Dependabot alerts — resolution summary
Resolved 2026-03-06 for mdg-labs/inboxops. Alerts were fetched via `gh api repos/mdg-labs/inboxops/dependabot/alerts`.
Changes made
1. pnpm overrides (root package.json)
- `tar` → 7.5.10
  Fixes all transitive tar alerts (GHSA-8qq5-rm4j-mr97, GHSA-r6q2-hw4h-h46w, GHSA-34x7-hfp2-rc4v, GHSA-83g3-92jg-28cx, GHSA-qffp-2rhf-9h96): path traversal, hardlink/symlink issues, drive-relative linkpath.
- `glob` → 10.5.0
  Fixes GHSA-5j98-mcp5-4vw2 (CLI command injection in `-c`/`--cmd`). Only the CLI was affected; the override ensures the patched version is used transitively.
- `esbuild` → `>=0.25.0`
  Fixes GHSA-67mh-4wv8-2f99 (CORS on the dev server). Transitive esbuild versions below 0.25.0 are overridden.
  An override replaces every occurrence of the package in the workspace, so the lint and build runs under Verification double as the compatibility check for the forced versions.
2. Next.js upgrade (apps/web/package.json)
- `next` ^14.2.0 → 15.5.10
  Fixes:
  - GHSA-h25m-26qc-wcjf (CVE-2026-23864): RSC HTTP deserialization DoS. No backport for Next 14; upgrade to 15.0.8+ required.
  - GHSA-9g9p-9gw9-jx7f (CVE-2025-59471): Image Optimizer DoS when `remotePatterns` is configured. Patched in 15.5.10.
- `eslint-config-next` → 15.5.10 (aligned with `next`).
3. Next.js 15 compatibility (apps/web)
- In Next 15, `params` (and `searchParams`) in pages and layouts are Promises. All App Router pages and layouts that use `params` were updated to:
  - Type `params` as `Promise<{ ... }>`.
  - `await params` at the start of the handler and use the destructured values.
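The `params` change from item 3, shown as an added before/after example in plain TypeScript (not code from the inboxops repository). The route shape `{ id: string }`, the page and layout names and the `renderThread` helper are assumptions chosen so the pair runs without Next installed.

```typescript
// Added example, not code from the repository. The route shape, page names
// and renderThread are assumptions; the file runs without Next installed.

type ThreadParams = { id: string };
type SearchParams = Record<string, string | string[] | undefined>;

// Stand-in for whatever the real page renders (constructed for the example).
function renderThread(id: string): string {
  return `thread:${id}`;
}

// Before (Next 14): params arrives as a plain object and is read directly.
export function ThreadPageNext14({ params }: { params: ThreadParams }): string {
  return renderThread(params.id);
}

// After (Next 15): params is a Promise. Await it first, then destructure.
// With the Promise type in place, reading params.id without awaiting no
// longer type-checks, which is how the remaining call sites were found.
export async function ThreadPageNext15({
  params,
}: {
  params: Promise<ThreadParams>;
}): Promise<string> {
  const { id } = await params;
  return renderThread(id);
}

// searchParams follows the same rule; a key may be absent or repeated.
export async function SearchPageNext15({
  searchParams,
}: {
  searchParams: Promise<SearchParams>;
}): Promise<string> {
  const { q } = await searchParams;
  const query = Array.isArray(q) ? (q[0] ?? "") : (q ?? "");
  return `search:${query}`;
}

// Layouts receive params the same way and pass children through.
export async function ThreadLayoutNext15({
  params,
  children,
}: {
  params: Promise<ThreadParams>;
  children: string;
}): Promise<string> {
  const { id } = await params;
  return `layout[${id}](${children})`;
}
```

The `await` goes at the top of the handler so the rest of the function body is unchanged from the Next 14 version; only the signature and the first line differ.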
Alert → fix mapping
| Alert # | Package | Advisory / CVE | Resolution |
|---|---|---|---|
| 1, 7 | next | GHSA-9g9p-9gw9-jx7f / CVE-2025-59471 (Image Optimizer DoS) | next@15.5.10 |
| 2, 8 | next | GHSA-h25m-26qc-wcjf / CVE-2026-23864 (RSC DoS) | next@15.5.10 |
| 3 | esbuild | GHSA-67mh-4wv8-2f99 (dev server CORS) | override ≥0.25.0 |
| 4 | glob | GHSA-5j98-mcp5-4vw2 (CLI command injection) | override 10.5.0 |
| 5–6, 9–11 | tar | Five GHSA advisories listed under item 1 (path traversal, hardlink/symlink, drive-relative linkpath) | override 7.5.10 |
Verification
After merging:
- Run `pnpm install` (lockfile updated) and commit the lockfile; Dependabot evaluates the committed lockfile, not the local install.
- Confirm no copy of an overridden package still resolves below its floor, e.g. `pnpm why tar` (likewise for `glob` and `esbuild`); every listed resolution should be at or above the override.
- Run `pnpm run lint` and `pnpm run build`.
- Re-run Dependabot or wait for the next security scan; alerts should close once the lockfile reflects the patched versions.
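A check for the verification step (and for the overrides in item 1), added here as example code rather than anything the repository ships: it parses the `packages:` section of a pnpm lockfile and reports entries that still resolve below the override floor. It assumes the lockfile v9 key layout (`name@version:` under `packages:`), treats an exact override and a `>=` range alike as a minimum version, ignores prerelease tags, and the sample lockfile text is constructed, not copied from the repo.

```typescript
// Added example, not the project's tooling. Assumes pnpm lockfile v9 keys of
// the form `  name@version:` under `packages:`; the sample lockfile below is
// constructed for the example.

// The overrides from item 1, keyed by package name.
export const OVERRIDES: Record<string, string> = {
  tar: "7.5.10",
  glob: "10.5.0",
  esbuild: ">=0.25.0",
};

// Collect every (name, version) key from the `packages:` section. Nested
// fields such as `resolution:` are indented deeper and never match.
export function lockfilePackages(lock: string): Array<{ name: string; version: string }> {
  const out: Array<{ name: string; version: string }> = [];
  let inPackages = false;
  for (const line of lock.split("\n")) {
    if (/^packages:\s*$/.test(line)) { inPackages = true; continue; }
    if (/^\S/.test(line)) { inPackages = false; continue; } // next top-level section
    if (!inPackages) continue;
    // Accepts `  tar@7.5.10:`, `  '@scope/pkg@1.2.3':` and v6-style `  /tar@7.5.10:`;
    // the version stops at ':' or at a '(' that opens a peer-dependency suffix.
    const m = line.match(/^  '?\/?(@?[^@'\s]+)@([^:'\s(]+)/);
    if (!m) continue;
    out.push({ name: m[1] ?? "", version: m[2] ?? "" });
  }
  return out;
}

// Strip range operators and prerelease tags, keep major.minor.patch.
function parseVersion(v: string): [number, number, number] {
  const core = v.replace(/^[>=^~]+/, "").split("-")[0] ?? "";
  const [a = 0, b = 0, c = 0] = core.split(".").map(Number);
  return [a, b, c];
}

// True when `found` is at or above the floor expressed by `min`.
export function atLeast(found: string, min: string): boolean {
  const [fa, fb, fc] = parseVersion(found);
  const [ma, mb, mc] = parseVersion(min);
  if (fa !== ma) return fa > ma;
  if (fb !== mb) return fb > mb;
  return fc >= mc;
}

// Lockfile entries for overridden packages that are still below the floor.
export function staleOverrides(lock: string, overrides = OVERRIDES): string[] {
  const stale: string[] = [];
  for (const { name, version } of lockfilePackages(lock)) {
    const floor = overrides[name];
    if (floor && !atLeast(version, floor)) stale.push(`${name}@${version} < ${floor}`);
  }
  return stale;
}

// Constructed sample: the tar override has not propagated to one consumer yet.
export const SAMPLE_LOCK = `lockfileVersion: '9.0'

packages:

  esbuild@0.25.0:
    resolution: {integrity: sha512-constructed}

  glob@10.5.0:
    resolution: {integrity: sha512-constructed}

  tar@6.2.1:
    resolution: {integrity: sha512-constructed}

  tar@7.5.10:
    resolution: {integrity: sha512-constructed}

snapshots:

  tar@6.2.1: {}
`;

const stale = staleOverrides(SAMPLE_LOCK);
console.log(stale.length ? stale : "all overrides applied");
```

Run it against the real `pnpm-lock.yaml` by replacing `SAMPLE_LOCK` with the file contents; an empty result means every copy of `tar`, `glob` and `esbuild` in the lockfile meets its override, which is the condition under which the Dependabot alerts close.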