[Aikido] Fix security issue in fast-uri via minor version upgrade from 3.1.0 to 3.1.3 in apps#5
Conversation
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes using high effort and found 2 potential issues.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 27268f3. Configure here.
|
|
||
| "when-exit": ["when-exit@2.1.5", "", {}, "sha512-VGkKJ564kzt6Ms1dbgPP/yuIoQCrsFAnRbptpC5wOEsDaNsbCB2bnfnaA8i/vRs5tjUSEOtIuvl9/MyVsvQZCg=="], | ||
|
|
||
| "ajv/fast-uri": ["fast-uri@3.1.0", "", {}, "sha512-iPeeDKJSWf4IEOasVVrknXpaBV0IApz/gp7S2bb7Z4Lljbl2MGJRqInZiUrQwV16cpzw/D3S5j5Julj/gT52AA=="], |
There was a problem hiding this comment.
Nested ajv fast-uri stays vulnerable
Medium Severity
The bun.lock file includes fast-uri@3.1.3, but apps/cli/package.json is missing this dependency. As package.json is the source of truth, bun install could revert the lockfile entry or cause frozen lockfile checks to fail.
Additional Locations (1)
Reviewed by Cursor Bugbot for commit 27268f3. Configure here.
|
|
||
| "when-exit": ["when-exit@2.1.5", "", {}, "sha512-VGkKJ564kzt6Ms1dbgPP/yuIoQCrsFAnRbptpC5wOEsDaNsbCB2bnfnaA8i/vRs5tjUSEOtIuvl9/MyVsvQZCg=="], | ||
|
|
||
| "ajv/fast-uri": ["fast-uri@3.1.0", "", {}, "sha512-iPeeDKJSWf4IEOasVVrknXpaBV0IApz/gp7S2bb7Z4Lljbl2MGJRqInZiUrQwV16cpzw/D3S5j5Julj/gT52AA=="], |
There was a problem hiding this comment.
Ajv still uses vulnerable fast-uri
High Severity
This change pins fast-uri@3.1.3 at the workspace root while the lockfile still resolves ajv’s dependency as nested fast-uri@3.1.0. The CLI never imports fast-uri directly; conf pulls it in through ajv, so URI normalization for schema handling can still run the pre-patch library the CVEs target.
Additional Locations (1)
Reviewed by Cursor Bugbot for commit 27268f3. Configure here.


Upgrade fast-uri to fix path traversal, authority spoofing, and host canonicalization vulnerabilities in normalize() and equal() functions.
✅ 4 CVEs resolved by this upgrade
This PR will resolve the following CVEs:
Note
Low Risk
Dependency-only security patch with no application code changes; residual risk is limited to whether nested
ajvstill resolves vulnerable 3.1.0 unless hoisted/overridden.Overview
Pins
fast-uri@3.1.3as a direct dependency of@sharehtml/cliand updates the lockfile so the resolved top-level package moves from 3.1.0 to 3.1.3, addressing high-severity issues innormalize()/equal()(path traversal, encoded authority bypass, and host canonicalization).The lockfile also records a separate
ajv/fast-uri@3.1.0entry for AJV’s transitive dependency; the workspace now explicitly depends on the patched version for the CLI install graph.Reviewed by Cursor Bugbot for commit 27268f3. Bugbot is set up for automated code reviews on this repo. Configure here.