Skip to content

feat: Fix msgscan Dependabot security alerts#89

Merged
fewensa merged 1 commit into
mainfrom
hbx-1100-fix-msgscan-dependabot-security-alerts
Jul 2, 2026
Merged

feat: Fix msgscan Dependabot security alerts#89
fewensa merged 1 commit into
mainfrom
hbx-1100-fix-msgscan-dependabot-security-alerts

Conversation

@fewensa

@fewensa fewensa commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Focused dependency security refresh for msgscan. Upgraded Next.js, Vitest, Fastify proxy dependencies, refreshed the pnpm lockfile, added narrow pnpm overrides for vulnerable transitive packages, and adjusted the message query hook for the updated TanStack lint rule. Local audit reports no known vulnerabilities and build, lint, tests, frozen install, and indexer build pass.

Source References

Related Dependabot security alerts:

Metadata

version: 1
issue: https://plane.kahub.in/endless/browse/HBX-1100/
work_kind: code_work
branch: hbx-1100-fix-msgscan-dependabot-security-alerts
base: main
commit: 46e4b4995c4faf4ed8bcd73f684c506d91899636
source_references:
  - kind: plane_issue
    canonical: https://plane.kahub.in/endless/browse/HBX-1100/
    url: https://plane.kahub.in/endless/browse/HBX-1100/
    close_policy: link_only
  - kind: github_dependabot_alert_dashboard
    canonical: https://github.com/ringecosystem/msgscan/security/dependabot
    url: https://github.com/ringecosystem/msgscan/security/dependabot
    close_policy: link_only
  - kind: github_dependabot_alert
    canonical: https://github.com/ringecosystem/msgscan/security/dependabot/87
    url: https://github.com/ringecosystem/msgscan/security/dependabot/87
    github_repository: ringecosystem/msgscan
    number: 87
    close_policy: reference_only
    note: Lockfile now resolves @fastify/express to 4.0.7, above the patched 4.0.3 requirement.
  - kind: github_dependabot_alert
    canonical: https://github.com/ringecosystem/msgscan/security/dependabot/159
    url: https://github.com/ringecosystem/msgscan/security/dependabot/159
    github_repository: ringecosystem/msgscan
    number: 159
    close_policy: reference_only
    note: Lockfile now resolves @fastify/express to 4.0.7, above the patched 4.0.5 requirement.
  - kind: github_dependabot_alert
    canonical: https://github.com/ringecosystem/msgscan/security/dependabot/160
    url: https://github.com/ringecosystem/msgscan/security/dependabot/160
    github_repository: ringecosystem/msgscan
    number: 160
    close_policy: reference_only
    note: Lockfile now resolves @fastify/express to 4.0.7, above the patched 4.0.5 requirement.
  - kind: github_dependabot_alert
    canonical: https://github.com/ringecosystem/msgscan/security/dependabot/162
    url: https://github.com/ringecosystem/msgscan/security/dependabot/162
    github_repository: ringecosystem/msgscan
    number: 162
    close_policy: reference_only
    note: Lockfile now resolves @fastify/http-proxy to 11.5.0, above the patched 11.4.4 requirement.
  - kind: github_dependabot_alert
    canonical: https://github.com/ringecosystem/msgscan/security/dependabot/161
    url: https://github.com/ringecosystem/msgscan/security/dependabot/161
    github_repository: ringecosystem/msgscan
    number: 161
    close_policy: reference_only
    note: Lockfile now resolves @fastify/reply-from to 12.6.2, satisfying the patched requirement.
  - kind: github_dependabot_alert
    canonical: https://github.com/ringecosystem/msgscan/security/dependabot/111
    url: https://github.com/ringecosystem/msgscan/security/dependabot/111
    github_repository: ringecosystem/msgscan
    number: 111
    close_policy: reference_only
    note: Lockfile now resolves fastify to 5.9.0, above the patched 5.7.2 requirement.
  - kind: github_dependabot_alert
    canonical: https://github.com/ringecosystem/msgscan/security/dependabot/144
    url: https://github.com/ringecosystem/msgscan/security/dependabot/144
    github_repository: ringecosystem/msgscan
    number: 144
    close_policy: reference_only
    note: Lockfile now resolves fastify to 5.9.0, above the patched 5.8.3 requirement.
  - kind: github_dependabot_alert
    canonical: https://github.com/ringecosystem/msgscan/security/dependabot/196
    url: https://github.com/ringecosystem/msgscan/security/dependabot/196
    github_repository: ringecosystem/msgscan
    number: 196
    close_policy: reference_only
    note: Lockfile now resolves vitest to 4.1.9, above the patched 4.1.0 requirement.

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown

@fewensa fewensa merged commit 448fa98 into main Jul 2, 2026
1 check passed
@fewensa fewensa deleted the hbx-1100-fix-msgscan-dependabot-security-alerts branch July 2, 2026 04:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant