From 63478976bf8e95b1d9d5f5b04b2ad6db5785ffc4 Mon Sep 17 00:00:00 2001
From: AviPeltz
Date: Wed, 13 May 2026 02:35:39 -0700
Subject: [PATCH 1/2] chore(deps): bump simple-git to 3.36.0 to patch GHSA-hffm-xvc3-vprc

Closes Dependabot alerts #65 and #139 (RCE via --config option injection). Current call sites pass static option arrays, so exposure was theoretical, but bumping is defense-in-depth.
---
 apps/desktop/package.json | 2 +-
 bun.lock | 10 +++++++---
 packages/host-service/package.json | 2 +-
 3 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/apps/desktop/package.json b/apps/desktop/package.json
index 3dbb9b71f61..3baf2512298 100644
--- a/apps/desktop/package.json
+++ b/apps/desktop/package.json
@@ -225,7 +225,7 @@
 "shell-env": "4.0.3",
 "shell-quote": "1.8.3",
 "shiki": "3.23.0",
- "simple-git": "3.33.0",
+ "simple-git": "3.36.0",
 "streamdown": "2.5.0",
 "strip-ansi": "7.2.0",
 "superjson": "2.2.6",
diff --git a/bun.lock b/bun.lock
index 2249ed0cb80..fc710030c65 100644
--- a/bun.lock
+++ b/bun.lock
@@ -301,7 +301,7 @@
 "shell-env": "4.0.3",
 "shell-quote": "1.8.3",
 "shiki": "3.23.0",
- "simple-git": "3.33.0",
+ "simple-git": "3.36.0",
 "streamdown": "2.5.0",
 "strip-ansi": "7.2.0",
 "superjson": "2.2.6",
@@ -790,7 +790,7 @@
 "mime-types": "3.0.2",
 "node-pty": "1.1.0",
 "semver": "7.7.4",
- "simple-git": "3.33.0",
+ "simple-git": "3.36.0",
 "superjson": "2.2.6",
 "tree-kill": "1.2.2",
 "zod": "4.3.6",
@@ -2560,6 +2560,10 @@
 "@shikijs/vscode-textmate": ["@shikijs/vscode-textmate@10.0.2", "", {}, "sha512-83yeghZ2xxin3Nj8z1NMd/NCuca+gsYXswywDy5bHvwlWL8tpTQmzGeUuHd9FC3E/SBEMvzJRwWEOz5gGes9Qg=="],
+ "@simple-git/args-pathspec": ["@simple-git/args-pathspec@1.0.3", "", {}, "sha512-ngJMaHlsWDTfjyq9F3VIQ8b7NXbBLq5j9i5bJ6XLYtD6qlDXT7fdKY2KscWWUF8t18xx052Y/PUO1K1TRc9yKA=="],
+
+ "@simple-git/argv-parser": ["@simple-git/argv-parser@1.1.1", "", { "dependencies": { "@simple-git/args-pathspec": "^1.0.3" } }, "sha512-Q9lBcfQ+VQCpQqGJFHe5yooOS5hGdLFFbJ5R+R5aDsnkPCahtn1hSkMcORX65J2Z5lxSkD0lQorMsncuBQxYUw=="],
+
 "@sinclair/typebox": ["@sinclair/typebox@0.27.10", "", {}, "sha512-MTBk/3jGLNB2tVxv6uLlFh1iu64iYOQ2PbdOSK3NW8JZsmlaOh2q6sdtKowBhfw8QFLmYNzTW4/oK4uATIi6ZA=="],
