
[security](deps): Bump the npm_and_yarn group across 1 directory with 5 updates #101

Merged
jscraik merged 2 commits into main from dependabot/npm_and_yarn/npm_and_yarn-094fc48aad on Feb 24, 2026

Conversation


@dependabot dependabot bot commented on behalf of github Feb 24, 2026

Bumps the npm_and_yarn group with 4 updates in the / directory: ajv, hono, @modelcontextprotocol/sdk and agents.

Updates ajv from 8.17.1 to 8.18.0

Release notes

Sourced from ajv's releases.

v8.18.0

Full Changelog: ajv-validator/ajv@v8.17.1...v8.18.0

Commits
  • 142ce84 8.18.0
  • 720a23f fix(pattern): use configured RegExp engine with $data keyword to mitigate ReD...
  • 82735a1 fix: typos in schema-language.md (#2507)
  • b17ec32 fix: small grammatical error in managing-schemas.md (#2508)
  • 69568d0 fix: #2482 Infinity and NaN serialise to null (#2487)
  • f06766f feat: allow tree-shaking by adding `"sideEffects": false` to `package.json` ...
  • See full diff in compare view

Updates hono from 4.11.7 to 4.11.10

Release notes

Sourced from hono's releases.

v4.11.10

What's Changed

  • fix: fixed to be more properly timing safe (Merge commit from fork 91def7ca)

Full Changelog: honojs/hono@v4.11.9...v4.11.10

v4.11.9

Full Changelog: honojs/hono@v4.11.8...v4.11.9

v4.11.8

Full Changelog: honojs/hono@v4.11.7...v4.11.8

Commits
  • a40d210 4.11.10
  • 91def7c Merge commit from fork
  • 8b17935 test(types): add regression tests for #4388 (routes before .use() with explic...
  • 4a03f4f doc(jwt): mark options.secret as required in JSDoc (#4718)
  • 7300551 chore(ci): bump typescript-go to the latest (#4716)
  • 4b29780 chore: update Zod import examples to use namespace imports (#4715)
  • 69ad885 4.11.9
  • 3d536ff fix: determine if rendered or not by node.vC[0] instead of referring to `no...
  • 0c1d4c7 fix(url): ignore fragment identifiers in getPath() (#4627)
  • 5ca5c3e 4.11.8
  • Additional commits viewable in compare view

Updates @modelcontextprotocol/sdk from 1.25.2 to 1.26.0

Release notes

Sourced from @modelcontextprotocol/sdk's releases.

v1.26.0

Addresses "Sharing server/transport instances can leak cross-client response data" in this GHSA GHSA-345p-7cg4-v4c7

Full Changelog: modelcontextprotocol/typescript-sdk@v1.25.3...v1.26.0

v1.25.3

Full Changelog: modelcontextprotocol/typescript-sdk@v1.25.2...v1.25.3

Commits
  • fe9c07b chore: bump version to 1.26.0 (#1479)
  • 4f01e7e fix: add non-null assertions for optional setupServer fields in stateful test
  • a05be17 Merge commit from fork
  • 50d9fa3 Fix #1430: Client Credentials providers scopes support (backported) (#1442)
  • aa81a66 fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x back...
  • 6aba065 chore: bump v1.25.3 for backport fixes (#1412)
  • 6e8f7e1 fix: prevent Hono from overriding global Response object (v1.x) (#1411)
  • 12ae856 [v1.x backport] Use correct schema for client sampling validation when tools ...
  • See full diff in compare view

Updates agents from 0.3.8 to 0.3.10

Release notes

Sourced from agents's releases.

agents@0.3.10

Patch Changes

  • #839 68916bf Thanks @whoiskatrin! - Invalidate query cache on disconnect to fix stale auth tokens

  • #841 3f490d0 Thanks @mattzcarey! - Escape authError to prevent XSS attacks and store it in the connection state to avoid needing script tags to display error.

  • Updated dependencies [83f137f]:

    • @cloudflare/ai-chat@0.0.6

agents@0.3.9

Patch Changes

  • #837 b11b9dd Thanks @​threepointone! - Fix AgentWorkflow run() method not being called in production

    The run() method wrapper was being set as an instance property in the constructor, but Cloudflare's RPC system invokes methods from the prototype chain. This caused the initialization wrapper to be bypassed in production, resulting in _initAgent never being called.

    Changed to wrap the subclass prototype's run method directly with proper safeguards:

    • Uses Object.hasOwn() to only wrap prototypes that define their own run method (prevents double-wrapping inherited methods)
    • Uses a WeakSet to track wrapped prototypes (prevents re-wrapping on subsequent instantiations)
    • Uses an instance-level __agentInitCalled flag to prevent double initialization if super.run() is called from a subclass

Updates qs from 6.14.1 to 6.15.0

Changelog

Sourced from qs's changelog.

6.15.0

  • [New] parse: add strictMerge option to wrap object/primitive conflicts in an array (#425, #122)
  • [Fix] duplicates option should not apply to bracket notation keys (#514)

6.14.2

  • [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
  • [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
  • [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
  • [Fix] parse: enforce arrayLimit on comma-parsed values
  • [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
  • [Robustness] avoid .push, use void
  • [readme] document that addQueryPrefix does not add ? to empty output (#418)
  • [readme] clarify parseArrays and arrayLimit documentation (#543)
  • [readme] replace runkit CI badge with shields.io check-runs badge
  • [meta] fix changelog typo (arrayLength → arrayLimit)
  • [actions] fix rebase workflow permissions

Commits
  • d9b4c66 v6.15.0
  • cb41a54 [New] parse: add strictMerge option to wrap object/primitive conflicts in...
  • 88e1563 [Fix] duplicates option should not apply to bracket notation keys
  • 9d441d2 Merge backport release tags v6.0.6–v6.13.3 into main
  • 85cc8ca v6.12.5
  • ffc12aa v6.11.4
  • 0506b11 [actions] update reusable workflows
  • 6a37faf [actions] update reusable workflows
  • 8e8df5a [Fix] fix regressions from robustness refactor
  • d60bab3 v6.10.7
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the Security Alerts page.

Summary by cubic

Upgrade ajv, hono, @modelcontextprotocol/sdk, agents, and qs to apply security patches across MCP and Cloudflare templates, and enforce minimum versions via pnpm overrides. Fixes a ReDoS risk in schema validation, prevents cross-client response leaks, and hardens auth flows.

  • Dependencies
    • ajv → 8.18.0: Mitigates ReDoS in pattern validation; fixes NaN/Infinity serialization.
    • @modelcontextprotocol/sdk → 1.26.0: Fixes cross-client response data leak (security advisory) and updates auth scopes.
    • agents → 0.3.10: Invalidates stale auth tokens on disconnect; escapes auth errors to prevent XSS.
    • hono → 4.11.10: Timing-safe comparison fix and minor URL/auth handling improvements.
    • qs → 6.15.0: Safer query parsing with strictMerge and better arrayLimit enforcement.

Written for commit 6c63401. Summary will update on new commits.
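The agents@0.3.9 note above describes moving the run() wrapper from an instance property to the subclass prototype and lists three safeguards. This added example (not the cloudflare/agents source) reconstructs that pattern with a stand-in for the RPC dispatch; `wrapRun`, `invokeViaPrototype`, `initCalls`, `wrapCount` and the workflow classes are invented names for illustration.

```javascript
// Added example (not the cloudflare/agents source) of the prototype-level run()
// wrapper and its three safeguards from the agents@0.3.9 notes; helper names are invented.
const wrappedPrototypes = new WeakSet(); // safeguard 2: prototypes already wrapped
let wrapCount = 0;                        // hypothetical counter, for observability

function wrapRun(proto) {
  // Safeguard 1: skip prototypes that only inherit run(); the owner gets wrapped.
  if (!Object.hasOwn(proto, 'run')) return;
  // Safeguard 2: a later instance of the same class must not wrap it again.
  if (wrappedPrototypes.has(proto)) return;
  wrappedPrototypes.add(proto); wrapCount += 1;
  const original = proto.run;
  proto.run = function (...args) {
    // Safeguard 3: per-instance flag, so super.run() from a subclass does not re-init.
    if (!this.__agentInitCalled) {
      this.__agentInitCalled = true;
      this._initAgent();
    }
    return original.apply(this, args);
  };
}

class AgentWorkflow {
  constructor() {
    this.__agentInitCalled = false;
    this.initCalls = 0;                   // hypothetical: counts _initAgent() calls
    wrapRun(Object.getPrototypeOf(this)); // wrap the concrete subclass's prototype
  }
  _initAgent() { this.initCalls += 1; }
}
class MyWorkflow extends AgentWorkflow {
  run(event) { return `ran ${event}`; }
}
class SubWorkflow extends MyWorkflow {
  run(event) { return `sub:${super.run(event)}`; }
}

// Stands in for Cloudflare's RPC, which resolves methods via the prototype chain.
function invokeViaPrototype(instance, method, ...args) {
  return Object.getPrototypeOf(instance)[method].apply(instance, args);
}

function demo() {
  const base = new MyWorkflow();
  new MyWorkflow();                             // second instance: no re-wrap
  const sub = new SubWorkflow();
  const r1 = invokeViaPrototype(base, 'run', 'a');
  const r2 = invokeViaPrototype(sub, 'run', 'b');
  return { r1, r2, baseInit: base.initCalls, subInit: sub.initCalls, wraps: wrapCount };
}
```

Calling `demo()` wraps exactly two prototypes (MyWorkflow and SubWorkflow) and initialises each instance once, even though the subclass's run() passes through two wrapped prototypes via super.run().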


dependabot bot commented on behalf of github Feb 24, 2026

Labels

The following labels could not be found: security. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot bot added the dependencies Dependency updates label Feb 24, 2026

socket-security bot commented Feb 24, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff     Package                                     Supply Chain Security  Vulnerability  Quality  Maintenance  License
Added    yargs@17.7.2                                99                     100            100      87           100
Added    typescript@5.9.3                            100                    100            90       100          90
Added    zod@3.25.76                                 98                     100            100      95           100
Added    zod@4.3.5                                   100                    100            100      95           100
Updated  @modelcontextprotocol/sdk@1.25.2 ⏵ 1.26.0   99                     100 +16        100      98 -1        100



@cubic-dev-ai cubic-dev-ai bot left a comment


1 issue found across 4 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="package.json">

<violation number="1" location="package.json:112">
P2: The `pnpm.overrides` entry for hono (`"hono@<4.11.7": ">=4.11.7"`) should be updated to `"hono@<4.11.10": ">=4.11.10"` to ensure transitive dependencies also pick up the timing-safe security fix shipped in 4.11.10.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.


argos-ci bot commented Feb 24, 2026

The latest updates on your projects.

Build              Status                  Details      Updated (UTC)
default (Inspect)  ✅ No changes detected  50 failures  Feb 24, 2026, 6:16 PM

dependabot bot and others added 2 commits February 24, 2026 17:49
… 5 updates

Bumps the npm_and_yarn group with 4 updates in the / directory: [ajv](https://github.com/ajv-validator/ajv), [hono](https://github.com/honojs/hono), [@modelcontextprotocol/sdk](https://github.com/modelcontextprotocol/typescript-sdk) and [agents](https://github.com/cloudflare/agents/tree/HEAD/packages/agents).


Updates `ajv` from 8.17.1 to 8.18.0
- [Release notes](https://github.com/ajv-validator/ajv/releases)
- [Commits](ajv-validator/ajv@v8.17.1...v8.18.0)

Updates `hono` from 4.11.7 to 4.11.10
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.11.7...v4.11.10)

Updates `@modelcontextprotocol/sdk` from 1.25.2 to 1.26.0
- [Release notes](https://github.com/modelcontextprotocol/typescript-sdk/releases)
- [Commits](modelcontextprotocol/typescript-sdk@v1.25.2...v1.26.0)

Updates `agents` from 0.3.8 to 0.3.10
- [Release notes](https://github.com/cloudflare/agents/releases)
- [Changelog](https://github.com/cloudflare/agents/blob/main/packages/agents/CHANGELOG.md)
- [Commits](https://github.com/cloudflare/agents/commits/agents@0.3.10/packages/agents)

Updates `qs` from 6.14.1 to 6.15.0
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.14.1...v6.15.0)

---
updated-dependencies:
- dependency-name: ajv
  dependency-version: 8.18.0
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: hono
  dependency-version: 4.11.10
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@modelcontextprotocol/sdk"
  dependency-version: 1.26.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: agents
  dependency-version: 0.3.10
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: qs
  dependency-version: 6.15.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@jscraik jscraik force-pushed the dependabot/npm_and_yarn/npm_and_yarn-094fc48aad branch from a425b75 to 6c63401 Compare February 24, 2026 17:53
@jscraik jscraik merged commit 548d119 into main Feb 24, 2026
8 of 9 checks passed
@jscraik jscraik deleted the dependabot/npm_and_yarn/npm_and_yarn-094fc48aad branch February 24, 2026 18:04