Skip to content

security: vulnerability remediation#114

Open
kernel-internal[bot] wants to merge 1 commit into
mainfrom
security/vuln-remediation
Open

security: vulnerability remediation#114
kernel-internal[bot] wants to merge 1 commit into
mainfrom
security/vuln-remediation

Conversation

@kernel-internal

@kernel-internal kernel-internal Bot commented Jun 3, 2026
edited by cursor Bot
Loading

Copy link
Copy Markdown

Vulnerability Remediation

This PR was generated by the Socket-centric vulnerability remediation workflow. Review the planned dependency changes and confirmation evidence before merging.

Fixed

CVE/GHSA Package Ecosystem Old Version New Version Manifest Confirmation
GHSA-25h7-pfq9-p65f eslint, flatted None 9.39.1 3.4.2 confirmed

Not Included

  • Deferred by batch limit: 4 advisories. They will be considered by future runs.
  • Other deferred scanner findings: 2.
  • Unconfirmed attempted fixes: 0.
Deferred details
CVE/GHSA Package Reason
Unavailable from detector commander Non-CVE alert is not handled by dependency remediation.
Unavailable from detector highlight.js Non-CVE alert is not handled by dependency remediation.

Note

Low Risk
Lockfile-only transitive dependency patch with no app code changes; typical low blast radius aside from routine dependency behavior in ESLint/flat-cache paths.

Overview
Security remediation for GHSA-25h7-pfq9-p65f by bumping the transitive dependency flatted in yarn.lock from 3.3.2 to 3.4.0 (still satisfying flat-cache’s ^3.2.9 range). No application source or direct package.json manifest changes appear in the diff—only the lockfile resolution/integrity for flatted.

Reviewed by Cursor Bugbot for commit 006f144. Bugbot is set up for automated code reviews on this repo. Configure here.

@kernel-internal kernel-internal Bot requested a review from ulziibay-kernel June 3, 2026 04:34
@firetiger-agent

firetiger-agent Bot commented Jun 3, 2026

Copy link
Copy Markdown

Created a monitoring plan for this PR.

What this PR does: Upgrades the flatted devDependency (used by ESLint's internal cache) from 3.3.2 to 3.4.0 to remediate a security advisory — no change to the published SDK or its consumers.

Intended effect:

  • Security advisory clearance: baseline — advisory flagged on flatted < 3.4.0; confirmed if yarn audit / socket.yml scan reports it resolved after this merge.
  • CI pipeline: baseline — lint/build/test passing; confirmed if the pipeline continues passing with no new failures.

Risks:

  • CI lint breakage — if flatted 3.4.0 introduces a breaking change for flat-cache, ESLint could fail in CI; alert if the CI lint step fails post-merge.
  • No production service, API, or runtime risk — flatted is not included in the published npm package (@onkernel/sdk has zero runtime dependencies).

Status updates will be posted automatically on this PR as monitoring progresses.

View monitor

@kernel-internal kernel-internal Bot force-pushed the security/vuln-remediation branch from f9545f1 to 006f144 Compare June 10, 2026 04:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ulziibay-kernel ulziibay-kernel Awaiting requested review from ulziibay-kernel

At least 1 approving review is required to merge this pull request.

Assignees

@ulziibay-kernel ulziibay-kernel

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ulziibay-kernel