 "@sindresorhus/is": ["@sindresorhus/is@4.6.0", "", {}, "sha512-t09vSN3MdfsyCHoFcTRCH/iUtG7OJ0CsjzB8cjAmKc/va/kIgeDI/TxsigdncE/4be734m0cvIYwNaV4i2XqAw=="],
@@ -5652,7 +5656,7 @@
 "simple-get": ["simple-get@4.0.1", "", { "dependencies": { "decompress-response": "^6.0.0", "once": "^1.3.1", "simple-concat": "^1.0.0" } }, "sha512-brv7p5WgH0jmQJr1ZDDfKDOSeWWg+OVypG99A/5vYGPqJ6pxiaHLy8nxtFjBA7oMa01ebA9gfh1uMCFqOuXxvA=="],
- "simple-git": ["simple-git@3.33.0", "", { "dependencies": { "@kwsites/file-exists": "^1.1.1", "@kwsites/promise-deferred": "^1.1.1", "debug": "^4.4.0" } }, "sha512-D4V/tGC2sjsoNhoMybKyGoE+v8A60hRawKQ1iFRA1zwuDgGZCBJ4ByOzZ5J8joBbi4Oam0qiPH+GhzmSBwbJng=="],
+ "simple-git": ["simple-git@3.36.0", "", { "dependencies": { "@kwsites/file-exists": "^1.1.1", "@kwsites/promise-deferred": "^1.1.1", "@simple-git/args-pathspec": "^1.0.3", "@simple-git/argv-parser": "^1.1.0", "debug": "^4.4.0" } }, "sha512-cGQjLjK8bxJw4QuYT7gxHw3/IouVESbhahSsHrX97MzCL1gu2u7oy38W6L2ZIGECEfIBG4BabsWDPjBxJENv9Q=="],
 "simple-plist": ["simple-plist@1.3.1", "", { "dependencies": { "bplist-creator": "0.1.0", "bplist-parser": "0.3.1", "plist": "^3.0.5" } }, "sha512-iMSw5i0XseMnrhtIzRb7XpQEXepa9xhWxGUojHBL43SIpQuDQkh3Wpy67ZbDzZVr6EKxvwVChnVpdl8hEVLDiw=="],
diff --git a/packages/host-service/package.json b/packages/host-service/package.json
index 871210f4c45..1af652e0a51 100644
--- a/packages/host-service/package.json
+++ b/packages/host-service/package.json
@@ -77,7 +77,7 @@
 "mime-types": "3.0.2",
 "node-pty": "1.1.0",
 "semver": "7.7.4",
- "simple-git": "3.33.0",
+ "simple-git": "3.36.0",
 "superjson": "2.2.6",
 "tree-kill": "1.2.2",
 "zod": "4.3.6"

From 2271b7658fc72db6fd7663f4b49d3f5e6c9a0d9f Mon Sep 17 00:00:00 2001
From: AviPeltz
Date: Wed, 13 May 2026 02:38:53 -0700
Subject: [PATCH 2/2] chore(deps): bump next 16.2.1 -> 16.2.6 across all apps

16.2.6 patches every flagged Next.js Dependabot CVE, including the proxy/middleware bypass advisories (GHSA-26hh-7cqf-hhc6, etc.) that matter most given web/admin/api enforce auth via proxy.ts. Patch-level bump, no breaking changes in the 16.2.x range.
