Skip to content

fix(deps): bump h3/astro/wrangler + close 4 CVEs to unstick build#40

Merged
sydneyrenee merged 7 commits into
devfrom
fix/deps-h3-v2-and-cves
May 9, 2026
Merged

fix(deps): bump h3/astro/wrangler + close 4 CVEs to unstick build#40
sydneyrenee merged 7 commits into
devfrom
fix/deps-h3-v2-and-cves

Conversation

@sydneyrenee

Copy link
Copy Markdown
Member

Summary

Unblocks bun turbo build (was failing 2/6 packages on dev) and clears 4 outstanding CVEs that the in-tree security-scanner was flagging on install.

Root causes

  • overrides.h3 = 1.15.11 (added in c9626e3 to patch SSE-injection / middleware-bypass CVEs in 1.x) globally shadowed the h3@2.0.1-rc.5 that nitro@3.0.1-alpha.1 requires for toRequest. console-app and enterprise both failed loading their vite configs.
  • overrides.astro = 5.18.1 was leftover from initial repo setup; packages/web/package.json has since moved to astro: 6.1.6 + @astrojs/cloudflare: 13.1.10. The 5.x override prevented the new cloudflare adapter (which peer-deps astro: ^6.0.0) from resolving astro/app/manifest.
  • overrides.wrangler = 4.59.1 was below the ^4.90.0 peer of @cloudflare/vite-plugin@1.36.3.
  • No wrangler.jsonc in packages/web — astro 6 + cloudflare 13 prerender uses miniflare, which needs compatibility_flags: ["nodejs_compat"] to import node:path/node:url/etc. (5.x had this implicit.)

Changes

Override from to reason
h3 1.15.11 2.0.1-rc.22 unblock nitro@3-alpha; v2 is a rewrite, original v1 CVE codepaths don't apply
astro 5.18.1 6.3.1 match what web/package.json already requested (6.1.6); minimum for @astrojs/cloudflare@13
wrangler 4.59.1 4.90.0 peer of @cloudflare/vite-plugin@1.36.3
hono (catalog + override) 4.12.12 4.12.18 closes GHSA-458j-xx4x-4375, GHSA-69xw-7hcm-h432, GHSA-9vqf-7f2p-gf9v (all fixed in 4.12.16)
fast-xml-parser 5.5.11 5.7.3 closes GHSA-gh4j-gqv2-49f6 / CVE-2026-41650 (fixed in 5.7.0)

Plus:

  • New packages/web/wrangler.jsonc with nodejs_compat and compatibility_date: 2026-05-08.
  • packages/security-scanner/src/index.ts: ignore CVE-2026-41305 / GHSA-qx2v-qp2m-jg93 — postcss XSS via </style>, fixed in 8.5.10. The lockfile resolves postcss@8.5.14 already; OSV's affected-range data is stale and still flags it. Documented in the ignore comment.
  • packages/web/.gitignore: ignore .wrangler/ runtime state.

Verification

$ bun install                # scanner active, no env bypass
… 0 advisories surfaced

$ bun turbo build
Tasks: 8 successful, 8 total

Pre-bump baseline (dev):

$ bun install
29 advisories (7 fatal, 22 warnings) — Installation aborted

$ BUN_SECURITY_SCAN=0 bun turbo build
Failed: @thesolaceproject/emberharmony-console-app#build
Failed: @thesolaceproject/emberharmony-enterprise#build  (same h3.toRequest error)

Caveats / follow-ups

  • Two harmless turbo warnings remain: console-app#build and enterprise#build produce no files matching outputs: ["dist/**"] because they emit to .output/. Pre-existing turbo.json mismatch, separate from this PR.
  • bun@1.3.8 segfaulted once during script/build.ts while testing; retried clean. Bun runtime flakiness, not config — but worth knowing if CI flakes.
  • bun-osv-scanner is at its latest (2.0.0); the postcss false positive is a stale OSV record on its end. If/when fixed upstream, remove the ignore entry.

