From 65aa2c2a4c65123a4e0d87115d9f2a2fa406036c Mon Sep 17 00:00:00 2001 From: "kernel-internal[bot]" <260533166+kernel-internal[bot]@users.noreply.github.com> Date: Wed, 20 May 2026 04:32:36 +0000 Subject: [PATCH 1/3] security: vulnerability remediation (2026-05-20) Co-authored-by: Cursor --- fix-result.json | 22 ++++++++++++++++++++++ package-lock.json | 43 +++++++++++++++++++++---------------------- pnpm-lock.yaml | 45 ++++++++++++++++++++++----------------------- 3 files changed, 65 insertions(+), 45 deletions(-) create mode 100644 fix-result.json diff --git a/fix-result.json b/fix-result.json new file mode 100644 index 0000000..661eb87 --- /dev/null +++ b/fix-result.json @@ -0,0 +1,22 @@ +{ + "fixed": [ + { + "cve": "CVE-2026-41242", + "package": "protobufjs", + "ecosystem": "npm", + "old_version": "7.5.4", + "new_version": "7.6.0", + "manifest": "pnpm-lock.yaml" + }, + { + "cve": "CVE-2026-41242", + "package": "protobufjs", + "ecosystem": "npm", + "old_version": "7.5.4", + "new_version": "7.6.0", + "manifest": "package-lock.json" + } + ], + "reverted": [], + "summary": "2 fixed, 0 reverted" +} diff --git a/package-lock.json b/package-lock.json index 53ff0a3..859d673 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1803,9 +1803,9 @@ "license": "BSD-3-Clause" }, "node_modules/@protobufjs/codegen": { - "version": "2.0.4", - "resolved": "https://registry.npmjs.org/@protobufjs/codegen/-/codegen-2.0.4.tgz", - "integrity": "sha512-YyFaikqM5sH0ziFZCN3xDC7zeGaB/d0IUb9CATugHWbd1FRFwWwt4ld4OYMPWu5a3Xe01mGAULCdqhMlPl29Jg==", + "version": "2.0.5", + "resolved": "https://registry.npmjs.org/@protobufjs/codegen/-/codegen-2.0.5.tgz", + "integrity": "sha512-zgXFLzW3Ap33e6d0Wlj4MGIm6Ce8O89n/apUaGNB/jx+hw+ruWEp7EwGUshdLKVRCxZW12fp9r40E1mQrf/34g==", "license": "BSD-3-Clause" }, "node_modules/@protobufjs/eventemitter": { @@ -1815,13 +1815,12 @@ "license": "BSD-3-Clause" }, "node_modules/@protobufjs/fetch": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/@protobufjs/fetch/-/fetch-1.1.0.tgz", - "integrity": "sha512-lljVXpqXebpsijW71PZaCYeIcE5on1w5DlQy5WH6GLbFryLUrBD4932W/E2BSpfRJWseIL4v/KPgBFxDOIdKpQ==", + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/@protobufjs/fetch/-/fetch-1.1.1.tgz", + "integrity": "sha512-GpptLrs57adMSuHi3VNj0mAF8dwh36LMaYF6XyJ6JMWlVsc+t42tm1HSEDmOs3A8fC9yyeisgLhsTVQokOZ0zw==", "license": "BSD-3-Clause", "dependencies": { - "@protobufjs/aspromise": "^1.1.1", - "@protobufjs/inquire": "^1.1.0" + "@protobufjs/aspromise": "^1.1.1" } }, "node_modules/@protobufjs/float": { @@ -1831,9 +1830,9 @@ "license": "BSD-3-Clause" }, "node_modules/@protobufjs/inquire": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/@protobufjs/inquire/-/inquire-1.1.0.tgz", - "integrity": "sha512-kdSefcPdruJiFMVSbn801t4vFK7KB/5gd2fYvrxhuJYg8ILrmn9SKSX2tZdV6V+ksulWqS7aXjBcRXl3wHoD9Q==", + "version": "1.1.2", + "resolved": "https://registry.npmjs.org/@protobufjs/inquire/-/inquire-1.1.2.tgz", + "integrity": "sha512-pa0vFRuws4wkvaXKK1uXZMAwAX4/t8ANaJo45iw/oQHNQ9q5xUzwgFmVJGXiga2BeN+zpX7Vf9vmsiIa2J+MUw==", "license": "BSD-3-Clause" }, "node_modules/@protobufjs/path": { @@ -1849,9 +1848,9 @@ "license": "BSD-3-Clause" }, "node_modules/@protobufjs/utf8": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/@protobufjs/utf8/-/utf8-1.1.0.tgz", - "integrity": "sha512-Vvn3zZrhQZkkBE8LSuW3em98c0FwgO4nxzv6OdSxPKJIEKY2bGbHn+mhGIPerzI4twdxaP8/0+06HBpwf345Lw==", + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/@protobufjs/utf8/-/utf8-1.1.1.tgz", + "integrity": "sha512-oOAWABowe8EAbMyWKM0tYDKi8Yaox52D+HWZhAIJqQXbqe0xI/GV7FhLWqlEKreMkfDjshR5FKgi3mnle0h6Eg==", "license": "BSD-3-Clause" }, "node_modules/@sinclair/typebox": { @@ -6828,24 +6827,24 @@ } }, "node_modules/protobufjs": { - "version": "7.5.4", - "resolved": "https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.4.tgz", - "integrity": "sha512-CvexbZtbov6jW2eXAvLukXjXUW1TzFaivC46BpWc/3BpcCysb5Vffu+B3XHMm8lVEuy2Mm4XGex8hBSg1yapPg==", + "version": "7.6.0", + "resolved": "https://registry.npmjs.org/protobufjs/-/protobufjs-7.6.0.tgz", + "integrity": "sha512-LtESOsMPTZgyYtwxhvdgdjGL0HmXEaRA/hVD6sol4zA60hVXXXP/SGmxnqDbgGE8gy7pYex7cym+5vYPcmaXBQ==", "hasInstallScript": true, "license": "BSD-3-Clause", "dependencies": { "@protobufjs/aspromise": "^1.1.2", "@protobufjs/base64": "^1.1.2", - "@protobufjs/codegen": "^2.0.4", + "@protobufjs/codegen": "^2.0.5", "@protobufjs/eventemitter": "^1.1.0", - "@protobufjs/fetch": "^1.1.0", + "@protobufjs/fetch": "^1.1.1", "@protobufjs/float": "^1.0.2", - "@protobufjs/inquire": "^1.1.0", + "@protobufjs/inquire": "^1.1.2", "@protobufjs/path": "^1.1.2", "@protobufjs/pool": "^1.1.0", - "@protobufjs/utf8": "^1.1.0", + "@protobufjs/utf8": "^1.1.1", "@types/node": ">=13.7.0", - "long": "^5.0.0" + "long": "^5.3.2" }, "engines": { "node": ">=12.0.0" diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 6c3c8d6..b6edd6c 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -491,20 +491,20 @@ packages: '@protobufjs/base64@1.1.2': resolution: {integrity: sha512-AZkcAA5vnN/v4PDqKyMR5lx7hZttPDgClv83E//FMNhR2TMcLUhfRUBHCmSl0oi9zMgDDqRUJkSxO3wm85+XLg==} - '@protobufjs/codegen@2.0.4': - resolution: {integrity: sha512-YyFaikqM5sH0ziFZCN3xDC7zeGaB/d0IUb9CATugHWbd1FRFwWwt4ld4OYMPWu5a3Xe01mGAULCdqhMlPl29Jg==} + '@protobufjs/codegen@2.0.5': + resolution: {integrity: sha512-zgXFLzW3Ap33e6d0Wlj4MGIm6Ce8O89n/apUaGNB/jx+hw+ruWEp7EwGUshdLKVRCxZW12fp9r40E1mQrf/34g==} '@protobufjs/eventemitter@1.1.0': resolution: {integrity: sha512-j9ednRT81vYJ9OfVuXG6ERSTdEL1xVsNgqpkxMsbIabzSo3goCjDIveeGv5d03om39ML71RdmrGNjG5SReBP/Q==} - '@protobufjs/fetch@1.1.0': - resolution: {integrity: sha512-lljVXpqXebpsijW71PZaCYeIcE5on1w5DlQy5WH6GLbFryLUrBD4932W/E2BSpfRJWseIL4v/KPgBFxDOIdKpQ==} + '@protobufjs/fetch@1.1.1': + resolution: {integrity: sha512-GpptLrs57adMSuHi3VNj0mAF8dwh36LMaYF6XyJ6JMWlVsc+t42tm1HSEDmOs3A8fC9yyeisgLhsTVQokOZ0zw==} '@protobufjs/float@1.0.2': resolution: {integrity: