
fix(security): close 8 Dependabot alerts (admin-ui npm overrides + Go OTel v1.43.0)#34

Merged
ciprianiacobescu merged 5 commits into
mainfrom
fix/dependabot-vulns-2026-05-16
May 16, 2026

Conversation

@ciprianiacobescu
Contributor

Summary

Closes all 8 open Dependabot alerts on WeLikeCode/mintkey.

Alert  Sev  Package                        Fix
#1     M    tinymce                        <7       → 7.9.2    (via pnpm override)
#2     M    esbuild                        ≤0.24.2  → 0.25.12  (via pnpm override)
#3     H    playwright                     <1.55.1  → 1.60.0   (@playwright/test direct bump)
#4     L    @tiptap/extension-link         <2.10.4  → 2.27.2   (via pnpm override)
#5     M    vite                           ≤6.4.1   → 6.4.2    (via pnpm override)
#6     M    i18next-http-backend           <3.0.5   → 3.0.6    (via pnpm override)
#7     H    go.opentelemetry.io/otel/sdk   <1.40.0  → 1.43.0   (root go.mod)
#8     H    go.opentelemetry.io/otel/sdk   ≤1.42.0  → 1.43.0   (root go.mod)

5 of 6 admin-ui alerts are transitives (reached via adminjs ^7.8.x / vitest). Used pnpm overrides to force patched versions instead of bumping adminjs to a major (much larger blast radius). The 6 alerts close in a single batched commit per owner decision.

Discovery during implementation

pnpm v11 reads project overrides from pnpm-workspace.yaml, NOT package.json pnpm.overrides — the existing @tiptap/core@2.27.2 override was only working because .pnpmfile.cjs enforces it. All 7 overrides now live in pnpm-workspace.yaml; the package.json pnpm.overrides block is preserved for Dependabot dependency-graph visibility only.

Cascade

go mod tidy after the OTel bump promoted the go directive 1.22 → 1.25.0 (transitive Go-version requirement). .github/workflows/ci.yml GO_VERSION aligned 1.22 → 1.26 to match (and Dockerfile golang:1.26-alpine).

Cross-dependency on PR #33

PR #33 (fix/ci-pipeline-remediation) fixes the CI infrastructure (scorecard pin, setup-go cache, container-scan build context, Trivy CVE allow-list). On this PR, container-scan + scorecard will be red until #33 merges and this PR rebases. Merge order: #33 first, then this PR.

Local verification (REVIEWER fresh Opus, PASS_ALL):

  • pnpm install --frozen-lockfile exit 0
  • npx tsc --noEmit matches baseline (157 pre-existing AdminJS type errors; unchanged)
  • pnpm dev boots → HTTP 200
  • docker build admin-ui/ succeeds
  • pnpm audit --audit-level=high --prod clean
  • go build ./... / go vet ./... / go test ./internal/otelinit/... clean
  • All 4 Go services go build ./... clean
  • No otel/sdk v1.29.0..v1.42.0 instance remains in any go.sum

Change Type

  • Remediation session

Required Provenance

  • Session folder: team/remediation/2026-05-16-dependabot-vulns-remediation/
  • Issue intake: …/ISSUE_INTAKE.md (all 9 fields, 8 alerts itemized with CVE/GHSA + ranges + manifest)
  • Reviewer result: PASS_ALL

Issue Definition

  • Problem: 8 open Dependabot alerts (3 H, 4 M, 1 L) on WeLikeCode/mintkey; all have published patched versions.
  • Expected: 0 alerts after merge.
  • Evidence: Dependabot Alerts API response (per-alert CVE/GHSA in 99-report.md).
  • Scope: admin-ui/package.json, admin-ui/pnpm-lock.yaml, admin-ui/pnpm-workspace.yaml, go.mod, go.sum, go.work.sum, .github/workflows/ci.yml (cascade), .gitignore.
  • Out of scope: product code, Dockerfiles, accepted ADRs.

Verification

Agent/Automation Rules

  • No --no-verify used
  • No unverified "tests pass" claim
  • No unrelated refactor
  • No accepted ADR edited
  • No Co-Authored-By trailer
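
The override mechanism the description relies on, shown as an added example rather than the project's own .pnpmfile.cjs or pnpm-workspace.yaml: a readPackage hook that rewrites dependency ranges to the pinned versions from the table above. pnpm calls hooks.readPackage(manifest, context) for every manifest it resolves and uses the returned object, which is why a hook can enforce a pin even when pnpm.overrides in package.json is ignored. The version pins are the ones the PR lists; FORCED, DEP_FIELDS and applyForcedVersions are names invented for this example, and the comment shows the equivalent pnpm-workspace.yaml settings (with the packages key that pnpm v9 requires).

```javascript
// Added example of a .pnpmfile.cjs readPackage hook; not the project's own
// hook file. pnpm calls hooks.readPackage(manifest, context) for every manifest
// it resolves and uses the returned object, so rewriting dependency ranges here
// forces a version even if a parent such as adminjs declares an older range.
// The same pins expressed as pnpm v11 project settings (pnpm-workspace.yaml,
// with the packages key that pnpm v9 insists on):
//
//   packages: ["."]
//   overrides:
//     tinymce: 7.9.2
//     esbuild: 0.25.12
//     "@tiptap/extension-link": 2.27.2
//     vite: 6.4.2
//     i18next-http-backend: 3.0.6
//     "@tiptap/core": 2.27.2
//     "@tiptap/pm": 2.27.2
//
// Versions are the ones the PR lists; FORCED, DEP_FIELDS and applyForcedVersions
// are this example's own names.
const FORCED = {
  tinymce: '7.9.2',
  esbuild: '0.25.12',
  '@tiptap/extension-link': '2.27.2',
  vite: '6.4.2',
  'i18next-http-backend': '3.0.6',
  '@tiptap/core': '2.27.2',
  '@tiptap/pm': '2.27.2',
};

// Fields an override should reach. Peer ranges are left alone on purpose:
// pinning them to an exact version only produces spurious peer warnings.
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Rewrite every range for a forced package to the pinned version, in place.
// Returns the list of rewrites so callers (and tests) can see what changed.
function applyForcedVersions(manifest, forced = FORCED) {
  const rewrites = [];
  for (const field of DEP_FIELDS) {
    const deps = manifest[field];
    if (!deps) continue;
    for (const [name, range] of Object.entries(deps)) {
      const pinned = forced[name];
      if (pinned !== undefined && range !== pinned) {
        deps[name] = pinned;
        rewrites.push({ field, name, from: range, to: pinned });
      }
    }
  }
  return rewrites;
}

// The hook pnpm invokes. Logging each rewrite makes the override visible in
// `pnpm install` output instead of silently changing the graph.
function readPackage(manifest, context) {
  for (const r of applyForcedVersions(manifest)) {
    context.log(`${manifest.name || '<root>'}: ${r.name} ${r.from} -> ${r.to} (${r.field})`);
  }
  return manifest;
}

// pnpm requires the hooks object as the module export; the guard keeps the
// file loadable where CommonJS `module` is absent.
if (typeof module !== 'undefined') {
  module.exports = { hooks: { readPackage }, applyForcedVersions, FORCED };
}
```

Two caveats when using either form of override. First, an override pins a version regardless of what the parent package declares, so a patched release that is a breaking change for adminjs will resolve cleanly and only fail at runtime; the smoke test the PR runs (pnpm dev boot plus an HTTP probe) is what catches that, not the install. Second, after the install, `pnpm why <package>` confirms which version actually landed and through which parent, which is the quickest way to check that the override reached every path to the transitive.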

CiprianSpot added 5 commits May 16, 2026 19:30
Session: 2026-05-16-dependabot-vulns-remediation
Branch: fix/dependabot-vulns-2026-05-16 (from main)

8 open Dependabot alerts (3 H, 4 M, 1 L); all have patched versions.
- 6 npm alerts in admin-ui/pnpm-lock.yaml (tinymce, esbuild, playwright,
  @tiptap/extension-link, vite, i18next-http-backend) — mostly
  transitives, resolved via pnpm.overrides except @playwright/test (direct).
- 2 Go alerts both on go.opentelemetry.io/otel/sdk; root go.mod at
  v1.29.0 (vulnerable). Fix: bump entire OTel suite to v1.43.0.

Owner decisions locked:
- Single batched commit for admin-ui (6 packages)
- Separate PR (not piggybacked on PR #33)
- Smoke test: local builds + pnpm dev boot probe
- Preserve existing @tiptap/core@2.27.2 + @tiptap/pm@2.27.2 overrides

Cross-dependency on PR #33 documented in intake; container-scan/scorecard
on this PR's CI will be red until #33 merges and this rebases.

Next: dispatch IMPLEMENTER-DV-1 (admin-ui) + IMPLEMENTER-DV-2 (Go OTel)
in parallel.
Chunk DV-1 of 2026-05-16-dependabot-vulns-remediation.

Closes 6 of 8 open Dependabot alerts on WeLikeCode/mintkey (manifest =
admin-ui/pnpm-lock.yaml):

  Alert #1 MEDIUM CVE-2024-29881 tinymce              <7.0.0   -> 7.9.2
  Alert #2 MEDIUM GHSA-67mh-4wv8 esbuild              <=0.24.2 -> 0.25.12
  Alert #3 HIGH   CVE-2025-59288 playwright           <1.55.1  -> 1.60.0
  Alert #4 LOW    CVE-2025-14284 @tiptap/extension-link <2.10.4 -> 2.27.2
  Alert #5 MEDIUM CVE-2026-39365 vite                 <=6.4.1  -> 6.4.2
  Alert #6 MEDIUM CVE-2026-41691 i18next-http-backend <3.0.5   -> 3.0.6

Mechanism: pnpm `overrides`. Only @playwright/test was a direct dep
(devDependencies; bumped to ^1.55.1, resolves to 1.60.0). The other 5
were transitives reached via adminjs / vitest; forcing patched versions
via overrides was the surgical fix that avoided bumping adminjs (which
would have been a much larger blast radius).

Discovery during implementation: pnpm v11 reads project settings from
`pnpm-workspace.yaml`, NOT from `package.json` `pnpm.overrides` — that
block was silently ignored on this codebase since the corepack upgrade
to v11. The existing @tiptap/core@2.27.2 + @tiptap/pm@2.27.2 overrides
only worked because `.pnpmfile.cjs` enforces them via readPackage.
Added pnpm-workspace.yaml with all 7 entries (the original 2 + 5 new).
The `pnpm.overrides` block in package.json is preserved for tool
visibility (Dependabot dependency-graph parsing) but is now dead-code
for pnpm itself.

Verification:
  $ pnpm install --frozen-lockfile  -> exit 0
  $ npx tsc --noEmit                -> 157 errors (matches baseline,
                                       pre-existing AdminJS types issue)
  $ pnpm dev + curl localhost:5173/ -> HTTP 200
  $ docker build admin-ui/          -> success
  $ pnpm audit --audit-level=high   -> No known vulnerabilities

Locked decisions:
- Single batched commit (owner-chosen granularity, not per-package)
- Preserved @tiptap/core@2.27.2 + @tiptap/pm@2.27.2 (do not change)
- Preserved adminjs 7.8.x line (avoided 7->8 major bump)

REVIEWER (fresh Opus) PASS_ALL.
Chunk DV-2 of 2026-05-16-dependabot-vulns-remediation.

Closes remaining 2 of 8 open Dependabot alerts on WeLikeCode/mintkey
(manifest = go.mod, root module):

  Alert #7 HIGH CVE-2026-24051 (GHSA-9h8m-3fm2-qjrq) PATH hijacking
  Alert #8 HIGH CVE-2026-39883 (GHSA-hfvc-g4fc-pqhx) BSD kenv abuse

Both apply to go.opentelemetry.io/otel/sdk in the root module's
require block (all marked // indirect, but pulled transitively by
internal/otelinit/init.go). Bumping to v1.43.0 (latest as of
2026-04-03) satisfies BOTH patched-version ranges (>=1.40.0 and
>=1.43.0). The entire OTel sibling suite (otel, otel/sdk, otel/trace,
otel/metric, otel/exporters/otlp/otlptrace, otlptracegrpc) is bumped
in lockstep to preserve ABI alignment.

go mod tidy effects (all expected, none unrelated):
- otel/sdk and otel/exporters/otlp/otlptrace/otlptracegrpc promoted
  from // indirect to direct require (correctly reflects direct
  imports in internal/otelinit/init.go).
- Added transitive: go.opentelemetry.io/auto/sdk v1.2.1,
  go.opentelemetry.io/proto/otlp v1.10.0,
  cenkalti/backoff v4 -> v5 (driven by OTel/grpc graph).
- `go 1.22` directive bumped to `go 1.25.0` — transitive dep in the
  v1.43.0 graph requires Go 1.25 features. Not deliberate; cascade
  of the security bump.

Cascade fix: ci.yml GO_VERSION "1.22" -> "1.26" — needed because root
go.mod now requires go 1.25.0; aligns with Dockerfile golang:1.26-alpine
(dev/CI/prod now consistent).

Verification:
  $ go build ./...                      -> exit 0
  $ go vet ./...                        -> exit 0
  $ go test ./internal/otelinit/...     -> ok
  $ (each of 4 services) go build ./... -> exit 0
  $ grep "otel/sdk v1.2[9-9]\|v1.3[0-9]\|v1.4[0-2]" go.sum services/*/go.sum
                                        -> empty (only v1.43.0 remains)
  $ git diff --name-only -- internal/ admin-api/src/ services/*/internal/
                                        -> empty (no product code touched)

Also: gitignore **/.pnpm-store/ — local pnpm content-addressable
cache that appeared during DV-1's pnpm install regen (same rule as
sister PR #33's .gitignore).

REVIEWER (fresh Opus) PASS_ALL with 2 NITs (one accepted: pnpm.overrides
in package.json kept for Dependabot tool visibility).
REVIEWER PASS_ALL. 2 atomic commits close all 8 alerts.
Cross-dependency on PR #33 documented; merge order matters.
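
A keyed version check for go.sum, as an added example that is not a script from the repository. It covers the "no otel/sdk v1.29.0..v1.42.0 instance remains in any go.sum" item in the PR description and the grep in the DV-2 verification step: the second and third alternatives of that grep (`v1.3[0-9]`, `v1.4[0-2]`) are not anchored to otel/sdk, so an empty result there also rules out every other module at those versions, which is more than the check needs. The script below keys on the module path and compares versions numerically. The function names, the MINIMUMS map and SAMPLE_GO_SUM are this example's own; the sample go.sum fragment is constructed, not taken from the repository.

```javascript
// Added example of a go.sum minimum-version check; not a script from the
// project. go.sum lines have the form
//   <module path> <version> h1:<hash>
//   <module path> <version>/go.mod h1:<hash>
// Function names, the MINIMUMS map and SAMPLE_GO_SUM are this example's own;
// the sample is constructed, not taken from the repository.

function parseGoSum(text) {
  const entries = [];
  for (const line of text.split('\n')) {
    const parts = line.trim().split(/\s+/);
    if (parts.length < 3 || parts[0].startsWith('#')) continue;
    entries.push({ path: parts[0], version: parts[1].replace(/\/go\.mod$/, '') });
  }
  return entries;
}

// Numeric compare of Go module versions "vMAJOR.MINOR.PATCH[-pre][+meta]".
// Returns <0, 0 or >0. A pre-release (including pseudo-versions such as
// v0.0.0-20240101000000-abcdef) sorts below the release it precedes.
function compareVersions(a, b) {
  const parse = (v) => {
    const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([^+]+))?/.exec(v);
    if (!m) throw new Error(`unparseable version: ${v}`);
    return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || '' };
  };
  const pa = parse(a);
  const pb = parse(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === '') return 1;
  if (pb.pre === '') return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Every distinct (path, version) pair in goSumText that is below the minimum
// required for that path. An empty array means the file is clean.
function findBelowMinimum(goSumText, minimums) {
  const seen = new Set();
  const violations = [];
  for (const { path, version } of parseGoSum(goSumText)) {
    const min = minimums[path];
    if (min === undefined) continue;
    const key = `${path}@${version}`;
    if (seen.has(key)) continue;
    seen.add(key);
    if (compareVersions(version, min) < 0) {
      violations.push({ path, version, minimum: min });
    }
  }
  return violations;
}

// Constructed sample: the suite at v1.43.0 with one stale otel/sdk pair left
// behind, which is exactly what `go mod tidy` is expected to have removed.
const SAMPLE_GO_SUM = `
go.opentelemetry.io/otel v1.43.0 h1:AAAA=
go.opentelemetry.io/otel v1.43.0/go.mod h1:BBBB=
go.opentelemetry.io/otel/sdk v1.29.0 h1:CCCC=
go.opentelemetry.io/otel/sdk v1.29.0/go.mod h1:DDDD=
go.opentelemetry.io/otel/sdk v1.43.0 h1:EEEE=
go.opentelemetry.io/otel/sdk v1.43.0/go.mod h1:FFFF=
github.com/cenkalti/backoff/v5 v5.0.2 h1:GGGG=
`;

// Patched-version floor from the two alerts; v1.43.0 satisfies both.
const MINIMUMS = { 'go.opentelemetry.io/otel/sdk': 'v1.43.0' };

const stale = findBelowMinimum(SAMPLE_GO_SUM, MINIMUMS);
console.log(stale.length === 0 ? 'go.sum clean' : stale);
```

To run it against the repository, read the root go.sum and each services/*/go.sum with fs.readFileSync and pass the text to findBelowMinimum. Two limits to keep in mind: go.sum can legitimately retain hashes for versions that are no longer selected, so a hit is a prompt to re-run `go mod tidy` rather than proof the old code is linked; and the reverse also holds, so the authoritative statement of what a build actually contains is `go list -m all` in the module, or `go version -m <binary>` on the artifact that ships.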
ciprianiacobescu pushed a commit that referenced this pull request May 16, 2026
…ents

Late-discovered cascade from CI-B. Once the setup-go cache:false fix
let golangci-lint actually RUN end-to-end, type-check uncovered:

  package requires newer Go version go1.25 (application built with go1.24)

Several transitive deps in the existing go.mod graph require Go 1.25+.
CI was pinned to "1.22"; Dockerfiles already use golang:1.26-alpine.
Aligning ci.yml to 1.26 matches the production base image.

Same change as the cascade fix already on fix/dependabot-vulns-2026-05-16
(PR #34); landing it here keeps the two PRs consistent.

No other change in this commit.
@ciprianiacobescu ciprianiacobescu merged commit 2efa5e9 into main May 16, 2026
10 of 27 checks passed
ciprianiacobescu pushed a commit that referenced this pull request May 16, 2026
…p-review license config

PR #35 CI exposed 3 actionable defects after the initial Wave 1+2 landed:

1. Python jobs (Lint Python / Architecture / Python Unit / Schema Gates)
   uv sync now succeeds but tool spawn fails: `pytest`, `ruff`, `mypy`
   not in pyproject.toml deps. Added [dependency-groups] with dev tools
   to both admin-api/ and mcp-server/. [tool.uv] default-groups = ["dev"]
   ensures CI's `uv sync` (without --frozen) installs dev tools by
   default; the existing CI commands (uv run ruff/mypy/pytest) work
   unchanged. uv.lock regenerated for both.

2. Playwright (chromium)
   pnpm v9 in CI rejected admin-ui/pnpm-workspace.yaml with:
     ERROR  packages field missing or empty
   The file was created in PR #34 to hold pnpm v11 overrides; v11 is
   permissive about missing `packages:`, v9 is not. Added
   `packages: ["."]` so both versions accept the file. Local pnpm 11
   reverification: `pnpm install --frozen-lockfile` exits 0.

3. Dependency Review
     "message": "You cannot specify both allow-licenses and deny-licenses"
   actions/dependency-review-action rejects both keys at once. Kept
   `allow-licenses` (positive allowlist of 8 permissive licenses) and
   dropped the redundant `deny-licenses` block. Allow-list is strictly
   safer than deny-list (anything not on the list is rejected by
   default).

NOT addressed in this commit (deferred):
- container-scan Trivy failures on seed-job + jaeger-auth: new HIGH/
  CRITICAL CVEs published since PR #33's .trivyignore was generated.
  This is operational CVE-drift maintenance; allow-list refresh needs
  its own session (or, better, base-image upgrade to eliminate the
  CVEs at the source).
@ciprianiacobescu ciprianiacobescu deleted the fix/dependabot-vulns-2026-05-16 branch May 30, 2026 06:55