orcs-oss/orcs-code
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: pin all dependencies to exact versions

Browse Source 
Removes caret (^) ranges from all 74 dependencies in package.json,
locking each to the exact version resolved in bun.lock.

Motivation: the axios supply chain attack of March 31 2026 demonstrated
that caret ranges are a live attack vector. axios@^1.14.0 would have
resolved to the trojanized 1.14.1 (bundled plain-crypto-js RAT, C2
sfrclak.com). Both 1.14.1 and 0.30.4 were unpublished within 24h.

Key pins:
  axios      ^1.14.0  → 1.14.0   (trojanized 1.14.1 blocked)
  undici     ^7.3.0   → 7.24.6   (7 CVEs between 7.3 and 7.24)
  yaml       ^2.7.0   → 2.8.3    (CVE-2026-33532 fix)
  ajv        ^8.17.0  → 8.18.0   (ReDoS fix)
  lodash-es  ^4.17.21 → 4.17.23  (prototype pollution fix)
  zod        ^3.24.0  → 3.25.76  (large range locked)

All 74 deps verified: integrity hashes match npm registry, no known
supply chain incidents, no postinstall scripts in lockfile.
This commit is contained in:
Mikey
2026-04-01 21:29:42 -07:00
parent 1a60509fdc
commit 5f75f67a27
2 changed files with 148 additions and 148 deletions
Download Patch File Download Diff File Expand all files Collapse all files

148
bun.lock
View File

@@ -5,82 +5,82 @@
"": {
"name": "openclaude",
"dependencies": {
"@alcalzone/ansi-tokenize": "^0.3.0",
"@anthropic-ai/bedrock-sdk": "^0.26.0",
"@anthropic-ai/foundry-sdk": "^0.2.0",
"@anthropic-ai/sandbox-runtime": "^0.0.46",
"@anthropic-ai/sdk": "^0.81.0",
"@anthropic-ai/vertex-sdk": "^0.14.0",
"@commander-js/extra-typings": "^12.0.0",
"@growthbook/growthbook": "^1.3.0",
"@modelcontextprotocol/sdk": "^1.12.0",
"@opentelemetry/api": "^1.9.1",
"@opentelemetry/api-logs": "^0.214.0",
"@opentelemetry/core": "^2.6.1",
"@opentelemetry/exporter-logs-otlp-http": "^0.214.0",
"@opentelemetry/exporter-trace-otlp-grpc": "^0.57.0",
"@opentelemetry/resources": "^2.6.1",
"@opentelemetry/sdk-logs": "^0.214.0",
"@opentelemetry/sdk-metrics": "^2.6.1",
"@opentelemetry/sdk-trace-base": "^2.6.1",
"@opentelemetry/sdk-trace-node": "^2.6.1",
"@opentelemetry/semantic-conventions": "^1.40.0",
"ajv": "^8.17.0",
"auto-bind": "^5.0.1",
"axios": "^1.14.0",
"bidi-js": "^1.0.3",
"chalk": "^5.4.0",
"chokidar": "^4.0.0",
"cli-boxes": "^3.0.0",
"cli-highlight": "^2.1.0",
"code-excerpt": "^4.0.0",
"commander": "^12.0.0",
"diff": "^7.0.0",
"emoji-regex": "^10.4.0",
"env-paths": "^3.0.0",
"execa": "^9.5.0",
"fflate": "^0.8.2",
"figures": "^6.1.0",
"fuse.js": "^7.1.0",
"get-east-asian-width": "^1.3.0",
"google-auth-library": "^9.15.0",
"https-proxy-agent": "^7.0.6",
"ignore": "^7.0.0",
"indent-string": "^5.0.0",
"jsonc-parser": "^3.3.1",
"lodash-es": "^4.17.21",
"lru-cache": "^11.0.0",
"marked": "^15.0.0",