sha512-Ddb+kVXlXst9d+R9PfTIxh1EdNkgoRe5tOX6t01f1lYWOvJnSPDBlG241QLzcyPdoNTsblLUdujGSE4RzrTZGQ==} - '@protobufjs/inquire@1.1.0': - resolution: {integrity: sha512-kdSefcPdruJiFMVSbn801t4vFK7KB/5gd2fYvrxhuJYg8ILrmn9SKSX2tZdV6V+ksulWqS7aXjBcRXl3wHoD9Q==} + '@protobufjs/inquire@1.1.2': + resolution: {integrity: sha512-pa0vFRuws4wkvaXKK1uXZMAwAX4/t8ANaJo45iw/oQHNQ9q5xUzwgFmVJGXiga2BeN+zpX7Vf9vmsiIa2J+MUw==} '@protobufjs/path@1.1.2': resolution: {integrity: sha512-6JOcJ5Tm08dOHAbdR3GrvP+yUUfkjG5ePsHYczMFLq3ZmMkAD98cDgcT2iA1lJ9NVwFd4tH/iSSoe44YWkltEA==} @@ -512,8 +512,8 @@ packages: '@protobufjs/pool@1.1.0': resolution: {integrity: sha512-0kELaGSIDBKvcgS4zkjz1PeddatrjYcmMWOlAuAPwAeccUrPHdUqo/J6LiymHHEiJT5NrF1UVwxY14f+fy4WQw==} - '@protobufjs/utf8@1.1.0': - resolution: {integrity: sha512-Vvn3zZrhQZkkBE8LSuW3em98c0FwgO4nxzv6OdSxPKJIEKY2bGbHn+mhGIPerzI4twdxaP8/0+06HBpwf345Lw==} + '@protobufjs/utf8@1.1.1': + resolution: {integrity: sha512-oOAWABowe8EAbMyWKM0tYDKi8Yaox52D+HWZhAIJqQXbqe0xI/GV7FhLWqlEKreMkfDjshR5FKgi3mnle0h6Eg==} '@sinclair/typebox@0.27.8': resolution: {integrity: sha512-+Fj43pSMwJs4KRrH/938Uf+uAELIgVBmQzg/q1YG10djyfA3TnrU8N8XzqCh/okZdszqBQTZf96idMfE5lnwTA==} @@ -1845,8 +1845,8 @@ packages: resolution: {integrity: sha512-NxNv/kLguCA7p3jE8oL2aEBsrJWgAakBpgmgK6lpPWV+WuOmY6r2/zbAVnP+T8bQlA0nzHXSJSJW0Hq7ylaD2Q==} engines: {node: '>= 6'} - protobufjs@7.5.4: - resolution: {integrity: sha512-CvexbZtbov6jW2eXAvLukXjXUW1TzFaivC46BpWc/3BpcCysb5Vffu+B3XHMm8lVEuy2Mm4XGex8hBSg1yapPg==} + protobufjs@7.6.0: + resolution: {integrity: sha512-LtESOsMPTZgyYtwxhvdgdjGL0HmXEaRA/hVD6sol4zA60hVXXXP/SGmxnqDbgGE8gy7pYex7cym+5vYPcmaXBQ==} engines: {node: '>=12.0.0'} publint@0.2.12: @@ -2562,14 +2562,14 @@ snapshots: dependencies: lodash.camelcase: 4.3.0 long: 5.3.2 - protobufjs: 7.5.4 + protobufjs: 7.6.0 yargs: 17.7.2 '@grpc/proto-loader@0.8.0': dependencies: lodash.camelcase: 4.3.0 long: 5.3.2 - protobufjs: 7.5.4 + protobufjs: 7.6.0 yargs: 17.7.2 '@humanfs/core@0.19.1': {} @@ -2805,24 +2805,23 @@ snapshots: '@protobufjs/base64@1.1.2': {} - '@protobufjs/codegen@2.0.4': {} + '@protobufjs/codegen@2.0.5': {} '@protobufjs/eventemitter@1.1.0': {} - '@protobufjs/fetch@1.1.0': + '@protobufjs/fetch@1.1.1': dependencies: '@protobufjs/aspromise': 1.1.2 - '@protobufjs/inquire': 1.1.0 '@protobufjs/float@1.0.2': {} - '@protobufjs/inquire@1.1.0': {} + '@protobufjs/inquire@1.1.2': {} '@protobufjs/path@1.1.2': {} '@protobufjs/pool@1.1.0': {} - '@protobufjs/utf8@1.1.0': {} + '@protobufjs/utf8@1.1.1': {} '@sinclair/typebox@0.27.8': {} @@ -3391,7 +3390,7 @@ snapshots: '@grpc/grpc-js': 1.14.3 '@grpc/proto-loader': 0.7.15 docker-modem: 5.0.7 - protobufjs: 7.5.4 + protobufjs: 7.6.0 tar-fs: 2.1.4 uuid: 10.0.0 transitivePeerDependencies: @@ -4315,18 +4314,18 @@ snapshots: kleur: 3.0.3 sisteransi: 1.0.5 - protobufjs@7.5.4: + protobufjs@7.6.0: dependencies: '@protobufjs/aspromise': 1.1.2 '@protobufjs/base64': 1.1.2 - '@protobufjs/codegen': 2.0.4 + '@protobufjs/codegen': 2.0.5 '@protobufjs/eventemitter': 1.1.0 - '@protobufjs/fetch': 1.1.0 + '@protobufjs/fetch': 