---
 apps/admin/package.json | 2 +-
 apps/api/package.json | 2 +-
 apps/docs/package.json | 2 +-
 apps/marketing/package.json | 2 +-
 apps/web/package.json | 2 +-
 bun.lock | 30 +++++++++++++++---------------
 6 files changed, 20 insertions(+), 20 deletions(-)

diff --git a/apps/admin/package.json b/apps/admin/package.json
index 78a51f46710..1dbf6257eed 100644
--- a/apps/admin/package.json
+++ b/apps/admin/package.json
@@ -27,7 +27,7 @@
 "date-fns": "4.1.0",
 "drizzle-orm": "0.45.2",
 "import-in-the-middle": "2.0.1",
- "next": "16.2.1",
+ "next": "16.2.6",
 "next-themes": "0.4.6",
 "posthog-js": "1.310.1",
 "react": "19.2.0",
diff --git a/apps/api/package.json b/apps/api/package.json
index 43e278d973a..2fb057d5453 100644
--- a/apps/api/package.json
+++ b/apps/api/package.json
@@ -41,7 +41,7 @@
 "import-in-the-middle": "2.0.1",
 "jose": "6.2.2",
 "lodash.chunk": "4.2.0",
- "next": "16.2.1",
+ "next": "16.2.6",
 "posthog-node": "5.28.8",
 "react": "19.2.0",
 "react-dom": "19.2.0",
diff --git a/apps/docs/package.json b/apps/docs/package.json
index 97b8f6da96b..1a87c86e434 100644
--- a/apps/docs/package.json
+++ b/apps/docs/package.json
@@ -23,7 +23,7 @@
 "fumadocs-mdx": "14.2.5",
 "fumadocs-ui": "16.4.7",
 "lucide-react": "0.563.0",
- "next": "16.2.1",
+ "next": "16.2.6",
 "posthog-js": "1.310.1",
 "react": "19.2.0",
 "react-dom": "19.2.0",
diff --git a/apps/marketing/package.json b/apps/marketing/package.json
index f45e3cfa415..b7910745211 100644
--- a/apps/marketing/package.json
+++ b/apps/marketing/package.json
@@ -25,7 +25,7 @@
 "gray-matter": "4.0.3",
 "import-in-the-middle": "2.0.1",
 "lucide-react": "0.563.0",
- "next": "16.2.1",
+ "next": "16.2.6",
 "next-mdx-remote": "6.0.0",
 "next-themes": "0.4.6",
 "posthog-js": "1.310.1",
diff --git a/apps/web/package.json b/apps/web/package.json
index c66d71ea73d..76d059b6b00 100644
--- a/apps/web/package.json
+++ b/apps/web/package.json
@@ -32,7 +32,7 @@
 "import-in-the-middle": "2.0.1",
 "jose": "6.2.2",
 "lucide-react": "0.563.0",
- "next": "16.2.1",
+ "next": "16.2.6",
 "next-themes": "0.4.6",
 "posthog-js": "1.310.1",
 "posthog-node": "5.28.8",
diff --git a/bun.lock b/bun.lock
index fc710030c65..b6e9dc6c0d2 100644
--- a/bun.lock
+++ b/bun.lock
@@ -31,7 +31,7 @@
 "date-fns": "4.1.0",
 "drizzle-orm": "0.45.2",
 "import-in-the-middle": "2.0.1",
- "next": "16.2.1",
+ "next": "16.2.6",
 "next-themes": "0.4.6",
 "posthog-js": "1.310.1",
 "react": "19.2.0",
@@ -89,7 +89,7 @@
 "import-in-the-middle": "2.0.1",
