From 2d3300f865fa294888ff188b4279de7645233a3a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 2 Jul 2026 07:30:56 +0800 Subject: [PATCH 1/4] Merge pull request #440 from ckb-devrel/dependabot/npm_and_yarn/npm_and_yarn-79a8496460 build(deps): bump tar from 7.5.11 to 7.5.16 in the npm_and_yarn group across 1 directory --- pnpm-lock.yaml | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 13a5070..0436d6a 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -49,14 +49,10 @@ importers: version: 7.7.3 tar: specifier: ^7.5.3 - version: 7.5.11 + version: 7.5.16 winston: specifier: ^3.17.0 version: 3.17.0 - optionalDependencies: - cpu-features: - specifier: ^0.0.10 - version: 0.0.10 devDependencies: '@changesets/cli': specifier: ^2.29.8 @@ -115,6 +111,10 @@ importers: typescript: specifier: ^5.3.3 version: 5.8.2 + optionalDependencies: + cpu-features: + specifier: ^0.0.10 + version: 0.0.10 packages: @@ -956,41 +956,49 @@ packages: resolution: {integrity: sha512-34gw7PjDGB9JgePJEmhEqBhWvCiiWCuXsL9hYphDF7crW7UgI05gyBAi6MF58uGcMOiOqSJ2ybEeCvHcq0BCmQ==} cpu: [arm64] os: [linux] + libc: [glibc] '@unrs/resolver-binding-linux-arm64-musl@1.11.1': resolution: {integrity: sha512-RyMIx6Uf53hhOtJDIamSbTskA99sPHS96wxVE/bJtePJJtpdKGXO1wY90oRdXuYOGOTuqjT8ACccMc4K6QmT3w==} cpu: [arm64] os: [linux] + libc: [musl] '@unrs/resolver-binding-linux-ppc64-gnu@1.11.1': resolution: {integrity: sha512-D8Vae74A4/a+mZH0FbOkFJL9DSK2R6TFPC9M+jCWYia/q2einCubX10pecpDiTmkJVUH+y8K3BZClycD8nCShA==} cpu: [ppc64] os: [linux] + libc: [glibc] '@unrs/resolver-binding-linux-riscv64-gnu@1.11.1': resolution: {integrity: sha512-frxL4OrzOWVVsOc96+V3aqTIQl1O2TjgExV4EKgRY09AJ9leZpEg8Ak9phadbuX0BA4k8U5qtvMSQQGGmaJqcQ==} cpu: [riscv64] os: [linux] + libc: [glibc] '@unrs/resolver-binding-linux-riscv64-musl@1.11.1': resolution: {integrity: sha512-mJ5vuDaIZ+l/acv01sHoXfpnyrNKOk/3aDoEdLO/Xtn9HuZlDD6jKxHlkN8ZhWyLJsRBxfv9GYM2utQ1SChKew==} cpu: [riscv64] os: [linux] + libc: [musl] '@unrs/resolver-binding-linux-s390x-gnu@1.11.1': resolution: {integrity: sha512-kELo8ebBVtb9sA7rMe1Cph4QHreByhaZ2QEADd9NzIQsYNQpt9UkM9iqr2lhGr5afh885d/cB5QeTXSbZHTYPg==} cpu: [s390x] os: [linux] + libc: [glibc] '@unrs/resolver-binding-linux-x64-gnu@1.11.1': resolution: {integrity: sha512-C3ZAHugKgovV5YvAMsxhq0gtXuwESUKc5MhEtjBpLoHPLYM+iuwSj3lflFwK3DPm68660rZ7G8BMcwSro7hD5w==} cpu: [x64] os: [linux] + libc: [glibc] '@unrs/resolver-binding-linux-x64-musl@1.11.1': resolution: {integrity: sha512-rV0YSoyhK2nZ4vEswT/QwqzqQXw5I6CjoaYMOX0TqBlWhojUf8P94mvI7nuJTeaCkkds3QE4+zS8Ko+GdXuZtA==} cpu: [x64] os: [linux] + libc: [musl] '@unrs/resolver-binding-wasm32-wasi@1.11.1': resolution: {integrity: sha512-5u4RkfxJm+Ng7IWgkzi3qrFOvLvQYnPBmjmZQ8+szTK/b31fQCnleNl1GgEt7nIsZRIf5PLhPwT0WM+q45x/UQ==} @@ -2809,8 +2817,8 @@ packages: resolution: {integrity: sha512-Bh7QjT8/SuKUIfObSXNHNSK6WHo6J1tHCqJsuaFDP7gP0fkzSfTxI8y85JrppZ0h8l0maIgc2tfuZQ6/t3GtnQ==} engines: {node: ^14.18.0 || >=16.0.0} - tar@7.5.11: - resolution: {integrity: sha512-ChjMH33/KetonMTAtpYdgUFr0tbz69Fp2v7zWxQfYZX4g5ZN2nOBXm1R2xyA+lMIKrLKIoKAwFj93jE/avX9cQ==} + tar@7.5.16: + resolution: {integrity: sha512-56adEpPMouktRlBLXiaYFFzZ/3+JXa8P9n7WbR+ibIjtviN55mEaOkiysCnPnWm+7kkui1Dn8J9l+g6zV8731w==} engines: {node: '>=18'} term-size@2.2.1: @@ -6194,7 +6202,7 @@ snapshots: dependencies: '@pkgr/core': 0.2.9 - tar@7.5.11: + tar@7.5.16: dependencies: '@isaacs/fs-minipass': 4.0.1 chownr: 3.0.0 From 0fd5d8df7eb6b11979e45ab0a70ee053509905a8 Mon Sep 17 00:00:00 2001 From: humble-little-bear Date: Thu, 2 Jul 2026 12:02:34 +0800 Subject: [PATCH 2/4] chore(deps): override form-data to 4.0.6 (#441) * chore(deps): override form-data to 4.0.6 Resolves GHSA-7m2j-8qp9-m8jw (CRLF injection) by forcing transitive form-data to 4.0.6 via pnpm override. * chore(deps): move pnpm config to pnpm-workspace.yaml pnpm 10 reads overrides and onlyBuiltDependencies from pnpm-workspace.yaml instead of package.json. --- package.json | 5 ----- pnpm-lock.yaml | 25 ++++++++++++++++++------- pnpm-workspace.yaml | 5 +++++ 3 files changed, 23 insertions(+), 12 deletions(-) create mode 100644 pnpm-workspace.yaml diff --git a/package.json b/package.json index 3e8603f..eb00728 100644 --- a/package.json +++ b/package.json @@ -25,11 +25,6 @@ "publishConfig": { "access": "public" }, - "pnpm": { - "onlyBuiltDependencies": [ - "secp256k1" - ] - }, "scripts": { "build": "node scripts/build.js", "start": "ts-node-dev --transpile-only src/cli.ts", diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 0436d6a..9eb9c1c 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -4,6 +4,9 @@ settings: autoInstallPeers: true excludeLinksFromLockfile: false +overrides: + form-data@>=4.0.0 <4.0.6: 4.0.6 + importers: .: @@ -1702,8 +1705,8 @@ packages: resolution: {integrity: sha512-gIXjKqtFuWEgzFRJA9WCQeSJLZDjgJUOMCMzxtvFq/37KojM1BFGufqsCy0r4qSQmYLsZYMeyRqzIWOMup03sw==} engines: {node: '>=14'} - form-data@4.0.4: - resolution: {integrity: sha512-KrGhL9Q4zjj0kiUt5OO4Mr/A/jlI2jDYs5eHBpYHPcBEVSiipAvn2Ko2HnPe20rmcuuvMHNdZFp+4IlGTMF0Ow==} + form-data@4.0.6: + resolution: {integrity: sha512-vKatAh4SlVfgbv+YtmhiRjhEMJsYpsG1Y2rMQtR+SVSbytsSD1YGzDIcrAJmdFec88u/+VoGmxnl+80gL1tRCQ==} engines: {node: '>= 6'} forwarded@0.2.0: @@ -1824,6 +1827,10 @@ packages: resolution: {integrity: sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==} engines: {node: '>= 0.4'} + hasown@2.0.4: + resolution: {integrity: sha512-T2UbfbBEF32wiepXIsMlTW9+dDYC6wMh/t/vYA4tuOMKqWz/n3vr1NFSxQiyP+zk2mXsoMA/i/7qV6LKut1t1A==} + engines: {node: '>= 0.4'} + hmac-drbg@1.0.1: resolution: {integrity: sha512-Tti3gMqLdZfhOQY1Mzf/AanLiqh1WTiJgEj26ZuYQ9fbkLomzGchCws4FyrSd4VkpBfiNhaE1On+lOz894jvXg==} @@ -4090,7 +4097,7 @@ snapshots: '@types/node-fetch@2.6.12': dependencies: '@types/node': 20.17.24 - form-data: 4.0.4 + form-data: 4.0.6 '@types/node@12.20.55': {} @@ -4727,7 +4734,7 @@ snapshots: es-errors: 1.3.0 get-intrinsic: 1.3.0 has-tostringtag: 1.0.2 - hasown: 2.0.2 + hasown: 2.0.4 escalade@3.2.0: {} @@ -4980,12 +4987,12 @@ snapshots: cross-spawn: 7.0.6 signal-exit: 4.1.0 - form-data@4.0.4: + form-data@4.0.6: dependencies: asynckit: 0.4.0 combined-stream: 1.0.8 es-set-tostringtag: 2.1.0 - hasown: 2.0.2 + hasown: 2.0.4 mime-types: 2.1.35 forwarded@0.2.0: {} @@ -5027,7 +5034,7 @@ snapshots: get-proto: 1.0.1 gopd: 1.2.0 has-symbols: 1.1.0 - hasown: 2.0.2 + hasown: 2.0.4 math-intrinsics: 1.1.0 get-package-type@0.1.0: {} @@ -5110,6 +5117,10 @@ snapshots: dependencies: function-bind: 1.1.2 + hasown@2.0.4: + dependencies: + function-bind: 1.1.2 + hmac-drbg@1.0.1: dependencies: hash.js: 1.1.7 diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml new file mode 100644 index 0000000..f6ec30a --- /dev/null +++ b/pnpm-workspace.yaml @@ -0,0 +1,5 @@ +overrides: + "form-data@>=4.0.0 <4.0.6": "4.0.6" + +onlyBuiltDependencies: + - secp256k1 From ee72293cfa61cd00a0136f5dbf90f669344cf762 Mon Sep 17 00:00:00 2001 From: humble-little-bear Date: Thu, 2 Jul 2026 12:15:44 +0800 Subject: [PATCH 3/4] chore(deps): override hono to patched version 4.12.25 (#442) --- pnpm-lock.yaml | 26 ++++++++++---------------- pnpm-workspace.yaml | 1 + 2 files changed, 11 insertions(+), 16 deletions(-) diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 9eb9c1c..c03a731 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -6,6 +6,7 @@ settings: overrides: form-data@>=4.0.0 <4.0.6: 4.0.6 + hono@<4.12.25: 4.12.25 importers: @@ -413,7 +414,7 @@ packages: resolution: {integrity: sha512-TsQLe4i2gvoTtrHje625ngThGBySOgSK3Xo2XRYOdqGN1teR8+I7vchQC46uLJi8OF62YTYA3AhSpumtkhsaKQ==} engines: {node: '>=18.14.1'} peerDependencies: - hono: ^4 + hono: 4.12.25 '@humanfs/core@0.19.1': resolution: {integrity: sha512-5DyQ4+1JEUzejeK1JGICcideyfUbGixgS9jNgex5nqkW+cY7WZhxBigmieN5Qnw9ZosSNVC9KQKyb+GUaGyKUA==} @@ -1049,11 +1050,6 @@ packages: resolution: {integrity: sha512-ueEepnujpqee2o5aIYnvHU6C0A42MNdsIDeqy5BydrkuC5R1ZuUFnm27EeFJGoEHJQgn3uleRvmTXaJgfXbt4g==} engines: {node: '>=0.4.0'} - acorn@8.14.1: - resolution: {integrity: sha512-OvQ/2pUDKmgfCg++xsTX1wGxfTaszcHVcTctW4UJB4hibJx2HXxxO5UmVgyjMa+ZDsiaf5wWLXYpRWMmBI0QHg==} - engines: {node: '>=0.4.0'} - hasBin: true - acorn@8.15.0: resolution: {integrity: sha512-NZyJarBfL7nWwIq+FDL6Zp/yHEhePMNnnJ0y3qfieCrmNvYct8uvtiV41UvlSe6apAfk0fY1FbWx+NwfmpvtTg==} engines: {node: '>=0.4.0'} @@ -1834,8 +1830,8 @@ packages: hmac-drbg@1.0.1: resolution: {integrity: sha512-Tti3gMqLdZfhOQY1Mzf/AanLiqh1WTiJgEj26ZuYQ9fbkLomzGchCws4FyrSd4VkpBfiNhaE1On+lOz894jvXg==} - hono@4.12.18: - resolution: {integrity: sha512-RWzP96k/yv0PQfyXnWjs6zot20TqfpfsNXhOnev8d1InAxubW93L11/oNUc3tQqn2G0bSdAOBpX+2uDFHV7kdQ==} + hono@4.12.25: + resolution: {integrity: sha512-2NFaIyNVgJmBs/ecmtGzlmluTFs5cHEWGTdu0t1HBwYzoGXOL5nUQBRMXsXWla5i4KkG//QMzVP88m1+I3fdAQ==} engines: {node: '>=16.9.0'} html-escaper@2.0.2: @@ -3544,9 +3540,9 @@ snapshots: '@eslint/core': 0.13.0 levn: 0.4.1 - '@hono/node-server@1.19.13(hono@4.12.18)': + '@hono/node-server@1.19.13(hono@4.12.25)': dependencies: - hono: 4.12.18 + hono: 4.12.25 '@humanfs/core@0.19.1': {} @@ -3949,7 +3945,7 @@ snapshots: '@modelcontextprotocol/sdk@1.27.1(zod@3.25.76)': dependencies: - '@hono/node-server': 1.19.13(hono@4.12.18) + '@hono/node-server': 1.19.13(hono@4.12.25) ajv: 8.18.0 ajv-formats: 3.0.1(ajv@8.18.0) content-type: 1.0.5 @@ -3959,7 +3955,7 @@ snapshots: eventsource-parser: 3.0.6 express: 5.2.1 express-rate-limit: 8.3.1(express@5.2.1) - hono: 4.12.18 + hono: 4.12.25 jose: 6.1.3 json-schema-typed: 8.0.2 pkce-challenge: 5.0.1 @@ -4293,8 +4289,6 @@ snapshots: dependencies: acorn: 8.15.0 - acorn@8.14.1: {} - acorn@8.15.0: {} adm-zip@0.5.16: {} @@ -5127,7 +5121,7 @@ snapshots: minimalistic-assert: 1.0.1 minimalistic-crypto-utils: 1.0.1 - hono@4.12.18: {} + hono@4.12.25: {} html-escaper@2.0.2: {} @@ -6295,7 +6289,7 @@ snapshots: '@tsconfig/node14': 1.0.3 '@tsconfig/node16': 1.0.4 '@types/node': 20.17.24 - acorn: 8.14.1 + acorn: 8.15.0 acorn-walk: 8.3.4 arg: 4.1.3 create-require: 1.1.1 diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml index f6ec30a..0f90e9a 100644 --- a/pnpm-workspace.yaml +++ b/pnpm-workspace.yaml @@ -1,5 +1,6 @@ overrides: "form-data@>=4.0.0 <4.0.6": "4.0.6" + "hono@<4.12.25": "4.12.25" onlyBuiltDependencies: - secp256k1 From b5b41e7bc153e29808a037ac76a75e13b1d37a2f Mon Sep 17 00:00:00 2001 From: humble-little-bear Date: Thu, 2 Jul 2026 12:45:49 +0800 Subject: [PATCH 4/4] chore(release): bump version to 0.4.8 (#443) --- CHANGELOG.md | 7 +++++++ package.json | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0a41f75..b528831 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,12 @@ # @offckb/cli +## 0.4.8 + +### Patch Changes + +- Override `form-data@>=4.0.0 <4.0.6` to `4.0.6` to fix CRLF injection (GHSA). +- Override `hono@<4.12.25` to `4.12.25` to fix CORS origin reflection with credentials. + ## 0.4.7 ### Patch Changes diff --git a/package.json b/package.json index eb00728..d54f616 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@offckb/cli", - "version": "0.4.7", + "version": "0.4.8", "description": "ckb development network for your first try", "author": "CKB EcoFund", "license": "MIT",