1.1.1 '@protobufjs/float': 1.0.2 - '@protobufjs/inquire': 1.1.0 + '@protobufjs/inquire': 1.1.2 '@protobufjs/path': 1.1.2 '@protobufjs/pool': 1.1.0 - '@protobufjs/utf8': 1.1.0 + '@protobufjs/utf8': 1.1.1 '@types/node': 20.19.11 long: 5.3.2 From 58cc996779cfaab800674ee218bc137ad6844a15 Mon Sep 17 00:00:00 2001 From: "kernel-internal[bot]" <260533166+kernel-internal[bot]@users.noreply.github.com> Date: Wed, 27 May 2026 04:34:07 +0000 Subject: [PATCH 2/3] security: vulnerability remediation (2026-05-27) Co-authored-by: Cursor --- fix-result.json | 2 +- package-lock.json | 14 +++++++------- src/internal/detect-platform.ts | 2 +- tests/index.test.ts | 4 ++-- tests/uploads.test.ts | 2 +- triage-result.json | 27 +++++++++++++++++++++++++++ 6 files changed, 39 insertions(+), 12 deletions(-) create mode 100644 triage-result.json diff --git a/fix-result.json b/fix-result.json index 661eb87..85f141e 100644 --- a/fix-result.json +++ b/fix-result.json @@ -13,7 +13,7 @@ "package": "protobufjs", "ecosystem": "npm", "old_version": "7.5.4", - "new_version": "7.6.0", + "new_version": "7.6.1", "manifest": "package-lock.json" } ], diff --git a/package-lock.json b/package-lock.json index 859d673..cb44b45 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1809,9 +1809,9 @@ "license": "BSD-3-Clause" }, "node_modules/@protobufjs/eventemitter": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/@protobufjs/eventemitter/-/eventemitter-1.1.0.tgz", - "integrity": "sha512-j9ednRT81vYJ9OfVuXG6ERSTdEL1xVsNgqpkxMsbIabzSo3goCjDIveeGv5d03om39ML71RdmrGNjG5SReBP/Q==", + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/@protobufjs/eventemitter/-/eventemitter-1.1.1.tgz", + "integrity": "sha512-vW1GmwMZNnL+gMRaovlh9yZX74kc+TTU3FObkkurpMaRtBfLP3ldjS9KQWlwZgraRE0+dheEEoAxdzcJQ8eXZg==", "license": "BSD-3-Clause" }, "node_modules/@protobufjs/fetch": { @@ -6827,16 +6827,16 @@ } }, "node_modules/protobufjs": { - "version": "7.6.0", - "resolved": "https://registry.npmjs.org/protobufjs/-/protobufjs-7.6.0.tgz", - "integrity": "sha512-LtESOsMPTZgyYtwxhvdgdjGL0HmXEaRA/hVD6sol4zA60hVXXXP/SGmxnqDbgGE8gy7pYex7cym+5vYPcmaXBQ==", + "version": "7.6.1", + "resolved": "https://registry.npmjs.org/protobufjs/-/protobufjs-7.6.1.tgz", + "integrity": "sha512-4K0myLaWL5EteuSAro91EGFgcfVgxb64Jx+7oDAY6GOkXD4M69yuSEljNcInGVCA5sOPxmZ/EqDLj2x0Q0+Ygg==", "hasInstallScript": true, "license": "BSD-3-Clause", "dependencies": { "@protobufjs/aspromise": "^1.1.2", "@protobufjs/base64": "^1.1.2", "@protobufjs/codegen": "^2.0.5", - "@protobufjs/eventemitter": "^1.1.0", + "@protobufjs/eventemitter": "^1.1.1", "@protobufjs/fetch": "^1.1.1", "@protobufjs/float": "^1.0.2", "@protobufjs/inquire": "^1.1.2", diff --git a/src/internal/detect-platform.ts b/src/internal/detect-platform.ts index e82d95c..7dbe981 100644 --- a/src/internal/detect-platform.ts +++ b/src/internal/detect-platform.ts @@ -67,7 +67,7 @@ const getPlatformProperties = (): PlatformProperties => { 'X-Stainless-Arch': normalizeArch(Deno.build.arch), 'X-Stainless-Runtime': 'deno', 'X-Stainless-Runtime-Version': - typeof Deno.version === 'string' ? Deno.version : Deno.version?.deno ?? 