fix(security): patch ws, hono, uuid, axios CVEs across examples #37

Merged
yosriady merged 2 commits into main from claude/determined-hopper-16lw14 on Jun 16, 2026
Conversation

@yosriady yosriady commented Jun 16, 2026

Contributor

Summary

Resolves the Aikido dependency alerts for ws, hono, uuid, and axios across the example apps by forcing patched transitive versions through pnpm overrides and regenerating each lockfile.

| Package | Advisory | Fixed to | Notes |
|---|---|---|---|
| ws | CVE-2026-45736 | 8.20.1 | 8.x line only; existing 7.x pins (e.g. 7.5.10) preserved |
| hono | GHSA-88fw-hqm2-52qc + related (17 advisories) | 4.12.25 | comprehensive fix for all flagged hono advisories |
| uuid | CVE-2026-41907 | 11.1.1 | scoped to the flagged 8.x/9.x line |
| axios | multiple (SSRF / proto-pollution / info-leak) | 1.16.1 / 0.32.0 | 1.x → 1.16.1; with-thirdweb 0.x → 0.32.0 |

How

The pnpm-11 examples read overrides from pnpm-workspace.yaml (not package.json pnpm.overrides), so entries were added there, matching the repo's existing Aikido-remediation convention. with-openfort/backend is on pnpm 9 and uses package.json pnpm.overrides. Selectors target the vulnerable ranges (e.g. ws@>=8.0.0 <8.20.1: 8.20.1) so any affected version in the branch is patched, and each lockfile was regenerated with the example's pinned pnpm version.

uuid scoping (note for reviewer)

Commit #24 deliberately scoped the uuid override to 11.x to avoid bumping transitive uuid 8.3.2/9.0.1, which were then "outside the flagged CVE." CVE-2026-41907 now flags exactly those versions, so this PR widens the selector to uuid@>=8.0.0 <11.1.1 → 11.1.1. It still leaves the unflagged ancient (3.3.2, 7.0.3) and newer (14.0.0) transitive copies untouched to avoid unrelated cross-major churn.

Scope

  • with-angular excluded — not flagged for any of these, and re-resolving hono there conflicts with its Angular security-patch release-age pins.
  • getformo/formono (also listed in the alerts) is a separate repo, outside this PR's scope.

Verification

  • All 18 changed lockfiles: no vulnerable ws/hono/uuid/axios versions remain within the flagged ranges.
  • Build + pnpm audit --prod run locally for every changed example (CI matrix replicated); the Build Examples workflow validates the rest.

https://claude.ai/code/session_01CaVCXJd9wtcjwjXTizs6b1


Generated by Claude Code
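The "no vulnerable versions remain within the flagged ranges" step under Verification, and the vulnerable-range selectors described under How, as a lockfile check. This is an added example, not code from the PR or the repo: the lockfile fragment is constructed, and the key regex assumes the `packages:` key layout of pnpm lockfile v6 (`/name@version`) and v9 (`name@version`, quoted when scoped).

```python
import operator, re
# Override selectors from this PR (vulnerable range -> patched version); axios 0.x is the with-thirdweb one.
OVERRIDES = {
    "ws":    [(">=8.0.0 <8.20.1", "8.20.1")],
    "hono":  [("<4.12.25", "4.12.25")],
    "uuid":  [(">=8.0.0 <11.1.1", "11.1.1")],
    "axios": [(">=1.0.0 <1.16.1", "1.16.1"), ("<0.32.0", "0.32.0")],
}
OPS = {">=": operator.ge, ">": operator.gt, "<=": operator.le, "<": operator.lt}
# A lockfile package key: v6 '  /ws@8.18.0:' or v9 '  ws@8.18.0:' / "  '@scope/pkg@1.2.3':" (assumed layout)
KEY = re.compile(r"^  '?/?(@?[\w.-]+(?:/[\w.-]+)?)@(\d+\.\d+\.\d+(?:-[\w.]+)?)")

def parse_version(v):  # '8.20.1' -> (8, 20, 1); a pre-release suffix after '-' is dropped
    return tuple(int(x) for x in v.split("-")[0].split("."))

def in_range(version, range_expr):
    """True if version satisfies every space-separated comparator in range_expr."""
    ver = parse_version(version)
    for token in range_expr.split():
        op, bound = re.fullmatch(r"(>=|<=|>|<)(\d+\.\d+\.\d+)", token).groups()
        if not OPS[op](ver, parse_version(bound)):
            return False
    return True

def lockfile_packages(text):
    """Yield (name, version) for each key under the top-level 'packages:' section."""
    in_packages = False
    for line in text.splitlines():
        if line and not line[0].isspace():  # any top-level key starts a new section
            in_packages = line.startswith("packages:")
        m = KEY.match(line) if in_packages else None
        if m:
            yield m.group(1), m.group(2)

def find_vulnerable(text, overrides=OVERRIDES):  # -> [(name, version, required_patch)]
    return [(name, version, patched)
            for name, version in lockfile_packages(text)
            for range_expr, patched in overrides.get(name, [])
            if in_range(version, range_expr)]
# Constructed sample pnpm-lock.yaml fragment (not from the repo); the snapshots: section is skipped.
SAMPLE_LOCK = """\
lockfileVersion: '9.0'
packages:
  axios@0.21.1: {}
  hono@4.12.25: {}
  uuid@9.0.1: {}
  ws@8.18.0: {}
snapshots:
  ws@8.18.0(bufferutil@4.0.8): {}
"""
```

Run `find_vulnerable(open("pnpm-lock.yaml").read())` per changed example; an empty list is the gate the Verification bullet describes.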



Force patched transitive versions via pnpm overrides
(pnpm-workspace.yaml for pnpm-11 examples; package.json pnpm.overrides
for with-openfort/backend on pnpm 9). Lockfiles regenerated with each
example's pinned pnpm version.

- ws -> 8.20.1   (CVE-2026-45736). 8.x line only; existing 7.x pins
  such as 7.5.10 are preserved.
- hono -> 4.12.25 (GHSA-88fw-hqm2-52qc and related advisories).
- uuid -> 11.1.1 (CVE-2026-41907). Scoped to the flagged 8.x/9.x line
  (uuid@>=8.0.0 <11.1.1); unflagged 3.x/7.x and 14.x transitive copies
  are left untouched to avoid unrelated cross-major churn.
- axios -> 1.16.1 (1.x line) and 0.32.0 (0.x line, with-thirdweb).

Override selectors use vulnerable-range keys so any affected version in
the branch is patched. with-angular is intentionally excluded: it is not
flagged for any of these and re-resolving hono conflicts with its Angular
security-patch release-age pins.

https://claude.ai/code/session_01CaVCXJd9wtcjwjXTizs6b1
socket-security Bot commented Jun 16, 2026


Dependency limit exceeded — report not shown.

This pull request scan exceeded the 10,000-dependency limit applied to this scan, so the results are incomplete and may be inaccurate. To avoid reporting false positives, Socket has not posted a report.

Upgrade your plan to raise the dependency limit and get complete reports, or view the partial scan in the dashboard.

Socket is always free for open source. If this is a non-commercial open source project, contact us to request a free Team account.

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request applies security overrides across multiple workspace configurations and lockfiles to enforce patched transitive dependency versions (such as ws, uuid, hono, and axios) for Aikido CVE remediation. The review feedback recommends wrapping unquoted keys containing special characters (e.g., hono@<4.12.25 and axios@<0.32.0) in single quotes within the overrides block of several pnpm-workspace.yaml files. This change ensures formatting consistency and prevents potential YAML parsing issues.


Comment thread with-thirdweb/pnpm-workspace.yaml Outdated
'ws@>=7.0.0 <7.5.10': 7.5.10
'ws@>=8.0.0 <8.17.1': 8.17.1
'ws@>=8.0.0 <8.20.1': 8.20.1
axios@<0.32.0: 0.32.0
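Review bot: the two ws keys overlap: `'ws@>=8.0.0 <8.17.1': 8.17.1` lies entirely inside `'ws@>=8.0.0 <8.20.1': 8.20.1`, so any 8.x below 8.17.1 matches both selectors and which version it resolves to is left to pnpm's override precedence rather than stated in the file. Drop the older 8.17.1 line, since the 8.20.1 selector already covers its whole range, so every affected 8.x resolves to 8.20.1; the 7.x line is already handled separately by `'ws@>=7.0.0 <7.5.10': 7.5.10`.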


medium

For consistency with the other keys in the overrides block, please wrap the axios@<0.32.0 key in single quotes. This also prevents potential YAML parsing issues with special characters like @ and <.

  'axios@<0.32.0': 0.32.0

Comment thread with-dynamic/pnpm-workspace.yaml Outdated
'uuid@>=11.0.0 <11.1.1': 11.1.1
'axios@>=1.0.0 <1.16.1': 1.16.1
'ws@>=8.0.0 <8.20.1': 8.20.1
hono@<4.12.25: 4.12.25


medium

For consistency with the other keys in the overrides block, please wrap the hono@<4.12.25 key in single quotes. This also prevents potential YAML parsing issues with special characters like @ and <.

  'hono@<4.12.25': 4.12.25

Comment thread with-farcaster/pnpm-workspace.yaml Outdated
# Security: force patched transitive versions (Aikido CVE remediation).
overrides:
'ws@>=8.0.0 <8.20.1': 8.20.1
hono@<4.12.25: 4.12.25


medium

For consistency with the other keys in the overrides block, please wrap the hono@<4.12.25 key in single quotes. This also prevents potential YAML parsing issues with special characters like @ and <.

  'hono@<4.12.25': 4.12.25

Comment thread with-metamask/pnpm-workspace.yaml Outdated
# Security: force patched transitive versions (Aikido CVE remediation).
overrides:
'ws@>=8.0.0 <8.20.1': 8.20.1
hono@<4.12.25: 4.12.25


medium

For consistency with the other keys in the overrides block, please wrap the hono@<4.12.25 key in single quotes. This also prevents potential YAML parsing issues with special characters like @ and <.

  'hono@<4.12.25': 4.12.25

'elliptic@<=6.6.0': 6.6.1
'@babel/traverse@<7.23.2': 7.23.2
'ws@>=8.0.0 <8.20.1': 8.20.1
hono@<4.12.25: 4.12.25


medium

For consistency with the other keys in the overrides block, please wrap the hono@<4.12.25 key in single quotes. This also prevents potential YAML parsing issues with special characters like @ and <.

  'hono@<4.12.25': 4.12.25

Comment thread with-porto/pnpm-workspace.yaml Outdated
# Security: force patched transitive versions (Aikido CVE remediation).
overrides:
'ws@>=8.0.0 <8.20.1': 8.20.1
hono@<4.12.25: 4.12.25


medium

For consistency with the other keys in the overrides block, please wrap the hono@<4.12.25 key in single quotes. This also prevents potential YAML parsing issues with special characters like @ and <.

  'hono@<4.12.25': 4.12.25

Comment thread with-privy/pnpm-workspace.yaml Outdated
'axios@>=1.0.0 <1.16.1': 1.16.1
'js-cookie@<3.0.6': 3.0.6
'ws@>=8.0.0 <8.20.1': 8.20.1
hono@<4.12.25: 4.12.25


medium

For consistency with the other keys in the overrides block, please wrap the hono@<4.12.25 key in single quotes. This also prevents potential YAML parsing issues with special characters like @ and <.

  'hono@<4.12.25': 4.12.25

Comment thread with-tempo/pnpm-workspace.yaml Outdated
# Security: force patched transitive versions (Aikido CVE remediation).
overrides:
'ws@>=8.0.0 <8.20.1': 8.20.1
hono@<4.12.25: 4.12.25


medium

For consistency with the other keys in the overrides block, please wrap the hono@<4.12.25 key in single quotes. This also prevents potential YAML parsing issues with special characters like @ and <.

  'hono@<4.12.25': 4.12.25

Comment thread with-web3-onboard/pnpm-workspace.yaml Outdated
'crypto-es@<2.1.0': 2.1.0
'ws@>=8.0.0 <8.17.1': 8.17.1
'ws@>=8.0.0 <8.20.1': 8.20.1
hono@<4.12.25: 4.12.25
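Review bot: same overlap as in with-thirdweb: `'ws@>=8.0.0 <8.17.1': 8.17.1` is a strict subset of `'ws@>=8.0.0 <8.20.1': 8.20.1`, so versions below 8.17.1 match two selectors with different targets. Remove the 8.17.1 line so the file states one unambiguous outcome for the whole 8.x range; the surrounding `crypto-es` key is unaffected.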


medium

For consistency with the other keys in the overrides block, please wrap the hono@<4.12.25 key in single quotes. This also prevents potential YAML parsing issues with special characters like @ and <.

  'hono@<4.12.25': 4.12.25

…-data, shell-quote, esbuild)

The first commit cleared the four Aikido alerts, but the CI `audit` job
(`pnpm audit --prod`) surfaces a pre-existing 2026 advisory backlog across
the examples — latent on main because CI only audits changed examples.
This clears every audit gate:

- ws -> 8.21.0: a second advisory (memory-exhaustion DoS) requires
  >=8.21.0, above the 8.20.1 Aikido fix. 7.x line -> 7.5.11.
- form-data -> 4.0.6 / 3.0.5 (high-gate examples that resolve it in prod).
- shell-quote -> 1.8.4 (with-react, with-react-native; matches the pin
  with-crossmint already carries).
- esbuild -> 0.28.1 (with-web3-onboard prod tree).

The form-data and esbuild patches are <7 days old, so the affected
packages (including the platform-specific @esbuild/*) are added to
minimumReleaseAgeExclude. Override keys are quoted for consistency
(addresses automated review feedback).

Verified locally: every example passes `pnpm audit --prod` at its CI gate
level, and builds pass (incl. web3-onboard with esbuild 0.28.1).

https://claude.ai/code/session_01CaVCXJd9wtcjwjXTizs6b1
@yosriady yosriady merged commit bfd16e7 into main Jun 16, 2026
38 checks passed