Security Patching - HIGH - 24 CVEs across 8 dependencies

@zen-agentchecks n/achecks…zen/security-patching-high-cves-xwf5ll → master3 files · +818 −772updated 3w ago

▸Description· 1 comment · 8 noise

Description

Patches 24 HIGH-severity CVEs identified by Socket.dev security scanning. Uses socket fix CLI for automated, verified remediation.

Vulnerabilities Fixed

Package	Old Version	Fixed Version	CVEs
axios	1.15.0	1.15.2	CVE-2026-42033, CVE-2026-42035, CVE-2026-42043, CVE-2026-42264
protobufjs	7.5.5	7.5.6	CVE-2026-44289, CVE-2026-44290, CVE-2026-44291, CVE-2026-44293
kysely	0.28.14	0.28.17	CVE-2026-44635
@opentelemetry/auto-instrumentations-node	0.57.1	0.75.0	CVE-2026-44902
@opentelemetry/sdk-node	0.200.0	0.217.0	CVE-2026-44902
@opentelemetry/exporter-prometheus	0.200.0	0.217.0	CVE-2026-44902
fast-xml-builder	1.1.4	1.1.7	CVE-2026-44665
@better-auth/oauth-provider	1.5.5	1.6.5	CVE-2026-41427

Already Patched (by existing pnpm overrides)

Package	Override Version	CVEs
handlebars	4.7.9	CVE-2026-33938/33939/33940/33941
tar	7.5.11	CVE-2026-23745/23950/24842/26960/29786/31802
simple-git	^3.36.0	CVE-2026-6951, CVE-2026-28291

Vulnerability Details

axios (CVE-2026-42033/42035/42043/42264): Multiple request handling vulnerabilities
protobufjs (CVE-2026-44289/44290/44291/44293): Code injection via unsafe handling of bytes field defaults in generated toObject conversion
kysely (CVE-2026-44635): JSON path traversal via unescaped metacharacters in JSONPathBuilder
@opentelemetry (CVE-2026-44902): Vulnerability in auto-instrumentation and SDK packages
fast-xml-builder (CVE-2026-44665): XML builder vulnerability
@better-auth/oauth-provider (CVE-2026-41427): OAuth provider security issue

How did I test this PR

Socket CLI validation: Ran socket fix --id with all 24 CVE IDs — all patches applied successfully (fixedAll: true)
Socket re-scan: Ran socket fix --no-apply-fixes post-patch — confirms "selected-vulnerabilities-do-not-affect-the-current-project"
Individual package verification: Socket score check on patched versions shows vulnerability scores of 98-100 with 0 high/critical CVE alerts
Unit tests: vitest run src/lib/tool_execution/ — 39/39 passed; vitest run src/lib/connected_accounts/refresh_s2s_oauth2_access_token.test.ts — 4/4 passed
Lockfile integrity: pnpm install --lockfile-only confirms lockfile is consistent

@zen-agent3w ago

Post-PR Status Update

Codex Review

Pass — first round flagged P0 (better-auth peer dep mismatch), fixed in commit 87f0f5e. Second round: clean, no issues.

CI Status

23/28 checks passed, 0 failed, 5 remaining (E2E and integration tests still running). Background monitor active.

Tests / E2E

Unit tests: vitest run src/lib/tool_execution/ — 39/39 passed
Unit tests: vitest run src/lib/connected_accounts/refresh_s2s_oauth2_access_token.test.ts — 4/4 passed
Build checks: lint (oxlint) ✅, typecheck (tsgo) ✅, format (oxfmt) ✅
E2E: Apollo health check ✅, tools list endpoint ✅
Socket re-scan: All 24 CVEs confirmed resolved

Comments Addressed

Bugbot: better-auth peer dep mismatch → Fixed in commit 87f0f5e, replied with explanation
Codex GitHub: informational review, no action items

Remaining

Waiting on 5 E2E/integration CI checks to complete (background monitor will notify)

▸ 8 bot/status comments hidden

@vercel[bot]3w ago

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
apollo	Ready	Preview, Comment	May 21, 2026 5:57am

Project	Deployment	Actions	Updated (UTC)
debby	Skipped		May 21, 2026 5:57am

@github-actions[bot]3w ago

🔍 Suggested Reviewers

Based on git blame analysis of 3 file(s):

Contributor	Contribution	Files
Zen	49%	3
jkomyno	16%

loading diff…

Flag	Coverage Δ
e2e-tests	`6.04% <ø> (ø)`
self-hosted-tests	`5.58% <ø> (ø)`
unit-tests	`58.86% <ø> (-0.02%)`	:arrow_down:

Security Patching - HIGH - 24 CVEs across 8 dependencies

Description

Vulnerabilities Fixed

Already Patched (by existing pnpm overrides)

Vulnerability Details

How did I test this PR

Post-PR Status Update

Codex Review

CI Status

Tests / E2E

Comments Addressed

Remaining

🔍 Suggested Reviewers

Description

Vulnerabilities Fixed

Already Patched (by existing pnpm overrides)

Vulnerability Details

How did I test this PR

Post-PR Status Update

Codex Review

CI Status

Tests / E2E

Comments Addressed

Remaining

🔍 Suggested Reviewers

💡 Recommendation

🧪 Test Results Summary (Unit Tests)

🧪 Test Results Summary (Self-Hosted Tests)

Codecov Report

🧪 Test Results Summary (E2E Tests)