 "jose": "6.2.2",
 "lodash.chunk": "4.2.0",
- "next": "16.2.1",
+ "next": "16.2.6",
 "posthog-node": "5.28.8",
 "react": "19.2.0",
 "react-dom": "19.2.0",
@@ -367,7 +367,7 @@
 "fumadocs-mdx": "14.2.5",
 "fumadocs-ui": "16.4.7",
 "lucide-react": "0.563.0",
- "next": "16.2.1",
+ "next": "16.2.6",
 "posthog-js": "1.310.1",
 "react": "19.2.0",
 "react-dom": "19.2.0",
@@ -420,7 +420,7 @@
 "gray-matter": "4.0.3",
 "import-in-the-middle": "2.0.1",
 "lucide-react": "0.563.0",
- "next": "16.2.1",
+ "next": "16.2.6",
 "next-mdx-remote": "6.0.0",
 "next-themes": "0.4.6",
 "posthog-js": "1.310.1",
@@ -598,7 +598,7 @@
 "import-in-the-middle": "2.0.1",
 "jose": "6.2.2",
 "lucide-react": "0.563.0",
- "next": "16.2.1",
+ "next": "16.2.6",
 "next-themes": "0.4.6",
 "posthog-js": "1.310.1",
 "posthog-node": "5.28.8",
@@ -1934,23 +1934,23 @@ "@neondatabase/serverless": ["@neondatabase/serverless@1.0.2", "", { "dependencies": { "@types/node": "^22.15.30", "@types/pg": "^8.8.0" } }, "sha512-I5sbpSIAHiB+b6UttofhrN/UJXII+4tZPAq1qugzwCwLIL8EZLV7F/JyHUrEIiGgQpEXzpnjlJ+zwcEhheGvCw=="], - "@next/env": ["@next/env@16.2.1", "", {}, "sha512-n8P/HCkIWW+gVal2Z8XqXJ6aB3J0tuM29OcHpCsobWlChH/SITBs1DFBk/HajgrwDkqqBXPbuUuzgDvUekREPg=="], + "@next/env": ["@next/env@16.2.6", "", {}, "sha512-gd8HoHN4ufj73WmR3JmVolrpJR47ILK6LouP5xElPglaVxir6e1a7VzvTvDWkOoPXT9rkkTzyCxBu4yeZfZwcw=="], - "@next/swc-darwin-arm64": ["@next/swc-darwin-arm64@16.2.1", "", { "os": "darwin", "cpu": "arm64" }, "sha512-BwZ8w8YTaSEr2HIuXLMLxIdElNMPvY9fLqb20LX9A9OMGtJilhHLbCL3ggyd0TwjmMcTxi0XXt+ur1vWUoxj2Q=="], + "@next/swc-darwin-arm64": ["@next/swc-darwin-arm64@16.2.6", "", { "os": "darwin", "cpu": "arm64" }, "sha512-ZJGkkcNfYgrrMkqOdZ7zoLa1TOy0qpcMfk/z4Mh/FKUz40gVO+HNQWqmLxf67Z5WB64DRp0dhEbyHfel+6sJUg=="], - "@next/swc-darwin-x64": ["@next/swc-darwin-x64@16.2.1", "", { "os": "darwin", "cpu": "x64" }, "sha512-/vrcE6iQSJq3uL3VGVHiXeaKbn8Es10DGTGRJnRZlkNQQk3kaNtAJg8Y6xuAlrx/6INKVjkfi5rY0iEXorZ6uA=="], + "@next/swc-darwin-x64": ["@next/swc-darwin-x64@16.2.6", "", { "os": "darwin", "cpu": "x64" }, "sha512-v/YLBHIY132Ced3puBJ7YJKw1lqsCrgcNo2aRJlCEyQrrCeRJlvGlnmxhPxNQI3KE3N1DN5r9TPNPvka3nq5RQ=="], - "@next/swc-linux-arm64-gnu": ["@next/swc-linux-arm64-gnu@16.2.1", "", { "os": "linux", "cpu": "arm64" }, "sha512-uLn+0BK+C31LTVbQ/QU+UaVrV0rRSJQ8RfniQAHPghDdgE+SlroYqcmFnO5iNjNfVWCyKZHYrs3Nl0mUzWxbBw=="], + "@next/swc-linux-arm64-gnu": ["@next/swc-linux-arm64-gnu@16.2.6", "", { "os": "linux", "cpu": "arm64" }, "sha512-RPOvqlYBbcQjkz9VQQDZ2T2bARIjXZV1KFlt+V2Mr6SW/e4I9fcKsaA0hdyf2FHoTlsV2xnBd5Y912rP/1Ce6w=="], - "@next/swc-linux-arm64-musl": ["@next/swc-linux-arm64-musl@16.2.1", "", { "os": "linux", "cpu": "arm64" }, "sha512-ssKq6iMRnHdnycGp9hCuGnXJZ0YPr4/wNwrfE5DbmvEcgl9+yv97/Kq3TPVDfYome1SW5geciLB9aiEqKXQjlQ=="], + 
