Dependabot HIGH triage — 2026-06-21
Source: gh api repos/ever-works/ever-works/dependabot/alerts?state=open&severity=high (4 HIGH open).
Lockfile inspected: pnpm-lock.yaml on branch agent/inngest-real-infra.
Working tree NOT modified — research only. Existing pnpm.overrides block at package.json:66-110 is the template for the proposed entries below.
#398 — undici < 6.27.0 (GHSA-vxpw-j846-p89q)
- CWE: CWE-400, CWE-770 — WebSocket DoS via fragment-count bypass.
- Vulnerable range:
< 6.27.0. Patched:6.27.0. - Type: transitive. Lockfile has
[email protected]pulled by three parents:@qdrant/[email protected],[email protected],[email protected]. - Existing override gap:
package.json:79only coversundici@>=7.0.0 <7.24.0. The 6.x branch is uncovered. - Proposed override:
"undici@>=6.0.0 <6.27.0": ">=6.27.0 <7.0.0" - undici cap rule: SAFE. Fix stays on the 6.x line; does not push anyone past the existing
<7.28.0cap. Does not affect the jsdom→[email protected] path (already accepted by the tree, separate concern out of scope here). - Risk: very low — 6.26 → 6.27 is a patch bump, three callers (qdrant client, cheerio, node-gyp) all happy on 6.x latest.
#388 — piscina 5.0.0-alpha.0 .. 5.1.4 (GHSA-x9g3-xrwr-cwfg)
- CWE: CWE-94, CWE-1321 — prototype-pollution gadget → RCE via inherited
options.filename. - Vulnerable range:
>=5.0.0-alpha.0, <=5.1.4. Patched:5.2.0. - Type: transitive. Lockfile has only
[email protected](two@swc/[email protected]install variants). No 5.x resolution exists anywhere. - Verdict: FALSE POSITIVE / stale alert. 4.9.2 sits below the vulnerable range. Dependabot is flagging the declared
^4 || ^5range on@swc/cli, not the resolved version. - Recommended action: dismiss with reason "not-used / resolution outside vulnerable range" once verified with
pnpm why piscina. No override needed. If we want belt-and-braces, add"piscina@>=5.0.0-alpha.0 <5.2.0": ">=5.2.0"to prevent any future hoist into the vulnerable range. - undici cap rule: N/A.
- Risk: none from the proposed dismissal — if
@swc/cliever resolves piscina 5.x, the optional belt-and-braces override would catch it.
#387 — nodemailer <= 9.0.0 (GHSA-p6gq-j5cr-w38f)
- CWE: CWE-73, CWE-918 — message-level
rawoption bypassesdisableFileAccess/disableUrlAccess, enabling arbitrary file read + SSRF in delivered messages. - Vulnerable range:
<= 9.0.0. Patched:9.0.1. - Type: direct (manifest spec).
apps/api/package.json:73declares"nodemailer": "^8.0.9". The existing transitive overridenodemailer@<=9.0.0: >=9.0.1(package.json:81) already forces lockfile resolution to9.0.1, so runtime is patched, but Dependabot keeps flagging the manifest range. - Proposed fix: bump
apps/api/package.jsondirect dep to"nodemailer": "^9.0.1". Lockfile entry is already at 9.0.1 so the install is a no-op; this just silences the manifest-spec alert and aligns intent with reality. - undici cap rule: N/A.
- Risk: very low — nodemailer 8 → 9 is a major bump on paper, but we already run 9.0.1 in lock; only the spec needs to catch up.
@nestjs-modules/[email protected],mailparser, andpreview-emailalready consume nodemailer 9.
#148 — effect < 3.20.0 (GHSA-38f7-945m-qr2g)
- CWE: CWE-362 — race condition;
AsyncLocalStoragecontext lost/contaminated inside Effect fibers under concurrent RPC load. - Vulnerable range:
< 3.20.0. Patched:3.20.0. - Type: transitive. Lockfile has
[email protected], single parent:@prisma/[email protected]. No directeffectdep anywhere. - Proposed override:
"effect@<3.20.0": ">=3.20.0"(broad, simple). Alternative scoped:"@prisma/config>effect": ">=3.20.0"if a broad bump is risky elsewhere (it isn't — only one consumer). - undici cap rule: N/A.
- Risk: low.
@prisma/[email protected]peer-range for effect is wide; 3.18 → 3.20 is a minor bump. Our usage path is RPC-free build-time config loading, so the race isn't directly exposed, but a clean overlay is cheap.
Out-of-scope notes
[email protected]resolves[email protected]despite the project's<7.28.0cap rule. The cap on line 79 only matches>=7.0.0 <7.24.0and silently allows 7.28+ from any direct consumer (jsdom's package.json must already require>=7.28.0). None of the four HIGH fixes above interact with this path, so it stays as-is for this triage. Worth a separate look — if Vitest workers are currently green on jsdom 29 + undici 7.28, the cap-rule incident may be resolved upstream (jsdom 29 may no longer importwrap-handler.js).@brightdata/[email protected]→[email protected]is correctly carved out by"@brightdata/sdk>undici": ">=8.5.0"(line 80) and is unaffected.
Suggested pnpm.overrides delta
Insertions only — no removals, no edits to existing entries:
"undici@>=6.0.0 <6.27.0": ">=6.27.0 <7.0.0",
"effect@<3.20.0": ">=3.20.0",
// optional belt-and-braces for piscina (lockfile is currently 4.9.2 so this is dormant):
"piscina@>=5.0.0-alpha.0 <5.2.0": ">=5.2.0"
Plus a manifest edit in apps/api/package.json:
-"nodemailer": "^8.0.9",
+"nodemailer": "^9.0.1",
Total surface: 3 override insertions + 1 manifest version bump. No interaction with the undici <7.28.0 cap rule. Apply, run pnpm install, verify Vitest still green (especially the jsdom-using suites), commit.