Skip to content

security: vulnerability remediation#114

Merged
ulziibay-kernel merged 2 commits into
mainfrom
security/vuln-remediation
Jun 11, 2026
Merged

security: vulnerability remediation#114
ulziibay-kernel merged 2 commits into
mainfrom
security/vuln-remediation

Conversation

@kernel-internal

@kernel-internal kernel-internal Bot commented Jun 3, 2026
edited by cursor Bot
Loading

Copy link
Copy Markdown
Contributor

Vulnerability Remediation

This PR was generated by the Socket-centric vulnerability remediation workflow. Review the planned dependency changes and confirmation evidence before merging.

Fixed

CVE/GHSA Package Ecosystem Old Version New Version Manifest Confirmation
GHSA-25h7-pfq9-p65f eslint, flatted None 9.39.1 3.4.2 confirmed

Not Included

  • Deferred by batch limit: 4 advisories. They will be considered by future runs.
  • Other deferred scanner findings: 2.
  • Unconfirmed attempted fixes: 0.
Deferred details
CVE/GHSA Package Reason
Unavailable from detector commander Non-CVE alert is not handled by dependency remediation.
Unavailable from detector highlight.js Non-CVE alert is not handled by dependency remediation.

Note

Low Risk
Lockfile-only transitive dev dependency update with no runtime or auth/data path changes.

Overview
Addresses GHSA-25h7-pfq9-p65f by bumping the transitive flatted dependency in yarn.lock from 3.3.2 to 3.4.0 (pulled in via flat-cache / the ESLint toolchain). There are no application or manifest changes in this diff—only the resolved lockfile entry.

Reviewed by Cursor Bugbot for commit 1518369. Bugbot is set up for automated code reviews on this repo. Configure here.

@kernel-internal kernel-internal Bot requested a review from ulziibay-kernel June 3, 2026 04:34
@firetiger-agent

firetiger-agent Bot commented Jun 3, 2026

Copy link
Copy Markdown

Created a monitoring plan for this PR.

What this PR does: Upgrades the flatted devDependency (used by ESLint's internal cache) from 3.3.2 to 3.4.0 to remediate a security advisory — no change to the published SDK or its consumers.

Intended effect:

  • Security advisory clearance: baseline — advisory flagged on flatted < 3.4.0; confirmed if yarn audit / socket.yml scan reports it resolved after this merge.
  • CI pipeline: baseline — lint/build/test passing; confirmed if the pipeline continues passing with no new failures.

Risks:

  • CI lint breakage — if flatted 3.4.0 introduces a breaking change for flat-cache, ESLint could fail in CI; alert if the CI lint step fails post-merge.
  • No production service, API, or runtime risk — flatted is not included in the published npm package (@onkernel/sdk has zero runtime dependencies).

Status updates will be posted automatically on this PR as monitoring progresses.

View monitor

@kernel-internal kernel-internal Bot force-pushed the security/vuln-remediation branch from f9545f1 to 006f144 Compare June 10, 2026 04:35
ulziibay-kernel
ulziibay-kernel approved these changes Jun 11, 2026
View reviewed changes

@ulziibay-kernel ulziibay-kernel left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@ulziibay-kernel ulziibay-kernel merged commit 4fc6029 into main Jun 11, 2026
11 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ulziibay-kernel ulziibay-kernel ulziibay-kernel approved these changes

Assignees

@ulziibay-kernel ulziibay-kernel

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ulziibay-kernel