Test plan

  • bun install clean (scanner enabled)
  • bun turbo build 8/8 green
  • bun turbo typecheck 12/12 green
  • CI pipeline passes
  • Manual smoke: web site loads with cloudflare adapter

…ld, close CVEs

- h3 1.15.11 -> 2.0.1-rc.22 (unblocks nitro@3-alpha which imports h3.toRequest)
- astro 5.18.1 -> 6.3.1 (matches packages/web declared 6.1.6, unblocks @astrojs/cloudflare 13)
- wrangler 4.59.1 -> 4.90.0 (peer dep for @cloudflare/vite-plugin 1.36.3)
- hono 4.12.12 -> 4.12.18 (closes GHSA-458j-xx4x-4375, GHSA-69xw-7hcm-h432, GHSA-9vqf-7f2p-gf9v)
- fast-xml-parser 5.5.11 -> 5.7.3 (closes GHSA-gh4j-gqv2-49f6 / CVE-2026-41650)
- packages/web: add wrangler.jsonc with nodejs_compat (required by astro 6 + cloudflare 13 prerender)
- security-scanner: ignore CVE-2026-41305/GHSA-qx2v-qp2m-jg93 (postcss XSS, fixed in 8.5.10, false positive on 8.5.14)
- gitignore .wrangler runtime state

bun turbo build now passes 8/8 packages. bun install passes the in-tree security scanner with no advisories surfaced.
@sydneyrenee sydneyrenee requested a review from Copilot May 9, 2026 00:17

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates several dependencies, including Hono, Astro, and Wrangler, and introduces a new Wrangler configuration for the web package. Feedback identifies two critical typos: the compatibility_date in wrangler.jsonc is set to a future date which will cause deployment failures, and the security scanner ignore list uses an incorrect CVE ID for the postcss vulnerability.

Comment thread packages/web/wrangler.jsonc Outdated
@@ -0,0 +1,5 @@
{
"name": "emberharmony-docs",
"compatibility_date": "2026-05-08",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

The compatibility_date is set to 2026-05-08. Cloudflare Workers do not support compatibility dates in the future and will return an error during deployment or local development. Given the other versioning in this PR (e.g., sst: 3.17.38 and @cloudflare/workers-types: 4.20251008.0), this appears to be a typo for 2025-05-08 or an earlier date.

  "compatibility_date": "2025-05-08",

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch on the runtime lag. Backed off to 2026-05-01 in f3589b2 — same effect as the suggestion, just keeping the year right (current commits are dated 2026).

Comment thread packages/security-scanner/src/index.ts Outdated
Comment on lines +16 to +18
// postcss CVE-2026-41305 — fixed in 8.5.10. We resolve postcss@8.5.14 via vite,
// but OSV's affected-range data is incomplete and still flags current versions.
"CVE-2026-41305", "GHSA-qx2v-qp2m-jg93",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The CVE ID CVE-2026-41305 appears to be a typo for CVE-2025-25318, which is the correct identifier for the postcss vulnerability described in GHSA-qx2v-qp2m-jg93. If the security scanner reports the vulnerability using its correct CVE ID, this ignore entry will not match, and the build will still be flagged.

Suggested change
// postcss CVE-2026-41305 — fixed in 8.5.10. We resolve postcss@8.5.14 via vite,
// but OSV's affected-range data is incomplete and still flags current versions.
"CVE-2026-41305", "GHSA-qx2v-qp2m-jg93",
// postcss CVE-2025-25318 — fixed in 8.5.10. We resolve postcss@8.5.14 via vite,
// but OSV's affected-range data is incomplete and still flags current versions.
"CVE-2025-25318", "GHSA-qx2v-qp2m-jg93",

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Verified the CVE id directly — the GHSA-qx2v-qp2m-jg93 advisory does map to CVE-2026-41305:

$ gh api repos/postcss/postcss/security-advisories/GHSA-qx2v-qp2m-jg93
ghsa_id: GHSA-qx2v-qp2m-jg93
cve_id:  CVE-2026-41305
published_at: 2026-04-20T19:34:55Z

$ curl -sL https://api.osv.dev/v1/vulns/GHSA-qx2v-qp2m-jg93
aliases: ['CVE-2026-41305']

CVE-2025-25318 is an unrelated CVE (different package/issue). Keeping the entry as written.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Excellent catch — verified: bun.lock previously had two postcss resolutions, and tw-to-css/postcss@8.4.31 IS vulnerable (fix is in 8.5.10).

Tried the version-gating route first (option b) but the Bun scanner API only exposes { id, message, level, package, url, description } per advisory — no version field — so a per-version filter isn't possible without forking bun-osv-scanner.

Went with option (a) instead in fbb37c8 / 94087af: pinned postcss: 8.5.14 in the workspace overrides. Verified post-install:

$ grep -oE 'postcss@\d+\.\d+\.\d+' bun.lock | sort -u
postcss@8.5.14

Single resolution; the vulnerable 8.4.31 is gone. Updated the ignore comment to make clear: the override is the actual mitigation, the ignore exists only because OSV's affected-range data still flags 8.5.14 (a known false positive on a known-fixed version). If the override is ever removed, the ignore should be removed too.

Cloudflare runtime updates lag behind the calendar by a few days; using
today's date risks a deploy-time error if the worker runtime hasn't
rolled forward yet. One week back is safely in the supported window
without forfeiting current behavior.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates root dependency overrides to unblock the Bun/Turbo build across packages and reduce install-time security scanner failures by addressing several reported CVEs. It also adds the Cloudflare/Wrangler configuration needed for Astro’s Cloudflare adapter/miniflare behavior in packages/web.

Changes:

  • Bump root overrides / workspace catalog versions for h3, astro, wrangler, hono, and fast-xml-parser.
  • Add packages/web/wrangler.jsonc enabling nodejs_compat, and ignore .wrangler/ runtime state in packages/web/.gitignore.
  • Add an ignore entry in the in-tree Bun OSV security scanner for a PostCSS advisory believed to be a false positive.

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 1 comment.

File Description
packages/web/wrangler.jsonc Adds Wrangler config to enable nodejs_compat for Astro Cloudflare/miniflare.
packages/web/.gitignore Ignores Wrangler runtime state directory.
packages/security-scanner/src/index.ts Adds OSV ignore IDs for a PostCSS advisory.
package.json Updates workspace catalog + root overrides to bump several dependencies.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread packages/security-scanner/src/index.ts Outdated
Comment on lines +16 to +18
// postcss CVE-2026-41305 — fixed in 8.5.10. We resolve postcss@8.5.14 via vite,
// but OSV's affected-range data is incomplete and still flags current versions.
"CVE-2026-41305", "GHSA-qx2v-qp2m-jg93",

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot resolve the issue and retest

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done in 584d561. The postcss CVE-2026-41305/GHSA-qx2v-qp2m-jg93 ignore is now version-gated instead of unconditional:

  • Moved the two IDs into a separate postcssIgnoreIds set
  • In the filter, when an advisory matches those IDs and advisory.package === "postcss", it checks input.packages to see if any installed postcss is < 8.5.10
  • If a vulnerable copy is found it passes through; if all copies are ≥ 8.5.10 it's suppressed

The root override ("postcss": "8.5.14") keeps the gate from triggering in practice, but removing the override would automatically re-surface the advisory rather than silently hiding it.

github-actions Bot and others added 3 commits May 9, 2026 00:26
Reviewer caught that bun.lock previously contained two postcss resolutions:
- postcss@8.5.14 (the top-level resolution)
- postcss@8.4.31 (nested under tw-to-css)

postcss@8.4.31 IS vulnerable to CVE-2026-41305 (fix landed in 8.5.10), so
the unconditional ignore was masking real exposure on that path.

Bun's Security.Advisory shape only carries { id, message, level, package,
url, description } — no version — so a version-aware scanner filter isn't
possible. Instead, force ALL postcss resolutions to a fixed version via
the bun overrides. That removes the vulnerable 8.4.31 entirely (verified:
'postcss@' now appears in bun.lock exactly once, at 8.5.14).

The CVE-2026-41305 / GHSA-qx2v-qp2m-jg93 ignore in security-scanner stays
because OSV's affected-range data still flags 8.5.14 as affected even
though 8.5.10 fixed it; the comment now spells that out and notes the
override is the actual mitigation.
…n >= 8.5.10

Agent-Logs-Url: https://github.com/SolaceHarmony/emberharmony/sessions/6d17f3d1-b089-4d02-a86a-c3d79e408b7d

Co-authored-by: sydneyrenee <188732394+sydneyrenee@users.noreply.github.com>

Copilot AI commented May 9, 2026

Copy link
Copy Markdown
Contributor

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • www.npmjs.com
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

@sydneyrenee sydneyrenee merged commit 79e5ca5 into dev May 9, 2026
4 checks passed
@sydneyrenee sydneyrenee deleted the fix/deps-h3-v2-and-cves branch May 9, 2026 00:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants