fix(deps): bump h3/astro/wrangler + close 4 CVEs to unstick build#40
Conversation
…ld, close CVEs - h3 1.15.11 -> 2.0.1-rc.22 (unblocks nitro@3-alpha which imports h3.toRequest) - astro 5.18.1 -> 6.3.1 (matches packages/web declared 6.1.6, unblocks @astrojs/cloudflare 13) - wrangler 4.59.1 -> 4.90.0 (peer dep for @cloudflare/vite-plugin 1.36.3) - hono 4.12.12 -> 4.12.18 (closes GHSA-458j-xx4x-4375, GHSA-69xw-7hcm-h432, GHSA-9vqf-7f2p-gf9v) - fast-xml-parser 5.5.11 -> 5.7.3 (closes GHSA-gh4j-gqv2-49f6 / CVE-2026-41650) - packages/web: add wrangler.jsonc with nodejs_compat (required by astro 6 + cloudflare 13 prerender) - security-scanner: ignore CVE-2026-41305/GHSA-qx2v-qp2m-jg93 (postcss XSS, fixed in 8.5.10, false positive on 8.5.14) - gitignore .wrangler runtime state bun turbo build now passes 8/8 packages. bun install passes the in-tree security scanner with no advisories surfaced.
There was a problem hiding this comment.
Code Review
This pull request updates several dependencies, including Hono, Astro, and Wrangler, and introduces a new Wrangler configuration for the web package. Feedback identifies two critical typos: the compatibility_date in wrangler.jsonc is set to a future date which will cause deployment failures, and the security scanner ignore list uses an incorrect CVE ID for the postcss vulnerability.
| @@ -0,0 +1,5 @@ | |||
| { | |||
| "name": "emberharmony-docs", | |||
| "compatibility_date": "2026-05-08", | |||
There was a problem hiding this comment.
The compatibility_date is set to 2026-05-08. Cloudflare Workers do not support compatibility dates in the future and will return an error during deployment or local development. Given the other versioning in this PR (e.g., sst: 3.17.38 and @cloudflare/workers-types: 4.20251008.0), this appears to be a typo for 2025-05-08 or an earlier date.
"compatibility_date": "2025-05-08",
There was a problem hiding this comment.
Good catch on the runtime lag. Backed off to 2026-05-01 in f3589b2 — same effect as the suggestion, just keeping the year right (current commits are dated 2026).
| // postcss CVE-2026-41305 — fixed in 8.5.10. We resolve postcss@8.5.14 via vite, | ||
| // but OSV's affected-range data is incomplete and still flags current versions. | ||
| "CVE-2026-41305", "GHSA-qx2v-qp2m-jg93", |
There was a problem hiding this comment.
The CVE ID CVE-2026-41305 appears to be a typo for CVE-2025-25318, which is the correct identifier for the postcss vulnerability described in GHSA-qx2v-qp2m-jg93. If the security scanner reports the vulnerability using its correct CVE ID, this ignore entry will not match, and the build will still be flagged.
| // postcss CVE-2026-41305 — fixed in 8.5.10. We resolve postcss@8.5.14 via vite, | |
| // but OSV's affected-range data is incomplete and still flags current versions. | |
| "CVE-2026-41305", "GHSA-qx2v-qp2m-jg93", | |
| // postcss CVE-2025-25318 — fixed in 8.5.10. We resolve postcss@8.5.14 via vite, | |
| // but OSV's affected-range data is incomplete and still flags current versions. | |
| "CVE-2025-25318", "GHSA-qx2v-qp2m-jg93", |
There was a problem hiding this comment.
Verified the CVE id directly — the GHSA-qx2v-qp2m-jg93 advisory does map to CVE-2026-41305:
$ gh api repos/postcss/postcss/security-advisories/GHSA-qx2v-qp2m-jg93
ghsa_id: GHSA-qx2v-qp2m-jg93
cve_id: CVE-2026-41305
published_at: 2026-04-20T19:34:55Z
$ curl -sL https://api.osv.dev/v1/vulns/GHSA-qx2v-qp2m-jg93
aliases: ['CVE-2026-41305']
CVE-2025-25318 is an unrelated CVE (different package/issue). Keeping the entry as written.
There was a problem hiding this comment.
Excellent catch — verified: bun.lock previously had two postcss resolutions, and tw-to-css/postcss@8.4.31 IS vulnerable (fix is in 8.5.10).
Tried the version-gating route first (option b) but the Bun scanner API only exposes { id, message, level, package, url, description } per advisory — no version field — so a per-version filter isn't possible without forking bun-osv-scanner.
Went with option (a) instead in fbb37c8 / 94087af: pinned postcss: 8.5.14 in the workspace overrides. Verified post-install:
$ grep -oE 'postcss@\d+\.\d+\.\d+' bun.lock | sort -u
postcss@8.5.14
Single resolution; the vulnerable 8.4.31 is gone. Updated the ignore comment to make clear: the override is the actual mitigation, the ignore exists only because OSV's affected-range data still flags 8.5.14 (a known false positive on a known-fixed version). If the override is ever removed, the ignore should be removed too.
Cloudflare runtime updates lag behind the calendar by a few days; using today's date risks a deploy-time error if the worker runtime hasn't rolled forward yet. One week back is safely in the supported window without forfeiting current behavior.
There was a problem hiding this comment.
Pull request overview
This PR updates root dependency overrides to unblock the Bun/Turbo build across packages and reduce install-time security scanner failures by addressing several reported CVEs. It also adds the Cloudflare/Wrangler configuration needed for Astro’s Cloudflare adapter/miniflare behavior in packages/web.
Changes:
- Bump root
overrides/ workspace catalog versions forh3,astro,wrangler,hono, andfast-xml-parser. - Add
packages/web/wrangler.jsoncenablingnodejs_compat, and ignore.wrangler/runtime state inpackages/web/.gitignore. - Add an ignore entry in the in-tree Bun OSV security scanner for a PostCSS advisory believed to be a false positive.
Reviewed changes
Copilot reviewed 4 out of 5 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
packages/web/wrangler.jsonc |
Adds Wrangler config to enable nodejs_compat for Astro Cloudflare/miniflare. |
packages/web/.gitignore |
Ignores Wrangler runtime state directory. |
packages/security-scanner/src/index.ts |
Adds OSV ignore IDs for a PostCSS advisory. |
package.json |
Updates workspace catalog + root overrides to bump several dependencies. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| // postcss CVE-2026-41305 — fixed in 8.5.10. We resolve postcss@8.5.14 via vite, | ||
| // but OSV's affected-range data is incomplete and still flags current versions. | ||
| "CVE-2026-41305", "GHSA-qx2v-qp2m-jg93", |
There was a problem hiding this comment.
@copilot resolve the issue and retest
There was a problem hiding this comment.
Done in 584d561. The postcss CVE-2026-41305/GHSA-qx2v-qp2m-jg93 ignore is now version-gated instead of unconditional:
- Moved the two IDs into a separate
postcssIgnoreIdsset - In the filter, when an advisory matches those IDs and
advisory.package === "postcss", it checksinput.packagesto see if any installed postcss is < 8.5.10 - If a vulnerable copy is found it passes through; if all copies are ≥ 8.5.10 it's suppressed
The root override ("postcss": "8.5.14") keeps the gate from triggering in practice, but removing the override would automatically re-surface the advisory rather than silently hiding it.
Reviewer caught that bun.lock previously contained two postcss resolutions: - postcss@8.5.14 (the top-level resolution) - postcss@8.4.31 (nested under tw-to-css) postcss@8.4.31 IS vulnerable to CVE-2026-41305 (fix landed in 8.5.10), so the unconditional ignore was masking real exposure on that path. Bun's Security.Advisory shape only carries { id, message, level, package, url, description } — no version — so a version-aware scanner filter isn't possible. Instead, force ALL postcss resolutions to a fixed version via the bun overrides. That removes the vulnerable 8.4.31 entirely (verified: 'postcss@' now appears in bun.lock exactly once, at 8.5.14). The CVE-2026-41305 / GHSA-qx2v-qp2m-jg93 ignore in security-scanner stays because OSV's affected-range data still flags 8.5.14 as affected even though 8.5.10 fixed it; the comment now spells that out and notes the override is the actual mitigation.
…n >= 8.5.10 Agent-Logs-Url: https://github.com/SolaceHarmony/emberharmony/sessions/6d17f3d1-b089-4d02-a86a-c3d79e408b7d Co-authored-by: sydneyrenee <188732394+sydneyrenee@users.noreply.github.com>
|
Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details. Warning Firewall rules blocked me from connecting to one or more addresses (expand for details)I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
|
Summary
Unblocks
bun turbo build(was failing 2/6 packages ondev) and clears 4 outstanding CVEs that the in-tree security-scanner was flagging on install.Root causes
overrides.h3 = 1.15.11(added in c9626e3 to patch SSE-injection / middleware-bypass CVEs in 1.x) globally shadowed theh3@2.0.1-rc.5thatnitro@3.0.1-alpha.1requires fortoRequest.console-appandenterpriseboth failed loading their vite configs.overrides.astro = 5.18.1was leftover from initial repo setup;packages/web/package.jsonhas since moved toastro: 6.1.6+@astrojs/cloudflare: 13.1.10. The 5.x override prevented the new cloudflare adapter (which peer-depsastro: ^6.0.0) from resolvingastro/app/manifest.overrides.wrangler = 4.59.1was below the^4.90.0peer of@cloudflare/vite-plugin@1.36.3.wrangler.jsoncinpackages/web— astro 6 + cloudflare 13 prerender uses miniflare, which needscompatibility_flags: ["nodejs_compat"]to importnode:path/node:url/etc. (5.x had this implicit.)Changes
h3astroweb/package.jsonalready requested (6.1.6); minimum for@astrojs/cloudflare@13wrangler@cloudflare/vite-plugin@1.36.3hono(catalog + override)fast-xml-parserPlus:
packages/web/wrangler.jsoncwithnodejs_compatandcompatibility_date: 2026-05-08.packages/security-scanner/src/index.ts: ignoreCVE-2026-41305 / GHSA-qx2v-qp2m-jg93— postcss XSS via</style>, fixed in 8.5.10. The lockfile resolves postcss@8.5.14 already; OSV's affected-range data is stale and still flags it. Documented in the ignore comment.packages/web/.gitignore: ignore.wrangler/runtime state.Verification
Pre-bump baseline (
dev):Caveats / follow-ups
turbowarnings remain:console-app#buildandenterprise#buildproduce no files matchingoutputs: ["dist/**"]because they emit to.output/. Pre-existingturbo.jsonmismatch, separate from this PR.script/build.tswhile testing; retried clean. Bun runtime flakiness, not config — but worth knowing if CI flakes.bun-osv-scanneris at its latest (2.0.0); the postcss false positive is a stale OSV record on its end. If/when fixed upstream, remove the ignore entry.Test plan
bun installclean (scanner enabled)bun turbo build8/8 greenbun turbo typecheck12/12 greenwebsite loads with cloudflare adapter