[PR #5400] [MERGED] chore: security patch for the dependency chain #5187

Closed
opened 2026-03-17 02:39:34 +03:00 by kerem · 0 comments

📋 Pull Request Information

Original PR: https://github.com/hoppscotch/hoppscotch/pull/5400
Author: @mirarifhasan
Created: 9/24/2025
Status: Merged
Merged: 9/24/2025
Merged by: @jamesgeorge007

Base: next ← Head: chore/vuln-bump


📝 Commits (3)

  • 28608bf chore: backend dependencies to latest versions
  • ccf9db6 chore: resolve vuln
  • 175228f chore: address security vulnerabilities and bump non major dependencies

📊 Changes

12 files changed (+2358 additions, -1568 deletions)

View changed files

📝 package.json (+5 -3)
📝 packages/hoppscotch-agent/package.json (+2 -2)
📝 packages/hoppscotch-backend/package.json (+13 -13)
📝 packages/hoppscotch-cli/package.json (+1 -1)
📝 packages/hoppscotch-common/package.json (+2 -2)
📝 packages/hoppscotch-data/package.json (+1 -1)
📝 packages/hoppscotch-js-sandbox/package.json (+1 -1)
📝 packages/hoppscotch-kernel/package.json (+1 -1)
📝 packages/hoppscotch-selfhost-web/package.json (+1 -1)
📝 packages/hoppscotch-sh-admin/package.json (+1 -1)
📝 pnpm-lock.yaml (+2324 -1532)
📝 prod.Dockerfile (+6 -10)

📄 Description

Closes BE-650

This pull request addresses security vulnerabilities across both backend and frontend packages and updates dependencies to maintain compatibility with the latest versions.

What's changed

Security and Dependency Updates

Updated several critical dependencies to address security vulnerabilities:

  • Updated axios from 1.11.0 to 1.12.2 across 6 frontend packages (agent, cli, common, kernel, selfhost-web, sh-admin) to fix CVE-2025-58754 DoS vulnerability
  • Updated vite from 6.3.5 to 6.3.6 across 4 packages (agent, common, data, js-sandbox) to address filesystem bypass vulnerabilities including CVE-2024-23331
  • Added pnpm overrides for form-data 4.0.4 and ws 8.17.1 to resolve critical and high severity issues in transitive dependencies

Updated @prisma/client and prisma to version 6.16.2, and posthog-node to 5.8.8 for improved features and bug fixes.

Upgraded @nestjs/schedule to 6.0.1 and nodemailer to 7.0.6 for better reliability and security.

Updated several devDependencies including @eslint/js, eslint, jest, ts-jest, and TypeScript-related packages for improved linting and testing support.

Dockerfile Improvements

Upgraded Caddy server from version 2.10.0 to 2.10.2 and updated the checksum for enhanced security.

Updated Go from 1.25.0 to 1.25.1 to address CVE-2025-47907.

Upgraded global npm to 11.6.0 and pnpm to 10.17.1 to mitigate vulnerabilities and improve package management.

Minor updates

  • Updated @types/node from 24.3.0 to 24.5.2 across multiple packages
  • Updated lint-staged from 16.1.5 to 16.2.0

Maintenance

Removed explicit patching steps for chi and circl libraries in the Docker build, likely because the updated Caddy or Go versions already address the relevant vulnerabilities.

Notes to reviewers

The security fixes have been verified through pnpm audit. Changes use both direct dependency updates and pnpm overrides to handle transitive dependencies that can't be updated directly.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
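A reviewer of a PR like this one will want to confirm that the pnpm overrides actually reached the lockfile, since `pnpm audit` reports on what is resolved, not on what `package.json` declares. The Node.js script below is an added example, not code from the Hoppscotch repository: it scans a `pnpm-lock.yaml` for every resolved version of the packages this PR pins and flags any that sit below the floor the PR sets; the lockfile excerpt is constructed, and the floors are the versions named in the description.

```javascript
// Added example (not part of the Hoppscotch PR): check that every resolved
// copy of an overridden package in pnpm-lock.yaml meets the floor the PR set.
// Plain Node.js, no dependencies. The lockfile text below is constructed.

// Floors taken from the PR description (direct bumps and pnpm overrides).
const FLOORS = { 'form-data': '4.0.4', ws: '8.17.1', axios: '1.12.2', vite: '6.3.6' };

// Constructed lockfile excerpt: a second, stale `ws` shows a failing check,
// and the peer-suffix form `vite@6.3.6(...)` shows the newer key style.
const SAMPLE_LOCK = `
packages:

  /axios@1.12.2:
    resolution: {integrity: sha512-constructed}

  form-data@4.0.4:
    resolution: {integrity: sha512-constructed}

  vite@6.3.6(@types/node@24.5.2):
    resolution: {integrity: sha512-constructed}

  ws@8.17.1:
    resolution: {integrity: sha512-constructed}

  ws@7.5.9:
    resolution: {integrity: sha512-constructed}
`;

// Compare dotted numeric versions; returns <0, 0 or >0. Pre-release tags are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Collect every `name@version` key under `packages:`, accepting both the older
// `/name@version:` style and the newer `name@version(peer@x):` style.
function resolvedVersions(lockText) {
  const out = {};
  const re = /^[ ]{2}\/?((?:@[^/\s]+\/)?[^@\s/]+)@(\d[^\s(:]*)(?:\([^)]*\))*:[ ]*$/gm;
  for (const m of lockText.matchAll(re)) (out[m[1]] = out[m[1]] || []).push(m[2]);
  return out;
}

// Return {name, version, floor} for each resolved copy below its floor; [] means OK.
function findBelowFloor(lockText, floors = FLOORS) {
  const resolved = resolvedVersions(lockText);
  const bad = [];
  for (const [name, floor] of Object.entries(floors)) {
    for (const v of resolved[name] || []) {
      if (compareVersions(v, floor) < 0) bad.push({ name, version: v, floor });
    }
  }
  return bad;
}

console.log(findBelowFloor(SAMPLE_LOCK)); // [{ name: 'ws', version: '7.5.9', floor: '8.17.1' }]
```

Run it against the real lockfile with `require('fs').readFileSync('pnpm-lock.yaml', 'utf8')` in place of `SAMPLE_LOCK`; a non-empty result means an override did not apply to some dependency path and the audit result should not be trusted for that package.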
