
build(deps): bump ui dependencies to clear security advisories#2493

Merged
SamMorrowDrums merged 3 commits into main from sammorrowdrums/bump-ui-deps-security on May 18, 2026

Conversation

@SamMorrowDrums

Collaborator

What

Bumps @modelcontextprotocol/ext-apps from ^1.0.0 to ^1.7.2 (which pulls in newer @modelcontextprotocol/sdk and hono), and runs npm audit fix to update the transitive vite/rollup/postcss/picomatch/lodash chain.

Why

Closes the security advisories surfaced on the Dependabot alerts page that are reachable only through /ui build deps:

  • hono: GHSA-xh87-mx6m-69f3 + the SSR/cookie/serveStatic family (≈15 alerts)
  • fast-uri: path-traversal / host-confusion
  • ip-address, express-rate-limit, path-to-regexp, picomatch, lodash
  • vite path-traversal + dev-server WebSocket file-read
  • rollup arbitrary file write
  • postcss XSS

After the bump, npm audit reports 0 vulnerabilities.

Code-change impact

None required. The @modelcontextprotocol/ext-apps React API we consume in ui/src/hooks/useMcpApp.ts (useApp, App, ontoolresult, ontoolinput) is unchanged between 1.0.x and 1.7.x.

Verification

  • npm audit → found 0 vulnerabilities
  • npm run typecheck → clean
  • script/build-ui → all three apps (get-me, issue-write, pr-write) build successfully with vite 6.4.2

Only the build-time UI dep tree changed; nothing in the runtime distroless image is affected.
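The verification step above gates on `npm audit` reporting 0 vulnerabilities. The following is an added example, not code from this PR or from the project, of turning that into a CI check that consumes `npm audit --json` (the `auditReportVersion: 2` format npm 7 and later emit) and, for every remaining advisory at or above a chosen severity, reports whether the vulnerable package is a direct dependency and which packages it is reached through. That is the information a reviewer needs to confirm a claim like "reachable only through /ui build deps". The two reports embedded below are constructed samples; the ext-apps → sdk → hono chain is modelled on the PR description's wording and is not taken from the actual lockfile, the severities are illustrative, and `constructed-low-pkg` is a placeholder package used only to show the threshold.

```javascript
// Added example (not part of the PR or the project): gate CI on
// `npm audit --json` output and explain how each remaining advisory is reached.
// Assumes the auditReportVersion 2 format (npm >= 7).

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Return every entry at or above `minSeverity`, with how it is reached:
// `advisories` lists GHSA ids when the package itself is vulnerable,
// `reachedThrough` lists the dependencies that make it vulnerable otherwise.
function auditGate(report, minSeverity = "moderate") {
  if (report.auditReportVersion !== 2) {
    throw new Error("expected npm audit report version 2 (npm >= 7)");
  }
  const threshold = SEVERITY_RANK[minSeverity];
  if (threshold === undefined) throw new Error(`unknown severity: ${minSeverity}`);

  const failing = [];
  for (const vuln of Object.values(report.vulnerabilities || {})) {
    if ((SEVERITY_RANK[vuln.severity] ?? 0) < threshold) continue;
    // `via` mixes advisory objects (this package is vulnerable) and bare
    // package names (it is vulnerable only because a dependency is).
    const via = vuln.via || [];
    failing.push({
      name: vuln.name,
      severity: vuln.severity,
      isDirect: Boolean(vuln.isDirect),
      advisories: via
        .filter((v) => typeof v === "object")
        .map((a) => a.url.split("/").pop()), // e.g. "GHSA-xh87-mx6m-69f3"
      reachedThrough: via.filter((v) => typeof v === "string"),
      fixAvailable: vuln.fixAvailable !== false, // npm sets false when no fix exists
    });
  }
  return { ok: failing.length === 0, failing, total: report.metadata.vulnerabilities.total };
}

// Render the gate result as the lines a CI log would show.
function summarize(result) {
  if (result.ok) return [`npm audit: ${result.total} vulnerabilities, gate passed`];
  return result.failing.map((f) => {
    const how = f.advisories.length
      ? `advisories ${f.advisories.join(", ")}`
      : `reached via ${f.reachedThrough.join(", ")}`;
    const kind = f.isDirect ? "direct" : "transitive";
    return `${f.severity.padEnd(8)} ${f.name} (${kind}): ${how}${f.fixAvailable ? "" : " [no fix available]"}`;
  });
}

// Constructed sample: the shape of a pre-bump report. The hono advisory id is
// the one named in the PR; the chain and severities are illustrative only.
const ADVISORY_URL = "https://github.com/advisories/GHSA-xh87-mx6m-69f3";
const BEFORE = {
  auditReportVersion: 2,
  vulnerabilities: {
    hono: {
      name: "hono", severity: "high", isDirect: false,
      via: [{ source: 1, name: "hono", dependency: "hono", title: "(constructed sample)", url: ADVISORY_URL, severity: "high" }],
      effects: ["@modelcontextprotocol/sdk"], nodes: ["node_modules/hono"], fixAvailable: true,
    },
    "@modelcontextprotocol/sdk": {
      name: "@modelcontextprotocol/sdk", severity: "high", isDirect: false,
      via: ["hono"], effects: ["@modelcontextprotocol/ext-apps"],
      nodes: ["node_modules/@modelcontextprotocol/sdk"], fixAvailable: true,
    },
    "@modelcontextprotocol/ext-apps": {
      name: "@modelcontextprotocol/ext-apps", severity: "high", isDirect: true,
      via: ["@modelcontextprotocol/sdk"], effects: [],
      nodes: ["node_modules/@modelcontextprotocol/ext-apps"], fixAvailable: true,
    },
    "constructed-low-pkg": {
      name: "constructed-low-pkg", severity: "low", isDirect: false,
      via: [{ source: 2, name: "constructed-low-pkg", dependency: "constructed-low-pkg", title: "(constructed sample)", url: "https://github.com/advisories/GHSA-0000-0000-0000", severity: "low" }],
      effects: [], nodes: ["node_modules/constructed-low-pkg"], fixAvailable: false,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 3, critical: 0, total: 4 } },
};

// Constructed sample: what a clean post-bump report looks like.
const AFTER = {
  auditReportVersion: 2,
  vulnerabilities: {},
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 0, high: 0, critical: 0, total: 0 } },
};

for (const line of summarize(auditGate(BEFORE, "moderate"))) console.log(line);
for (const line of summarize(auditGate(AFTER))) console.log(line);
```

In a pipeline the report would come from `npm audit --json > audit.json` in the `ui/` directory, with the script reading that file, calling `auditGate` and setting a non-zero exit code when `ok` is false. Gating at `moderate` rather than on `total` alone keeps low-severity build-tool advisories with no available fix from blocking every PR while still failing on the classes listed in this PR.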

Bumps @modelcontextprotocol/ext-apps from ^1.0.0 to ^1.7.2 (which pulls
in newer @modelcontextprotocol/sdk and hono), and runs npm audit fix to
update the transitive vite/rollup/postcss/picomatch/lodash chain.

Closes the following GHSAs (all reachable only through /ui build deps):
- hono: GHSA-xh87-mx6m-69f3, and the SSR/cookie/serveStatic family
- fast-uri: GHSA path-traversal/host-confusion
- ip-address, express-rate-limit, path-to-regexp, picomatch
- vite path-traversal + dev-server WebSocket file-read
- rollup arbitrary file write, postcss XSS, lodash prototype pollution

No source changes required: the ext-apps React API we consume
(useApp / App / ontoolresult / ontoolinput) is unchanged; typecheck
and the full vite build pass.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings May 18, 2026 14:21
@SamMorrowDrums SamMorrowDrums requested a review from a team as a code owner May 18, 2026 14:21

Copilot AI left a comment

Contributor


Pull request overview

This PR updates the /ui build-time dependency tree to clear Dependabot security advisories by bumping @modelcontextprotocol/ext-apps and applying the resulting transitive upgrades (vite/rollup/postcss/picomatch/lodash, etc.). The change is scoped to UI build dependencies and is intended to leave runtime server behavior unchanged.

Changes:

  • Bump @modelcontextprotocol/ext-apps from ^1.0.0 to ^1.7.2.
  • Update ui/package-lock.json to reflect the new resolved dependency graph and patched transitive versions.
Summary per file:
  • ui/package.json: Updates the UI dependency on @modelcontextprotocol/ext-apps to a newer version.
  • ui/package-lock.json: Refreshes the lockfile with updated direct/transitive package versions pulled in by the bump/audit fix.

Copilot's findings

Files not reviewed (1)
  • ui/package-lock.json: Language not supported
  • Files reviewed: 1/2 changed files
  • Comments generated: 1
SamMorrowDrums and others added 2 commits May 18, 2026 17:58
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Use the v1.7.0 useApp options to:
- autoResize iframes to content height (helps issue-write/pr-write/get-me
  surfaces which all render variable-height forms and result cards)
- enable strict handshake-ordering checks in development builds so any
  out-of-order handler registration surfaces immediately

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@SamMorrowDrums SamMorrowDrums merged commit 0ef8f97 into main May 18, 2026
17 checks passed
@SamMorrowDrums SamMorrowDrums deleted the sammorrowdrums/bump-ui-deps-security branch May 18, 2026 19:38