"@next/swc-linux-arm64-musl": ["@next/swc-linux-arm64-musl@16.2.6", "", { "os": "linux", "cpu": "arm64" }, "sha512-URUTu1+dMkxJsPFgm+OeEvq9wf5sujw0EvgYy80TDGHTSLTnIHeqb0Eu8A3sC95IRgjejQL+kC4mw+4yPxiAXA=="], - "@next/swc-linux-x64-gnu": ["@next/swc-linux-x64-gnu@16.2.1", "", { "os": "linux", "cpu": "x64" }, "sha512-HQm7SrHRELJ30T1TSmT706IWovFFSRGxfgUkyWJZF/RKBMdbdRWJuFrcpDdE5vy9UXjFOx6L3mRdqH04Mmx0hg=="], + "@next/swc-linux-x64-gnu": ["@next/swc-linux-x64-gnu@16.2.6", "", { "os": "linux", "cpu": "x64" }, "sha512-DOj182mPV8G3UkrayLoREM5YEYI+Dk5wv7Ox9xl1fFibAELEsFD0lDPfHIeILlutMMfdyhlzYPELG3peuKaurw=="], - "@next/swc-linux-x64-musl": ["@next/swc-linux-x64-musl@16.2.1", "", { "os": "linux", "cpu": "x64" }, "sha512-aV2iUaC/5HGEpbBkE+4B8aHIudoOy5DYekAKOMSHoIYQ66y/wIVeaRx8MS2ZMdxe/HIXlMho4ubdZs/J8441Tg=="], + "@next/swc-linux-x64-musl": ["@next/swc-linux-x64-musl@16.2.6", "", { "os": "linux", "cpu": "x64" }, "sha512-HKQ5SP/V/ub73UvF7n/zeJlxk2kLmtL7Wzrg4WfmkjmNos5onJ2tKu7yZOPdL18A6Svfn3max29ym+ry7NkK4g=="], - "@next/swc-win32-arm64-msvc": ["@next/swc-win32-arm64-msvc@16.2.1", "", { "os": "win32", "cpu": "arm64" }, "sha512-IXdNgiDHaSk0ZUJ+xp0OQTdTgnpx1RCfRTalhn3cjOP+IddTMINwA7DXZrwTmGDO8SUr5q2hdP/du4DcrB1GxA=="], + "@next/swc-win32-arm64-msvc": ["@next/swc-win32-arm64-msvc@16.2.6", "", { "os": "win32", "cpu": "arm64" }, "sha512-LZXpTlPyS5v7HhSmnvsLGP3iIYgYOBnc8r8ArlT55sGHV89bR2HlDdBjWQ+PY6SJMmk8TuVGFuxalnP3k/0Dwg=="], - "@next/swc-win32-x64-msvc": ["@next/swc-win32-x64-msvc@16.2.1", "", { "os": "win32", "cpu": "x64" }, "sha512-qvU+3a39Hay+ieIztkGSbF7+mccbbg1Tk25hc4JDylf8IHjYmY/Zm64Qq1602yPyQqvie+vf5T/uPwNxDNIoeg=="], + "@next/swc-win32-x64-msvc": ["@next/swc-win32-x64-msvc@16.2.6", "", { "os": "win32", "cpu": "x64" }, "sha512-F0+4i0h9J6C4eE3EAPWsoCk7UW/dbzOjyzxY0qnDUOYFu6FFmdZ6l97/XdV3/Nz3VYyO7UWjyEJUXkGqcoXfMA=="], "@noble/ciphers": ["@noble/ciphers@2.1.1", "", {}, "sha512-bysYuiVfhxNJuldNXlFEitTVdNnYUc+XNJZd7Qm2a5j1vZHgY+fazadNFWFaMK/2vye0JVlxV3gHmC0WDfAOQw=="], 