"p-map": "^7.0.3",
"picomatch": "^4.0.0",
"proper-lockfile": "^4.1.2",
"qrcode": "^1.5.4",
"react": "^19.2.4",
"react-compiler-runtime": "^1.0.0",
"react-reconciler": "^0.33.0",
"semver": "^7.6.3",
"shell-quote": "^1.8.2",
"signal-exit": "^4.1.0",
"stack-utils": "^2.0.6",
"strip-ansi": "^7.1.0",
"supports-hyperlinks": "^3.1.0",
"tree-kill": "^1.2.2",
"turndown": "^7.2.0",
"type-fest": "^4.30.0",
"undici": "^7.3.0",
"usehooks-ts": "^3.1.1",
"vscode-languageserver-protocol": "^3.17.5",
"wrap-ansi": "^9.0.0",
"ws": "^8.18.0",
"xss": "^1.0.15",
"yaml": "^2.7.0",
"zod": "^3.24.0",
"@alcalzone/ansi-tokenize": "0.3.0",
"@anthropic-ai/bedrock-sdk": "0.26.4",
"@anthropic-ai/foundry-sdk": "0.2.3",
"@anthropic-ai/sandbox-runtime": "0.0.46",
"@anthropic-ai/sdk": "0.81.0",
"@anthropic-ai/vertex-sdk": "0.14.4",
"@commander-js/extra-typings": "12.1.0",
"@growthbook/growthbook": "1.6.5",
"@modelcontextprotocol/sdk": "1.29.0",
"@opentelemetry/api": "1.9.1",
"@opentelemetry/api-logs": "0.214.0",
"@opentelemetry/core": "2.6.1",
"@opentelemetry/exporter-logs-otlp-http": "0.214.0",
"@opentelemetry/exporter-trace-otlp-grpc": "0.57.2",
"@opentelemetry/resources": "2.6.1",
"@opentelemetry/sdk-logs": "0.214.0",
"@opentelemetry/sdk-metrics": "2.6.1",
"@opentelemetry/sdk-trace-base": "2.6.1",
"@opentelemetry/sdk-trace-node": "2.6.1",
"@opentelemetry/semantic-conventions": "1.40.0",
"ajv": "8.18.0",
"auto-bind": "5.0.1",
"axios": "1.14.0",
"bidi-js": "1.0.3",
"chalk": "5.6.2",
"chokidar": "4.0.3",
"cli-boxes": "3.0.0",
"cli-highlight": "2.1.11",
"code-excerpt": "4.0.0",
"commander": "12.1.0",
"diff": "7.0.0",
"emoji-regex": "10.6.0",
"env-paths": "3.0.0",
"execa": "9.6.1",
"fflate": "0.8.2",
"figures": "6.1.0",
"fuse.js": "7.1.0",
"get-east-asian-width": "1.5.0",
"google-auth-library": "9.15.1",
"https-proxy-agent": "7.0.6",
"ignore": "7.0.5",
"indent-string": "5.0.0",
"jsonc-parser": "3.3.1",
"lodash-es": "4.17.23",
"lru-cache": "11.2.7",
"marked": "15.0.12",
"p-map": "7.0.4",
"picomatch": "4.0.4",
"proper-lockfile": "4.1.2",
"qrcode": "1.5.4",
"react": "19.2.4",
"react-compiler-runtime": "1.0.0",
"react-reconciler": "0.33.0",
"semver": "7.7.4",
"shell-quote": "1.8.3",
"signal-exit": "4.1.0",
"stack-utils": "2.0.6",
"strip-ansi": "7.2.0",
"supports-hyperlinks": "3.2.0",
"tree-kill": "1.2.2",
"turndown": "7.2.2",
"type-fest": "4.41.0",
"undici": "7.24.6",
"usehooks-ts": "3.1.1",
"vscode-languageserver-protocol": "3.17.5",
"wrap-ansi": "9.0.2",
"ws": "8.20.0",
"xss": "1.0.15",
"yaml": "2.8.3",
"zod": "3.25.76",
},
"devDependencies": {
"@types/bun": "^1.2.0",
"@types/node": "^25.5.0",
"@types/react": "^19.2.14",
"typescript": "^5.7.0",
"@types/bun": "1.3.11",
"@types/node": "25.5.0",
"@types/react": "19.2.14",
"typescript": "5.9.3",
},
},
},

