite@>=7.0.0 <7.3.5': '~7.3.5' + 'esbuild@>=0.27.3 <0.28.1': '^0.28.1' + 'js-yaml@<3.15.0': '>=3.15.0 <4' + 'js-yaml@>=4.0.0 <4.2.0': '^4.2.0' + # Supply-chain hardening — see skills/stash-supply-chain-security/ # 7 days in minutes; mirrors the Dependabot cooldown so manual + automated # updates have the same community-discovery window. @@ -44,6 +59,10 @@ blockExoticSubdeps: true # WASM-inline variant); also tracked in lockstep # with protect-ffi for the WASM path. minimumReleaseAgeExclude: + # TEMPORARY (added 2026-07-03): js-yaml 3.15.0 is the security release for + # GHSA merge-key DoS and was published 6 days ago — one day short of the + # cooldown. Remove this entry once it has matured (after 2026-07-04). + - js-yaml - '@prisma-next/*' - '@cipherstash/protect-ffi' - '@cipherstash/protect-ffi-*' From d2322980e66b26f12bdf13d4e4244a2cdcc91ddc Mon Sep 17 00:00:00 2001 
From: Dan Draper Date: Fri, 3 Jul 2026 18:22:09 +1000 Subject: [PATCH 2/4] fix(deps): address code-review findings on the alert-cleanup branch MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Restore fast-uri 3.1.3: the lockfile regen let the 7-day cooldown demote ajv's fast-uri to 3.1.2, un-fixing GHSA-4c8g-83qw-93j6 / CVE-2026-13676; pin the patched release until it matures - Replace the js-yaml minimumReleaseAgeExclude entry (name-scoped, first-party-only list) with exact pins (3.15.0 / matured 4.2.0, evicting immature 4.3.0) installed via a one-off --config.minimumReleaseAge=0 run per SKILL.md; locked versions are not re-age-checked so normal installs need no bypass - Delete the inert npm-format overrides block and stale workspaces.catalogs duplicate from root package.json (dead config that contradicted the live pins; the overrides copy still pinned vulnerable js-yaml 4.1.1) - Annotate every override with its Dependabot alert + GHSA ID, note the esbuild-outside-tsup-range tradeoff, and document the wizard's @anthropic-ai/sdk dep as a peer-resolution pin (not unused) - Gate both escape hatches in the supply-chain e2e test: overrides must stay range-scoped and ≤12 entries; minimumReleaseAgeExclude must stay first-party-only - Fix SKILL.md's cooldown-bypass recipe: the documented --ignore-workspace-min-release-age flag does not exist in pnpm 10; the one-off equivalent is --config.minimumReleaseAge=0 with an exact pin Verified: full turbo build (10 pkgs), wizard tests (139), script tests (20), supply-chain e2e (14, incl. 2 new gates) all pass; frozen-lockfile install passes with no bypass. --- e2e/tests/supply-chain.e2e.test.ts | 38 +++++++++++ package.json | 73 --------------------- pnpm-lock.yaml | 29 ++++---- pnpm-workspace.yaml | 50 ++++++++++---- skills/stash-supply-chain-security/SKILL.md | 16 ++++- 5 files changed, 106 insertions(+), 100 deletions(-) 
diff --git a/e2e/tests/supply-chain.e2e.test.ts b/e2e/tests/supply-chain.e2e.test.ts
index 4b5da4b3..92704f70 100644
--- a/e2e/tests/supply-chain.e2e.test.ts
+++ b/e2e/tests/supply-chain.e2e.test.ts
@@ -46,6 +46,44 @@ describe('supply chain — pnpm configuration', () => {
 expect(Array.isArray(allow)).toBe(true)
 expect(allow.length).toBeLessThanOrEqual(3)
 })
+
+ it('minimumReleaseAgeExclude contains only first-party packages', () => {
+ // The cooldown exclusion list exists for first-party packages that ship
+ // on their own release cadence. Third-party security fixes must use the
+ // one-off bypass (`pnpm install --config.minimumReleaseAge=0` with an
+ // exact pin) instead — a name-scoped exclusion exempts every future
+ // release of the package. See SKILL.md "Bypass the install cooldown".
+ const ws = readYaml('pnpm-workspace.yaml') as {
+ minimumReleaseAgeExclude?: string[]
+ }
+ const FIRST_PARTY = [/^@prisma-next\//, /^@cipherstash\//]
+ for (const entry of ws.minimumReleaseAgeExclude ?? []) {
+ expect(
+ FIRST_PARTY.some((re) => re.test(entry)),
+ `"${entry}" is not a first-party cooldown exclusion`,
+ ).toBe(true)
+ }
+ })
+
+ it('security overrides stay range-scoped and remain a small allowlist (≤12 entries)', () => {
+ // Every override must be scoped to the advisory's vulnerable range
+ // (`pkg@`), never a blanket `pkg` pin — a blanket pin silently
+ // rewrites versions outside the vulnerable range forever. The count cap
+ // mirrors onlyBuiltDependencies: growth forces a conscious review.
+ const ws = readYaml('pnpm-workspace.yaml') as {
+ overrides?: Record
+ }
+ const selectors = Object.keys(ws.overrides ?? {})
+ expect(selectors.length).toBeLessThanOrEqual(12)
+ for (const selector of selectors) {
+ // A version-scoped selector has an `@` after the package name
+ // (position > 0 handles `@scope/pkg@range`).
+ expect(
+ selector.lastIndexOf('@') > 0,
+ `override "${selector}" is not scoped to a version range`,
+ ).toBe(true)
+ }
+ })
 })
 
 describe('supply chain — registry pinning (.npmrc)', () => {
diff --git a/package.json b/package.json
index 82f6944c..7de8e3a5 100644
--- a/package.json
+++ b/package.json
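Review bot: In the overrides test, `selector.lastIndexOf('@') > 0` only proves that an `@` follows the package name, so `pkg@`, `pkg@*` or a selector spanning a whole major line all count as "range-scoped" and the gate does not enforce what its comment promises. Extracting the range and rejecting the empty and wildcard cases would tighten it: `const range = selector.slice(selector.lastIndexOf('@') + 1).trim()` followed by `expect(range !== '' && range !== '*', ...).toBe(true)`. Both new tests also pass vacuously when the key is absent (`ws.overrides ?? {}`, `ws.minimumReleaseAgeExclude ?? []`), which is presumably intended but worth a one-line comment. The enclosing `describe` block starts outside the hunk.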
@@ -18,26 +18,6 @@
 "url": "git+https://github.com/cipherstash/protectjs.git"
 },
 "license": "MIT",
- "workspaces": {
- "packages": [
- "packages/*",
- "examples/*"
- ],
- "catalogs": {
- "repo": {
- "@cipherstash/auth": "0.40.0",
- "tsup": "8.4.0",
- "tsx": "4.19.3",
- "typescript": "5.6.3",
- "vitest": "3.1.3"
- },
- "security": {
- "@clerk/nextjs": "6.39.2",
- "next": "15.5.10",
- "vite": "6.4.1"
- }
- }
- },
 "scripts": {
 "build": "turbo build --filter './packages/*'",
 "build:js": "turbo build --filter './packages/protect' --filter './packages/nextjs'",
@@ -82,58 +62,5 @@
 "onlyBuiltDependencies": [
 "node-pty"
 ]
- },
- "overrides": {
- "@babel/runtime": "7.26.10",
- "brace-expansion@^5": ">=5.0.5",
- "body-parser": "2.2.1",
- "vite": "catalog:security",
- "pg": "^8.16.3",
- "postgres": "^3.4.7",
- "js-yaml": "4.1.1",
- "test-exclude": "^7.0.1",
- "glob": ">=11.1.0",
- "qs": ">=6.14.1",
- "lodash": ">=4.18.0",
- "minimatch": ">=10.2.3",
- "@isaacs/brace-expansion": ">=5.0.1",
- "fast-xml-parser": ">=5.3.4",
- "next": ">=15.5.15",
- "ajv": ">=8.18.0",
- "esbuild@<=0.24.2": ">=0.25.0",
- "picomatch@^4": ">=4.0.4",
- "picomatch@^2": ">=2.3.2",
- "rollup@>=4.0.0 <4.59.0": ">=4.59.0",
- "drizzle-orm": ">=0.45.2",
- "postcss": ">=8.5.10",
- "hono": ">=4.12.14",
- "@hono/node-server": ">=1.19.13",
- "@prisma-next/adapter-postgres": "0.6.0-dev.8",
- "@prisma-next/cli": "0.6.0-dev.8",
- "@prisma-next/config": "0.6.0-dev.8",
- "@prisma-next/contract": "0.6.0-dev.8",
- "@prisma-next/contract-authoring": "0.6.0-dev.8",
- "@prisma-next/driver-postgres": "0.6.0-dev.8",
- "@prisma-next/emitter": "0.6.0-dev.8",
- "@prisma-next/errors": "0.6.0-dev.8",
- "@prisma-next/family-sql": "0.6.0-dev.8",
- "@prisma-next/framework-components": "0.6.0-dev.8",
- "@prisma-next/ids": "0.6.0-dev.8",
- "@prisma-next/migration-tools": "0.6.0-dev.8",
- "@prisma-next/operations": "0.6.0-dev.8",
- "@prisma-next/psl-parser": "0.6.0-dev.8",
- "@prisma-next/psl-printer": "0.6.0-dev.8",
- "@prisma-next/sql-contract": "0.6.0-dev.8",
- "@prisma-next/sql-contract-emitter": "0.6.0-dev.8",
- "@prisma-next/sql-contract-psl": "0.6.0-dev.8",
- "@prisma-next/sql-contract-ts": "0.6.0-dev.8",
- "@prisma-next/sql-errors": "0.6.0-dev.8",
- "@prisma-next/sql-operations": "0.6.0-dev.8",
- "@prisma-next/sql-relational-core": "0.6.0-dev.8",
- "@prisma-next/sql-runtime": "0.6.0-dev.8",
- "@prisma-next/sql-schema-ir": "0.6.0-dev.8",
- "@prisma-next/target-postgres": "0.6.0-dev.8",
- "@prisma-next/ts-render": "0.6.0-dev.8",
- "@prisma-next/utils": "0.6.0-dev.8"
 }
 }
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 7ce7bad6..5f4dbc21 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -54,8 +54,9 @@ overrides: postcss@<8.5.10: ^8.5.10 vite@>=7.0.0 <7.3.5: ~7.3.5 esbuild@>=0.27.3 <0.28.1: ^0.28.1 - js-yaml@<3.15.0: '>=3.15.0 <4' - js-yaml@>=4.0.0 <4.2.0: ^4.2.0 + js-yaml@<3.15.0: 3.15.0 + js-yaml@>=4.0.0 <5: 4.2.0 + fast-uri@<3.1.3: 3.1.3 importers: @@ -71,8 +72,8 @@ importers: specifier: ^22.19.19 version: 22.19.19 js-yaml: - specifier: ^4.2.0 - version: 4.3.0 + specifier: 4.2.0 + version: 4.2.0 rimraf: specifier: ^6.1.3 version: 6.1.3 @@ -2819,8 +2820,8 @@ packages: fast-string-width@3.0.2: resolution: {integrity: sha512-gX8LrtNEI5hq8DVUfRQMbr5lpaS4nMIWV+7XEbXk2b8kiQIizgnlr12B4dA3ZEx3308ze0O4Q1R+cHts8kyUJg==} - fast-uri@3.1.2: - resolution: {integrity: sha512-rVjf7ArG3LTk+FS6Yw81V1DLuZl1bRbNrev6Tmd/9RaroeeRRJhAt7jg/6YFxbvAQXUCavSoZhPPj6oOx+5KjQ==} + fast-uri@3.1.3: + resolution: {integrity: sha512-i70LwGWUduXqzicKXWshooq+sWL1K3WUU5rKZNG/0i3a1OSoX3HqhH5WbWwTmqWfor4urUakGPiRQcleRZTwOg==} fast-wrap-ansi@0.2.0: resolution: {integrity: sha512-rLV8JHxTyhVmFYhBJuMujcrHqOT2cnO5Zxj37qROj23CP39GXubJRBUFF0z8KFK77Uc0SukZUf7JZhsVEQ6n8w==} @@ -3046,8 +3047,8 @@ packages: resolution: {integrity: sha512-ttBQIIQPDeLjpPOohtUdXuXUVoA2uIB6fEH9HyJ7234s5mBJ5wTx20njxplLZQgLaOfpmPQA7X2t5AX6tIPbog==} hasBin: true - js-yaml@4.3.0: - resolution: {integrity: sha512-1td788aAnnZ5qs7V2QIRl1owjtYpbKt749Y3xauqQgwIIGF/xXWz1wMTEBx5O3LK3lXLVuqXPdPxj2BoFHaW9Q==} + js-yaml@4.2.0: + resolution: {integrity: sha512-ePWsvanv0DWuDRsW8dnt+R4jQ31SCRCQ7hhNcPXZPsoBZiemuZNYGf7adZdqX2D86j6rvKp3RpCxVTSb8WQlOw==} hasBin: true json-schema-to-ts@3.1.1: @@ -4076,7 +4077,7 @@ snapshots: dependencies: '@jsdevtools/ono': 7.1.3 '@types/json-schema': 7.0.15 - js-yaml: 4.3.0 + js-yaml: 4.2.0 '@ark/schema@0.56.0': dependencies: 
@@ -4233,7 +4234,7 @@ snapshots: '@changesets/parse@0.4.3': dependencies: '@changesets/types': 6.1.0 - js-yaml: 4.3.0 + js-yaml: 4.2.0 '@changesets/pre@2.0.2': dependencies: @@ -5481,7 +5482,7 @@ snapshots: ajv@8.20.0: dependencies: fast-deep-equal: 3.1.3 - fast-uri: 3.1.2 + fast-uri: 3.1.3 json-schema-traverse: 1.0.0 require-from-string: 2.0.2 @@ -5918,7 +5919,7 @@ snapshots: dependencies: fast-string-truncated-width: 3.0.3 - fast-uri@3.1.2: {} + fast-uri@3.1.3: {} fast-wrap-ansi@0.2.0: dependencies: @@ -6133,7 +6134,7 @@ snapshots: argparse: 1.0.10 esprima: 4.0.1 - js-yaml@4.3.0: + js-yaml@4.2.0: dependencies: argparse: 2.0.1 @@ -6148,7 +6149,7 @@ snapshots: '@types/json-schema': 7.0.15 '@types/lodash': 4.17.21 is-glob: 4.0.3 - js-yaml: 4.3.0 + js-yaml: 4.2.0 lodash: 4.18.1 minimist: 1.2.8 prettier: 3.7.4 diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml index 89740b4e..28f6c490 100644 --- a/pnpm-workspace.yaml +++ b/pnpm-workspace.yaml 
@@ -27,20 +27,52 @@ catalogs: next: 15.5.18 vite: 8.0.13 -# Security overrides for open Dependabot alerts on transitive deps that -# Dependabot cannot PR against. Each selector is scoped to the vulnerable -# range so nothing outside it moves. NOTE: the top-level `overrides` block -# in the root package.json is npm-format and IGNORED by pnpm — overrides -# must live here (or under `pnpm.overrides`) to take effect. +# Security overrides for Dependabot alerts on transitive deps that Dependabot +# cannot PR against (it only PRs direct dependencies). Each selector is scoped +# to the advisory's vulnerable range, and each entry names its alert + advisory +# so it can be retired once the parent dependency moves past the range. +# NOTE: pnpm only reads overrides from here (or package.json `pnpm.overrides`); +# a top-level npm-format `overrides` block is silently ignored. +# +# Related, but NOT fixable as an override: @anthropic-ai/sdk (alert #128, +# GHSA-p7fg-763f-g4gf) is an auto-installed *peer* of claude-agent-sdk, and +# pnpm overrides rewrite peer ranges, not peer resolutions. It is fixed by an +# explicit dependency in packages/wizard — that dep is a peer-resolution pin +# (wizard never imports the sdk directly); do not remove it as "unused". overrides: + # #96, #115-#127 — Next.js middleware bypass / SSRF / DoS / XSS batch + # (GHSA-267c-6grr-h53f, GHSA-26hh-7cqf-hhc6, GHSA-36qx-fr4f-26g5, et al.) 'next@<15.5.18': '~15.5.18' + # #87 GHSA-f23m-r3pf-42rh, #88 GHSA-r5fr-rjxr-66jc — lodash _.unset / _.template 'lodash@<4.18.0': '^4.18.0' + # #133 GHSA-qjx8-664m-686j — js-cookie attribute injection 'js-cookie@<3.0.7': '^3.0.7' + # #102 GHSA-qx2v-qp2m-jg93 — postcss XSS via unescaped 'postcss@<8.5.10': '^8.5.10' + # #145 GHSA-fx2h-pf6j-xcff, #146 GHSA-v6wh-96g9-6wx3 — vite dev server (Windows) 'vite@>=7.0.0 <7.3.5': '~7.3.5' + # #142 GHSA-g7r4-m6w7-qqqr — esbuild dev server. 
0.28.1 is the FIRST patched + # release and sits outside tsup@8.5.1's declared ^0.27.0 (esbuild 0.x minors + # are breaking). Exercised builds pass; retire by bumping tsup once a release + # declares ^0.28. 'esbuild@>=0.27.3 <0.28.1': '^0.28.1' - 'js-yaml@<3.15.0': '>=3.15.0 <4' - 'js-yaml@>=4.0.0 <4.2.0': '^4.2.0' + # #153 GHSA-h67p-54hq-rp68 / CVE-2026-53550 — js-yaml merge-key DoS, 3.x line. + # Exact pin: 3.15.0 is the only patched 3.x release. Installed with the + # one-off --ignore-workspace-min-release-age bypass (published 2026-06-26, + # matures 2026-07-04) per SKILL.md, instead of a minimumReleaseAgeExclude + # entry. + 'js-yaml@<3.15.0': '3.15.0' + # #152 GHSA-h67p-54hq-rp68 / CVE-2026-53550 — js-yaml merge-key DoS, 4.x line. + # Exact-pinned to the MATURED 4.2.0 (4.3.0 is still inside the cooldown), and + # kept exact because a past js-yaml upgrade broke changesets — bump this + # deliberately and re-verify `changeset status`/`version` when you do. + 'js-yaml@>=4.0.0 <5': '4.2.0' + # Not a Dependabot alert — cooldown-regression guard. Re-resolving the + # lockfile let minimumReleaseAge demote ajv's fast-uri to 3.1.2, un-fixing + # GHSA-4c8g-83qw-93j6 / CVE-2026-13676 (host confusion via failed IDN + # canonicalization). Pin the patched release (published 2026-06-29, matures + # 2026-07-06); safe to relax to ^3.1.3 after that date. + 'fast-uri@<3.1.3': '3.1.3' # Supply-chain hardening — see skills/stash-supply-chain-security/ # 7 days in minutes; mirrors the Dependabot cooldown so manual + automated 
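Review bot: The `'js-yaml@>=4.0.0 <5': '4.2.0'` entry contradicts the header comment added in this same hunk, which says each selector is scoped to the advisory's vulnerable range. This selector matches every 4.x release, so it also pulls already-patched versions such as 4.3.0 back to 4.2.0, and it would hold back any later 4.x security release until someone edits the pin by hand. Unlike the fast-uri entry below it, it states no retirement condition. I would record the exception and the exit condition in the entry's comment, e.g. `# Deliberately wider than the vulnerable range: holds ALL 4.x at 4.2.0. Narrow back to a vulnerable-range selector once 4.3.0 clears the cooldown and changesets is re-verified.` The header sentence should also be softened to say "scoped to the vulnerable range unless noted".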
@@ -59,10 +91,6 @@ blockExoticSubdeps: true # WASM-inline variant); also tracked in lockstep # with protect-ffi for the WASM path. minimumReleaseAgeExclude: - # TEMPORARY (added 2026-07-03): js-yaml 3.15.0 is the security release for - # GHSA merge-key DoS and was published 6 days ago — one day short of the - # cooldown. Remove this entry once it has matured (after 2026-07-04). - - js-yaml - '@prisma-next/*' - '@cipherstash/protect-ffi' - '@cipherstash/protect-ffi-*' diff --git a/skills/stash-supply-chain-security/SKILL.md b/skills/stash-supply-chain-security/SKILL.md index d53fea90..31b14ada 100644 --- a/skills/stash-supply-chain-security/SKILL.md +++ b/skills/stash-supply-chain-security/SKILL.md @@ -135,11 +135,23 @@ Both require the npm org admin to register each `@cipherstash/*` package as a Tr When CVE response needs a patch faster than 7 days: +1. Pin the exact patched version (a pnpm override scoped to the vulnerable + range for transitive deps, or the manifest for direct deps) so the bypass + run can only admit that one release. +2. Run a one-off install with the cooldown disabled for that single run + (pnpm ≥ 10 has no dedicated flag; the CLI config override is the one-off + equivalent and does not persist): + ```bash -# pnpm flag for a one-off install: -pnpm install @ --ignore-workspace-min-release-age +pnpm install --config.minimumReleaseAge=0 ``` +Once the patched version is in `pnpm-lock.yaml`, normal and +`--frozen-lockfile` installs succeed without any bypass — locked versions are +not re-age-checked. Do NOT add third-party packages to +`minimumReleaseAgeExclude`: that list is for first-party packages only and a +name-scoped entry exempts every future release of the package until removed. + Document the bypass in the PR description (CVE ID, why the cooldown was the bottleneck) so the next reviewer can follow the reasoning. ### Add a new dev dependency From 674f75d35d6613b9510f7843b09a9eb8e4396c0f Mon Sep 17 00:00:00 2001 
From: Dan Draper Date: Fri, 3 Jul 2026 22:54:16 +1000 Subject: [PATCH 3/4] docs: align cooldown-bypass flag references with pnpm's canonical kebab-case form CodeRabbit flagged two doc issues on #545: - pnpm-workspace.yaml's js-yaml 3.x comment still cited the nonexistent --ignore-workspace-min-release-age flag - SKILL.md used --config.minimumReleaseAge=0 Empirically both --config.minimum-release-age and --config.minimumReleaseAge are applied by pnpm 10.33.2 (verified with a huge value forcing NO_MATURE_MATCHING_VERSION in a scratch project), but kebab-case is the docs-canonical form, so standardize on it everywhere. --- e2e/tests/supply-chain.e2e.test.ts | 2 +- pnpm-workspace.yaml | 2 +- skills/stash-supply-chain-security/SKILL.md | 5 +++-- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/e2e/tests/supply-chain.e2e.test.ts b/e2e/tests/supply-chain.e2e.test.ts index 92704f70..1c884318 100644 --- a/e2e/tests/supply-chain.e2e.test.ts +++ b/e2e/tests/supply-chain.e2e.test.ts @@ -50,7 +50,7 @@ describe('supply chain — pnpm configuration', () => { it('minimumReleaseAgeExclude contains only first-party packages', () => { // The cooldown exclusion list exists for first-party packages that ship // on their own release cadence. Third-party security fixes must use the - // one-off bypass (`pnpm install --config.minimumReleaseAge=0` with an + // one-off bypass (`pnpm install --config.minimum-release-age=0` with an // exact pin) instead — a name-scoped exclusion exempts every future // release of the package. See SKILL.md "Bypass the install cooldown". const ws = readYaml('pnpm-workspace.yaml') as { diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml index 28f6c490..f4ab662c 100644 --- a/pnpm-workspace.yaml +++ b/pnpm-workspace.yaml 
@@ -58,7 +58,7 @@ overrides: 'esbuild@>=0.27.3 <0.28.1': '^0.28.1' # #153 GHSA-h67p-54hq-rp68 / CVE-2026-53550 — js-yaml merge-key DoS, 3.x line. # Exact pin: 3.15.0 is the only patched 3.x release. Installed with the - # one-off --ignore-workspace-min-release-age bypass (published 2026-06-26, + # one-off `--config.minimum-release-age=0` bypass (published 2026-06-26, # matures 2026-07-04) per SKILL.md, instead of a minimumReleaseAgeExclude # entry. 'js-yaml@<3.15.0': '3.15.0' diff --git a/skills/stash-supply-chain-security/SKILL.md b/skills/stash-supply-chain-security/SKILL.md index 31b14ada..10f9c96f 100644 --- a/skills/stash-supply-chain-security/SKILL.md +++ b/skills/stash-supply-chain-security/SKILL.md @@ -140,10 +140,11 @@ When CVE response needs a patch faster than 7 days: run can only admit that one release. 2. Run a one-off install with the cooldown disabled for that single run (pnpm ≥ 10 has no dedicated flag; the CLI config override is the one-off - equivalent and does not persist): + equivalent and does not persist — kebab-case is the canonical form, + though pnpm 10.x accepts the camelCase spelling too): ```bash -pnpm install --config.minimumReleaseAge=0 +pnpm install --config.minimum-release-age=0 ``` Once the patched version is in `pnpm-lock.yaml`, normal and From 17f474556c38e7e04e22ad90eaa6529f64f8f245 Mon Sep 17 00:00:00 2001 From: Dan Draper Date: Fri, 3 Jul 2026 22:55:29 +1000 Subject: [PATCH 4/4] chore: add changeset for wizard's @anthropic-ai/sdk security pin MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Copilot review on #545 correctly noted the new direct dependency changes @cipherstash/wizard's published manifest, which per AGENTS.md needs a changeset. Patch bump — peer-resolution pin only, no behaviour change. --- .changeset/wizard-anthropic-sdk-security-pin.md | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 .changeset/wizard-anthropic-sdk-security-pin.md 
diff --git a/.changeset/wizard-anthropic-sdk-security-pin.md b/.changeset/wizard-anthropic-sdk-security-pin.md
new file mode 100644
index 00000000..f6b9985f
--- /dev/null
+++ b/.changeset/wizard-anthropic-sdk-security-pin.md
@@ -0,0 +1,9 @@
+---
+"@cipherstash/wizard": patch
+---
+
+Add `@anthropic-ai/sdk` `^0.106.0` as a direct dependency so the
+auto-installed peer of `@anthropic-ai/claude-agent-sdk` resolves to a release
+patched against GHSA-p7fg-763f-g4gf, instead of the vulnerable 0.81.0 the
+peer range alone would select. The wizard never imports the SDK directly —
+this is a peer-resolution pin only; no behaviour change.