Skip to content

security: vulnerability remediation#114

Open
kernel-internal[bot] wants to merge 1 commit into
mainfrom
security/vuln-remediation
Open

security: vulnerability remediation#114
kernel-internal[bot] wants to merge 1 commit into
mainfrom
security/vuln-remediation

Conversation

@kernel-internal
Copy link
Copy Markdown

@kernel-internal kernel-internal Bot commented Jun 3, 2026
edited by cursor Bot
Loading

Vulnerability Remediation

This PR was generated by the Socket-centric vulnerability remediation workflow. Review the planned dependency changes and confirmation evidence before merging.

Fixed

CVE/GHSA Package Ecosystem Old Version New Version Manifest Confirmation
GHSA-25h7-pfq9-p65f eslint, flatted None 9.39.1 3.4.2 confirmed

Not Included

  • Deferred by batch limit: 5 advisories. They will be considered by future runs.
  • Other deferred scanner findings: 0.
  • Unconfirmed attempted fixes: 0.

Note

Low Risk
Lockfile-only transitive dependency patch with no runtime or auth logic changes.

Overview
Bumps the transitive dependency flatted from 3.3.2 to 3.4.0 in yarn.lock to address GHSA-25h7-pfq9-p65f. No application source files change—only the resolved version used under flat-cache (ESLint-related tooling).

This is a Socket-driven vulnerability remediation PR; merge after confirming the advisory is cleared for your environment.

Reviewed by Cursor Bugbot for commit f9545f1. Bugbot is set up for automated code reviews on this repo. Configure here.

@kernel-internal kernel-internal Bot requested a review from ulziibay-kernel June 3, 2026 04:34
@firetiger-agent
Copy link
Copy Markdown

firetiger-agent Bot commented Jun 3, 2026

Created a monitoring plan for this PR.

What this PR does: Upgrades the flatted devDependency (used by ESLint's internal cache) from 3.3.2 to 3.4.0 to remediate a security advisory — no change to the published SDK or its consumers.

Intended effect:

  • Security advisory clearance: baseline — advisory flagged on flatted < 3.4.0; confirmed if yarn audit / socket.yml scan reports it resolved after this merge.
  • CI pipeline: baseline — lint/build/test passing; confirmed if the pipeline continues passing with no new failures.

Risks:

  • CI lint breakage — if flatted 3.4.0 introduces a breaking change for flat-cache, ESLint could fail in CI; alert if the CI lint step fails post-merge.
  • No production service, API, or runtime risk — flatted is not included in the published npm package (@onkernel/sdk has zero runtime dependencies).

Status updates will be posted automatically on this PR as monitoring progresses.

View monitor

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ulziibay-kernel ulziibay-kernel Awaiting requested review from ulziibay-kernel

At least 1 approving review is required to merge this pull request.

Assignees

@ulziibay-kernel ulziibay-kernel

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ulziibay-kernel