fix(root): resolve critical vitest vulnerability #11416
Merged
Resolves GHSA-5xrq-8626-4rwp (CRITICAL): When the Vitest UI server is listening, an arbitrary file can be read and executed.

- Vulnerable: vitest <4.1.0
- Patched: >=4.1.0
- Advisory: GHSA-5xrq-8626-4rwp

Fix strategy: pnpm override. Adds 'vitest@<4.1.0: ^4.1.0' override to pnpm-workspace.yaml so every direct and transitive consumer in the monorepo resolves to a patched vitest 4.x release (currently 4.1.7).

Adjustments required by the bump:

- enterprise/workers/scheduler: bumped @cloudflare/vitest-pool-workers from ^0.12.7 to ^0.16.10 (the earliest 0.13+ release whose peer dependency on vitest is ^4.1.0) and updated its own vitest devDep to ^4.1.0 so peer resolution stays clean.
- packages/novu/src/commands/wizard/pipeline/steps/run-agent.spec.ts: vitest 4 changes vi.fn type generics from vi.fn<[Args], Return>() to vi.fn<(args) => Return>(); updated the three impacted call sites so the build's tsc step continues to pass.

Co-authored-by: Dima Grossman <dima@grossman.io>
scopsy approved these changes, Jun 2, 2026
Summary

Upgrades vitest across the entire monorepo to >=4.1.0 (currently resolving to 4.1.7) to address GHSA-5xrq-8626-4rwp: when the Vitest UI server is listening, an arbitrary file can be read and executed (critical).

- Vulnerable: < 4.1.0
- Patched: >= 4.1.0
- Resolved: 4.1.7 (latest within minimumReleaseAge)

Fix strategy

Strategy B (pnpm override). A single override entry in pnpm-workspace.yaml forces every direct and transitive consumer to resolve to a patched release.

Before the fix, vitest was installed at 1.6.1, 2.1.9, and 3.2.x across direct dev-deps in 10 workspaces (and as a transitive dev-peer of better-auth for the dashboard / enterprise/packages/auth). The override cascades through all of them.

Build adjustments

The override surfaced two pre-existing rough edges that prevented pnpm build:v2 from passing on a clean rebuild. Both are addressed in-place:

- enterprise/workers/scheduler/package.json: bump @cloudflare/vitest-pool-workers from ^0.12.7 to ^0.16.10 and the vitest devDep from ~3.2.0 to ^4.1.0. The 0.12.x line pins its peer to vitest 2.0.x - 3.2.x, so leaving it in place would force pnpm to keep an old vitest in the tree purely to satisfy that peer. 0.13.x+ already requires ^4.1.0, matching the override.
- packages/novu/src/commands/wizard/pipeline/steps/run-agent.spec.ts: vitest 4 changes vi.fn type generics from the old vi.fn<[Args], Return>() shape (2 type args) to vi.fn<(args) => Return>() (1 type arg). The package's build step runs tsc -p tsconfig.json, which type-checks *.spec.ts files, so three call sites needed the syntactic update.

Validation

pnpm audit --json no longer reports advisory GHSA-5xrq-8626-4rwp (vitest). Remaining advisories are unrelated:

- aws-sdk (low): requires a v2 → v3 SDK rewrite of consuming code; skipped per the bot's "no breaking direct-dep bumps" rule.
- mailparser (low): requires a 0.6 → 3.9 API rewrite (MailParser class → simpleParser); skipped for the same reason.
- better-auth (moderate): already in flight in "fix(root): resolve moderate better-auth vulnerability fixes NV-7915" #11365.

pnpm build:v2 succeeds for @novu/api-service, @novu/worker, @novu/ws, @novu/dashboard, and all tag:type:package projects.

Notes

pnpm test — but those are local test-only changes and won't affect production builds, services, or published artifacts.
NV-XXXX ticket when merging.
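As an added check (this script is not part of the PR or the Novu repository), the following Python scans a pnpm-lock.yaml for every resolved version of a package and lists those still below the first patched release, which is the verification one would run after an override like the one above; the lockfile fragment is constructed and its integrity hashes are placeholders.

```python
import re
from typing import List, Tuple

# Constructed pnpm-lock.yaml (v9 layout) fragment; the integrity hashes are placeholders.
SAMPLE_LOCK = """\
packages:
  '@cloudflare/vitest-pool-workers@0.12.7':
    resolution: {integrity: sha512-PLACEHOLDER}
  vitest@1.6.1:
    resolution: {integrity: sha512-PLACEHOLDER}
  vitest@2.1.9:
    resolution: {integrity: sha512-PLACEHOLDER}
  vitest@4.1.7:
    resolution: {integrity: sha512-PLACEHOLDER}
snapshots:
  vitest@2.1.9(@types/node@20.19.0):
    dependencies:
      '@vitest/ui': 2.1.9(vitest@2.1.9)
"""

# Matches a lockfile package key at two-space indent: name@version, optionally
# quoted (scoped packages) and optionally followed by a (peer-suffix).
PKG_KEY = re.compile(r"^  '?(?P<name>@?[^@'\s]+)@(?P<ver>\d+\.\d+\.\d+[^\s:'()]*)")


def parse_version(v: str) -> Tuple[int, int, int, int]:
    """Sort key for semver: a pre-release (4.1.0-beta.1) sorts below the final 4.1.0."""
    core, _, pre = v.partition("-")
    major, minor, patch = (int(x) for x in core.split(".")[:3])
    return (major, minor, patch, 0 if pre else 1)


def installed_versions(lock_text: str, package: str = "vitest") -> List[str]:
    """Every resolved version of `package` found in the packages/snapshots keys."""
    found = {m.group("ver") for line in lock_text.splitlines()
             if (m := PKG_KEY.match(line)) and m.group("name") == package}
    return sorted(found, key=parse_version)


def vulnerable_versions(lock_text: str, package: str = "vitest", fixed: str = "4.1.0") -> List[str]:
    """Versions still below the first patched release; an empty list means the override took."""
    return [v for v in installed_versions(lock_text, package) if parse_version(v) < parse_version(fixed)]


if __name__ == "__main__":
    print("vitest versions in lockfile:", installed_versions(SAMPLE_LOCK))
    print("still vulnerable (<4.1.0):", vulnerable_versions(SAMPLE_LOCK))
```

Point it at a real lockfile by reading the file into `lock_text`; the same function also checks the @cloudflare/vitest-pool-workers peer line by passing that package name and "0.13.0" as the fixed version.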