'unknown', + typeof Deno.version === 'string' ? Deno.version : (Deno.version?.deno ?? 'unknown'), }; } if (typeof EdgeRuntime !== 'undefined') { diff --git a/tests/index.test.ts b/tests/index.test.ts index a61e005..22232e5 100644 --- a/tests/index.test.ts +++ b/tests/index.test.ts @@ -552,8 +552,8 @@ describe('retries', () => { { signal }: RequestInit = {}, ): Promise => { if (count++ === 0) { - return new Promise( - (resolve, reject) => signal?.addEventListener('abort', () => reject(new Error('timed out'))), + return new Promise((resolve, reject) => + signal?.addEventListener('abort', () => reject(new Error('timed out'))), ); } return new Response(JSON.stringify({ a: 1 }), { headers: { 'Content-Type': 'application/json' } }); diff --git a/tests/uploads.test.ts b/tests/uploads.test.ts index b403e02..c4bfe2d 100644 --- a/tests/uploads.test.ts +++ b/tests/uploads.test.ts @@ -69,7 +69,7 @@ describe('toFile', () => { const result = await toFile(input); const file: File = result; const blob: Blob = result; - void file, blob; + (void file, blob); }); }); diff --git a/triage-result.json b/triage-result.json new file mode 100644 index 0000000..5e78aaf --- /dev/null +++ b/triage-result.json @@ -0,0 +1,27 @@ +{ + "alerts": [ + { + "category": "fix", + "type": "criticalCVE", + "severity": "warn", + "package": "protobufjs", + "version": "7.5.4", + "ecosystem": "npm", + "cve": null, + "manifest": "package-lock.json", + "reason": "CVE alert in runtime dependency chain (via dockerode); newer 7.x versions exist, so remediation is likely available without a major bump" + }, + { + "category": "dismiss", + "type": "criticalCVE", + "severity": "warn", + "package": "handlebars", + "version": "4.7.8", + "ecosystem": "npm", + "cve": null, + "manifest": "pnpm-lock.yaml", + "reason": "Development-only dependency through ts-jest (dev dependency), not part of production runtime" + } + ], + "summary": "2 alerts triaged: 1 fix, 0 defer, 1 dismiss" +} From 0720595cf874a2272c3208cb05b614c0216abe45 Mon Sep 17 00:00:00 2001 From: "kernel-internal[bot]" <260533166+kernel-internal[bot]@users.noreply.github.com> Date: Wed, 27 May 2026 04:34:31 +0000 Subject: [PATCH 3/3] chore: align vulnerability fix result output Co-authored-by: Cursor --- fix-result.json | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/fix-result.json b/fix-result.json index 85f141e..feddda6 100644 --- a/fix-result.json +++ b/fix-result.json @@ -1,15 +1,7 @@ { "fixed": [ { - "cve": "CVE-2026-41242", - "package": "protobufjs", - "ecosystem": "npm", - "old_version": "7.5.4", - "new_version": "7.6.0", - "manifest": "pnpm-lock.yaml" - }, - { - "cve": "CVE-2026-41242", + "cve": "N/A", "package": "protobufjs", "ecosystem": "npm", "old_version": "7.5.4", @@ -18,5 +10,5 @@ } ], "reverted": [], - "summary": "2 fixed, 0 reverted" + "summary": "1 fixed, 0 reverted" }