
deps: resolve vulnerabilities in 11.0.0#3519

Draft
eablack wants to merge 6 commits into v11.0.0 from eb/resolve-vulnerabilities-in-11.0.0

Conversation


@eablack eablack commented Feb 6, 2026

Summary

This targets specific updates to address vulnerabilities in v11.0.0 found in npm audit.

Type of Change

Breaking Changes (major semver update)

  • Add a ! after your change type to denote a change that breaks current behavior

Feature Additions (minor semver update)

  • feat: Introduces a new feature to the codebase

Patch Updates (patch semver update)

  • fix: Bug fix
  • deps: Dependency upgrade
  • revert: Revert a previous commit
  • chore: Change that does not affect production code
  • refactor: Refactoring existing code without changing behavior
  • test: Add/update/remove tests

Testing

Notes:

Steps:

  1. Replace this text with a list of steps used to validate changes or type 'Passing CI suffices'.
  2. ...

Screenshots (if applicable)

Related Issues

GitHub issue: #[GitHub issue number]
GUS work item: [WI number](WI link)

…ak vulnerability

Updates @modelcontextprotocol/sdk to version >=1.26.0 to address GHSA-345p-7cg4-v4c7,
which prevented cross-client data leaks via shared server/transport instance reuse.
Updates brace-expansion to version >=2.0.2 to address GHSA-v6h2-p8h4-qcjw,
which fixes a Regular Expression Denial of Service vulnerability.
…rabilities

Runs npm audit fix to automatically update fast-xml-parser (>=5.3.4) to address
GHSA-37qj-frw5-hhjh (RangeError DoS) and js-yaml (>=4.1.1) to address
GHSA-mh29-5h37-fv8m (prototype pollution in merge).
Updates sinon from v19 to v21, which includes diff v9, addressing GHSA-73rr-hh4g-fpgx
(Denial of Service vulnerability in parsePatch and applyPatch).
The @heroku/mcp-server package's exports field doesn't define a main entry,
causing import.meta.resolve to fail. Updated to use a direct path to the
bin file instead. Also updated the corresponding test to match.
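As an added example (not code from this PR or the repository), a lockfile check that confirms every installed copy of the packages named in the commits above meets the stated floors. It also covers copies nested under another dependency's own node_modules, which matters here because diff v9 arrives through sinon; the diff floor of 9.0.0 is taken from "diff v9", and the lockfile content is constructed for the example.

```javascript
// Minimum versions stated in the commit messages (GHSA id per package).
const MIN_VERSIONS = {
  '@modelcontextprotocol/sdk': '1.26.0', // GHSA-345p-7cg4-v4c7
  'brace-expansion': '2.0.2',            // GHSA-v6h2-p8h4-qcjw
  'fast-xml-parser': '5.3.4',            // GHSA-37qj-frw5-hhjh
  'js-yaml': '4.1.1',                    // GHSA-mh29-5h37-fv8m
  'diff': '9.0.0',                       // GHSA-73rr-hh4g-fpgx (pulled in by sinon)
};

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// True when installed >= floor. A prerelease of the floor itself (4.1.1-rc.1)
// is still below 4.1.1 and must not pass.
function satisfiesFloor(installed, floor) {
  const a = parseVersion(installed), b = parseVersion(floor);
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] > b.nums[i];
  }
  return a.pre === null;
}

// Package name from a lockfile path: everything after the last "node_modules/",
// which keeps scoped names and nested copies ("node_modules/sinon/node_modules/diff") right.
function packageName(lockPath) {
  return lockPath.slice(lockPath.lastIndexOf('node_modules/') + 'node_modules/'.length);
}

// Walk the "packages" map of a v2/v3 package-lock.json and report every copy
// that is still below its floor, top-level or nested.
function findBelowFloor(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    const floor = MIN_VERSIONS[packageName(path)];
    if (floor && !satisfiesFloor(entry.version, floor)) {
      findings.push({ path, installed: entry.version, required: floor });
    }
  }
  return findings;
}

// Constructed lockfile fragment: the top-level diff is fixed, the copy nested under sinon is not.
const SAMPLE_LOCK = { packages: {
  '': { name: 'example-app' },
  'node_modules/js-yaml': { version: '4.1.1' },
  'node_modules/diff': { version: '9.0.0' },
  'node_modules/sinon/node_modules/diff': { version: '5.2.0' },
  'node_modules/@modelcontextprotocol/sdk': { version: '1.26.0' },
} };
```

Running `findBelowFloor(SAMPLE_LOCK)` reports only the nested diff copy, which is the case a top-level-only `npm ls` glance misses.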
@eablack eablack temporarily deployed to AcceptanceTests February 6, 2026 23:07 — with GitHub Actions Inactive
@eablack eablack changed the title from "Eb/resolve vulnerabilities in 11.0.0" to "deps: resolve vulnerabilities in 11.0.0" Feb 6, 2026