fix(deps): resolve undici and yauzl security vulnerabilities #1768

greptile-apps · 2026-03-13T21:02:43Z

devalue CVE not documented in PR description

A devalue@<5.6.4: ^5.6.4 override was added (fixing GHSA-vh2x-4mhp-swfc — prototype pollution via __defineGetter__) but the PR description only lists the three undici and yauzl advisories. This makes the audit trail incomplete. Consider adding the devalue advisory to the summary so it is tracked alongside the others.

greptile-apps · 2026-03-13T21:02:42Z

yauzl major-version override may silently break extract-zip

The override yauzl@<3.2.1: ^3.2.1 forces extract-zip@2.0.1 — which declares "yauzl": "^2.10.0" in its own package.json — to run against yauzl@3.2.1. This is a major version boundary crossing, not a patch-level fix.

yauzl@3.x rewrote the public API from callback-style to async-iteration/Promise-based. extract-zip@2.0.1 calls the v2 callback API:

yauzl.open(zipPath, { lazyEntries: true }, (err, zipfile) => { … })

In yauzl@3.x the third argument is no longer a callback, so the callback is never invoked and no error is raised — extract-zip silently hangs or produces no output. The pnpm lock confirms extract-zip@2.0.1 is now linked to yauzl@3.2.1 (see snapshot at line 14751 of pnpm-lock.yaml).

extract-zip is a transitive runtime dep of @iconify/tools (used by astro-icon at build time). A broken extract-zip would cause icon-font/archive extraction to fail silently during the build.

The only safe remediation paths are:

Override extract-zip to a version that declares "yauzl": "^3.x" (none published yet as of extract-zip@2.0.1 being latest), or

Accept the CVE risk for yauzl as a build-time-only tool with no production network exposure, and document it.

CI is also unchecked in the PR description, which is worth confirming before merging.

coderabbitai · 2026-03-13T21:03:08Z

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash set -euo pipefail lockfile="$(fd -HI '^pnpm-lock\.yaml$' | head -n1)" if [ -z "${lockfile:-}" ]; then echo "pnpm-lock.yaml not found" exit 1 fi python - <<'PY' import re, sys from pathlib import Path from glob import glob locks = glob("**/pnpm-lock.yaml", recursive=True) if not locks: print("pnpm-lock.yaml not found") sys.exit(1) text = Path(locks[0]).read_text(encoding="utf-8", errors="ignore") bad = [] def tup(v): return tuple(int(x) for x in v.split(".")) for v in re.findall(r"/undici@(\d+\.\d+\.\d+)", text): t = tup(v) if (t[0] == 6 and t < (6, 24, 0)) or (t[0] == 7 and t < (7, 24, 0)): bad.append(("undici", v)) for v in re.findall(r"/yauzl@(\d+\.\d+\.\d+)", text): if tup(v) < (3, 2, 1): bad.append(("yauzl", v)) for v in re.findall(r"/devalue@(\d+\.\d+\.\d+)", text): if tup(v) < (5, 6, 4): bad.append(("devalue", v)) if bad: print("Found vulnerable resolved versions:", bad) sys.exit(2) print("No vulnerable resolved versions found for the checked packages.") PY

Repository: namehash/ensnode

Length of output: 138

Lockfile not regenerated after overrides—critical vulnerability remains unresolved.

The overrides in package.json are syntactically correct, but pnpm-lock.yaml still contains vulnerable versions: yauzl@2.10.3 (override requires ≥3.2.1). After adding these overrides, regenerate the lockfile with pnpm install to ensure all dependencies resolve to patched versions.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed. In `@package.json` around lines 51 - 55, The package.json overrides (e.g., the "yauzl@<3.2.1": "^3.2.1" entry) were added but the pnpm lockfile wasn't regenerated, so vulnerable versions (like yauzl@2.10.3) remain; regenerate the lockfile by running pnpm install (or pnpm install --lockfile-only) locally or in CI so pnpm-lock.yaml reflects the override and resolves transitive deps to the patched versions, then commit the updated pnpm-lock.yaml.

-Original file line number
+Diff line change
@@ Expand Up / @@ -49,7 +49,10 @@ @@
           "rollup@>=4.0.0 <4.59.0": ">=4.59.0",
           "svgo@>=3.0.0 <3.3.3": "^3.3.3",
           "ponder>@hono/node-server@<1.19.10": "^1.19.10",
-          "devalue@<5.6.4": "^5.6.4"
+          "devalue@<5.6.4": "^5.6.4",
+          "undici@>=7.0.0 <7.24.0": "^7.24.0",
+          "undici@>=6.0.0 <6.24.0": "^6.24.0",
+          "yauzl@<3.2.1": "^3.2.1"
         },
         "ignoredBuiltDependencies": [
           "bun"
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(deps): resolve undici and yauzl security vulnerabilities #1768

Uh oh!

Diff view

Diff view

There are no files selected for viewing

greptile-apps bot Mar 13, 2026

Uh oh!

Uh oh!

greptile-apps bot Mar 13, 2026

Uh oh!

coderabbitai bot Mar 13, 2026

Uh oh!

Uh oh!

Uh oh!

fix(deps): resolve undici and yauzl security vulnerabilities #1768

Uh oh!

fix(deps): resolve undici and yauzl security vulnerabilities #1768

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing

greptile-apps bot Mar 13, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

greptile-apps bot Mar 13, 2026

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Mar 13, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!