@@ -4946,7 +4946,7 @@ "neverthrow": ["neverthrow@7.2.0", "", {}, "sha512-iGBUfFB7yPczHHtA8dksKTJ9E8TESNTAx1UQWW6TzMF280vo9jdPYpLUXrMN1BCkPdHFdNG3fxOt2CUad8KhAw=="], - "next": ["next@16.2.1", "", { "dependencies": { "@next/env": "16.2.1", "@swc/helpers": "0.5.15", "baseline-browser-mapping": "^2.9.19", "caniuse-lite": "^1.0.30001579", "postcss": "8.4.31", "styled-jsx": "5.1.6" }, "optionalDependencies": { "@next/swc-darwin-arm64": "16.2.1", "@next/swc-darwin-x64": "16.2.1", "@next/swc-linux-arm64-gnu": "16.2.1", "@next/swc-linux-arm64-musl": "16.2.1", "@next/swc-linux-x64-gnu": "16.2.1", "@next/swc-linux-x64-musl": "16.2.1", "@next/swc-win32-arm64-msvc": "16.2.1", "@next/swc-win32-x64-msvc": "16.2.1", "sharp": "^0.34.5" }, "peerDependencies": { "@opentelemetry/api": "^1.1.0", "@playwright/test": "^1.51.1", "babel-plugin-react-compiler": "*", "react": "^18.2.0 || 19.0.0-rc-de68d2f4-20241204 || ^19.0.0", "react-dom": "^18.2.0 || 19.0.0-rc-de68d2f4-20241204 || ^19.0.0", "sass": "^1.3.0" }, "optionalPeers": ["@opentelemetry/api", "@playwright/test", "babel-plugin-react-compiler", "sass"], "bin": { "next": "dist/bin/next" } }, "sha512-VaChzNL7o9rbfdt60HUj8tev4m6d7iC1igAy157526+cJlXOQu5LzsBXNT+xaJnTP/k+utSX5vMv7m0G+zKH+Q=="], + "next": ["next@16.2.6", "", { "dependencies": { "@next/env": "16.2.6", "@swc/helpers": "0.5.15", "baseline-browser-mapping": "^2.9.19", "caniuse-lite": "^1.0.30001579", "postcss": "8.4.31", "styled-jsx": "5.1.6" }, "optionalDependencies": { "@next/swc-darwin-arm64": "16.2.6", "@next/swc-darwin-x64": "16.2.6", "@next/swc-linux-arm64-gnu": "16.2.6", "@next/swc-linux-arm64-musl": "16.2.6", "@next/swc-linux-x64-gnu": "16.2.6", "@next/swc-linux-x64-musl": "16.2.6", "@next/swc-win32-arm64-msvc": "16.2.6", "@next/swc-win32-x64-msvc": "16.2.6", "sharp": "^0.34.5" }, "peerDependencies": { "@opentelemetry/api": "^1.1.0", "@playwright/test": "^1.51.1", "babel-plugin-react-compiler": "*", "react": "^18.2.0 || 19.0.0-rc-de68d2f4-20241204 || ^19.0.0", 
"react-dom": "^18.2.0 || 19.0.0-rc-de68d2f4-20241204 || ^19.0.0", "sass": "^1.3.0" }, "optionalPeers": ["@opentelemetry/api", "@playwright/test", "babel-plugin-react-compiler", "sass"], "bin": { "next": "dist/bin/next" } }, "sha512-qOVgKJg1+At15NpeUP+eJgCHvTCgXsogweq87Ri/Ix7PkqQHg4sdaXmSFqKlgaIXE4kW0g25LE68W87UANlHtw=="], "next-mdx-remote": ["next-mdx-remote@6.0.0", "", { "dependencies": { "@babel/code-frame": "^7.23.5", "@mdx-js/mdx": "^3.0.1", "@mdx-js/react": "^3.0.1", "unist-util-remove": "^4.0.0", "unist-util-visit": "^5.1.0", "vfile": "^6.0.1", "vfile-matter": "^5.0.0" }, "peerDependencies": { "react": ">=16" } }, "sha512-cJEpEZlgD6xGjB4jL8BnI8FaYdN9BzZM4NwadPe1YQr7pqoWjg9EBCMv3nXBkuHqMRfv2y33SzUsuyNh9LFAQQ=="],