148
package.json
View File

@@ -42,82 +42,82 @@
"prepack": "npm run build"
},
"dependencies": {
"@alcalzone/ansi-tokenize": "^0.3.0",
"@anthropic-ai/bedrock-sdk": "^0.26.0",
"@anthropic-ai/foundry-sdk": "^0.2.0",
"@anthropic-ai/sandbox-runtime": "^0.0.46",
"@anthropic-ai/sdk": "^0.81.0",
"@anthropic-ai/vertex-sdk": "^0.14.0",
"@commander-js/extra-typings": "^12.0.0",
"@growthbook/growthbook": "^1.3.0",
"@modelcontextprotocol/sdk": "^1.12.0",
"@opentelemetry/api": "^1.9.1",
"@opentelemetry/api-logs": "^0.214.0",
"@opentelemetry/core": "^2.6.1",
"@opentelemetry/exporter-logs-otlp-http": "^0.214.0",
"@opentelemetry/exporter-trace-otlp-grpc": "^0.57.0",
"@opentelemetry/resources": "^2.6.1",
"@opentelemetry/sdk-logs": "^0.214.0",
"@opentelemetry/sdk-metrics": "^2.6.1",
"@opentelemetry/sdk-trace-base": "^2.6.1",
"@opentelemetry/sdk-trace-node": "^2.6.1",
"@opentelemetry/semantic-conventions": "^1.40.0",
"ajv": "^8.17.0",
"auto-bind": "^5.0.1",
"axios": "^1.14.0",
"bidi-js": "^1.0.3",
"chalk": "^5.4.0",
"chokidar": "^4.0.0",
"cli-boxes": "^3.0.0",
"cli-highlight": "^2.1.0",
"code-excerpt": "^4.0.0",
"commander": "^12.0.0",
"diff": "^7.0.0",
"emoji-regex": "^10.4.0",
"env-paths": "^3.0.0",
"execa": "^9.5.0",
"fflate": "^0.8.2",
"figures": "^6.1.0",
"fuse.js": "^7.1.0",
"get-east-asian-width": "^1.3.0",
"google-auth-library": "^9.15.0",
"https-proxy-agent": "^7.0.6",
"ignore": "^7.0.0",
"indent-string": "^5.0.0",
"jsonc-parser": "^3.3.1",
"lodash-es": "^4.17.21",
"lru-cache": "^11.0.0",
"marked": "^15.0.0",
"p-map": "^7.0.3",
"picomatch": "^4.0.0",
"proper-lockfile": "^4.1.2",
"qrcode": "^1.5.4",
"react": "^19.2.4",
"react-compiler-runtime": "^1.0.0",
"react-reconciler": "^0.33.0",
"semver": "^7.6.3",
"shell-quote": "^1.8.2",
"signal-exit": "^4.1.0",
"stack-utils": "^2.0.6",
"strip-ansi": "^7.1.0",
"supports-hyperlinks": "^3.1.0",
"tree-kill": "^1.2.2",
"turndown": "^7.2.0",
"type-fest": "^4.30.0",
"undici": "^7.3.0",
"usehooks-ts": "^3.1.1",
"vscode-languageserver-protocol": "^3.17.5",
"wrap-ansi": "^9.0.0",
"ws": "^8.18.0",
"xss": "^1.0.15",
"yaml": "^2.7.0",
"zod": "^3.24.0"
"@alcalzone/ansi-tokenize": "0.3.0",
"@anthropic-ai/bedrock-sdk": "0.26.4",
"@anthropic-ai/foundry-sdk": "0.2.3",
"@anthropic-ai/sandbox-runtime": "0.0.46",
"@anthropic-ai/sdk": "0.81.0",
"@anthropic-ai/vertex-sdk": "0.14.4",
"@commander-js/extra-typings": "12.1.0",
"@growthbook/growthbook": "1.6.5",
"@modelcontextprotocol/sdk": "1.29.0",
"@opentelemetry/api": "1.9.1",
"@opentelemetry/api-logs": "0.214.0",
"@opentelemetry/core": "2.6.1",
"@opentelemetry/exporter-logs-otlp-http": "0.214.0",
"@opentelemetry/exporter-trace-otlp-grpc": "0.57.2",
"@opentelemetry/resources": "2.6.1",
"@opentelemetry/sdk-logs": "0.214.0",
"@opentelemetry/sdk-metrics": "2.6.1",
"@opentelemetry/sdk-trace-base": "2.6.1",
"@opentelemetry/sdk-trace-node": "2.6.1",
"@opentelemetry/semantic-conventions": "1.40.0",
"ajv": "8.18.0",
"auto-bind": "5.0.1",
"axios": "1.14.0",
"bidi-js": "1.0.3",
"chalk": "5.6.2",
"chokidar": "4.0.3",
"cli-boxes": "3.0.0",
"cli-highlight": "2.1.11",
"code-excerpt": "4.0.0",
"commander": "12.1.0",
"diff": "7.0.0",
"emoji-regex": "10.6.0",
"env-paths": "3.0.0",
"execa": "9.6.1",
"fflate": "0.8.2",
"figures": "6.1.0",
"fuse.js": "7.1.0",
"get-east-asian-width": "1.5.0",
"google-auth-library": "9.15.1",
"https-proxy-agent": "7.0.6",
"ignore": "7.0.5",
"indent-string": "5.0.0",
"jsonc-parser": "3.3.1",
"lodash-es": "4.17.23",
"lru-cache": "11.2.7",
"marked": "15.0.12",
"p-map": "7.0.4",
"picomatch": "4.0.4",
"proper-lockfile": "4.1.2",
"qrcode": "1.5.4",
"react": "19.2.4",
"react-compiler-runtime": "1.0.0",
"react-reconciler": "0.33.0",
"semver": "7.7.4",
"shell-quote": "1.8.3",
"signal-exit": "4.1.0",
"stack-utils": "2.0.6",
"strip-ansi": "7.2.0",
"supports-hyperlinks": "3.2.0",
"tree-kill": "1.2.2",
"turndown": "7.2.2",
"type-fest": "4.41.0",
"undici": "7.24.6",
"usehooks-ts": "3.1.1",
"vscode-languageserver-protocol": "3.17.5",
"wrap-ansi": "9.0.2",
"ws": "8.20.0",
"xss": "1.0.15",
"yaml": "2.8.3",
"zod": "3.25.76"
},
"devDependencies": {
"@types/bun": "^1.2.0",
"@types/node": "^25.5.0",
"@types/react": "^19.2.14",
"typescript": "^5.7.0"
"@types/bun": "1.3.11",
"@types/node": "25.5.0",
"@types/react": "19.2.14",
"typescript": "5.9.3"
},
"engines": {
"node": ">=20.0.0"