Skip to content

security: bump 15 package(s) in npm#168

Open
vtiwari-story wants to merge 1 commit into
mainfrom
depagent/sec-npm-20260519-232315
Open

security: bump 15 package(s) in npm#168
vtiwari-story wants to merge 1 commit into
mainfrom
depagent/sec-npm-20260519-232315

Conversation

@vtiwari-story
Copy link
Copy Markdown

@vtiwari-story vtiwari-story commented May 19, 2026

Security dependency upgrade

This PR was opened by depagent to address 15 security alert(s) in the npm ecosystem.

Each package is pinned to exactly the patched version reported by Dependabot's first_patched_version — not a range. To restore a range constraint (e.g. ^x.y.z), edit the manifest after merge.

Alerts addressed

Sev Package Vulnerable range Patched CVE GHSA EPSS KEV
high next >= 12.2.0, < 15.5.16 15.5.16 CVE-2026-44573 GHSA-36qx-fr4f-26g5 0.00 no
high next >= 12.2.0, < 15.5.16 15.5.16 CVE-2026-44573 GHSA-36qx-fr4f-26g5 0.00 no
high next >= 12.2.0, < 15.5.16 15.5.16 CVE-2026-44573 GHSA-36qx-fr4f-26g5 0.00 no
high next >= 13.0.0, < 15.5.16 15.5.16 - GHSA-8h8q-6873-q5fj - no
high next >= 13.0.0, < 15.5.16 15.5.16 - GHSA-8h8q-6873-q5fj - no
high next >= 13.0.0, < 15.5.16 15.5.16 - GHSA-8h8q-6873-q5fj - no
high next >= 13.4.13, < 15.5.16 15.5.16 CVE-2026-44578 GHSA-c4j6-fc7j-m34r 0.04 no
high next >= 13.4.13, < 15.5.16 15.5.16 CVE-2026-44578 GHSA-c4j6-fc7j-m34r 0.04 no
high next >= 13.4.13, < 15.5.16 15.5.16 CVE-2026-44578 GHSA-c4j6-fc7j-m34r 0.04 no
high next >= 13.0.0, < 15.5.15 15.5.15 - GHSA-q4gf-8mx6-v5v3 - no
high next >= 13.0.0, < 15.5.15 15.5.15 - GHSA-q4gf-8mx6-v5v3 - no
high next >= 13.0.0, < 15.5.15 15.5.15 - GHSA-q4gf-8mx6-v5v3 - no
high next >= 13.0.0, < 15.0.8 15.0.8 - GHSA-h25m-26qc-wcjf - no
high next >= 13.0.0, < 15.0.8 15.0.8 - GHSA-h25m-26qc-wcjf - no
high next >= 13.0.0, < 15.0.8 15.0.8 - GHSA-h25m-26qc-wcjf - no

Notes

  • Some changes are package overrides for transitive vulnerable deps (pnpm.overrides / overrides / resolutions). The vulnerable package isn't declared directly in the manifest — the override pins it to the patched version across the entire dependency graph for that workspace.
  • regenerated lockfile via pnpm

Generated by depagent — storyprotocol/ipkit.

@vtiwari-story vtiwari-story added the security Created by depagent label May 19, 2026
@vtiwari-story vtiwari-story requested a review from LeoHChen as a code owner May 19, 2026 23:23
@vtiwari-story vtiwari-story added the depagent Created by depagent label May 19, 2026
@vtiwari-story vtiwari-story added security Created by depagent depagent Created by depagent labels May 19, 2026
@vercel
Copy link
Copy Markdown

vercel Bot commented May 19, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
ipkit Ready Ready Preview, Comment May 19, 2026 11:24pm

Request Review

@wiz-6cbc7756d1
Copy link
Copy Markdown
Contributor

wiz-6cbc7756d1 Bot commented May 19, 2026

Wiz Scan Summary

⚠️ Many findings detected
Many findings were detected, but only a subset of the findings are displayed inline due to API constraints. To view all findings inline, please click here.
Scanner Findings
Vulnerability Finding Vulnerabilities 3 Critical 18 High 33 Medium 12 Low
Data Finding Sensitive Data -
Secret Finding Secrets -
IaC Misconfiguration IaC Misconfigurations -
SAST Finding SAST Findings -
Software Management Finding Software Management Findings -
Total 3 Critical 18 High 33 Medium 12 Low

View scan details in Wiz

To detect these findings earlier in the dev lifecycle, try using Wiz Code VS Code Extension.

wiz-6cbc7756d1[bot]
wiz-6cbc7756d1 Bot reviewed May 19, 2026
View reviewed changes
Comment thread examples/custom-theme/package.json
"@story-protocol/ipkit": "workspace:*",
"@tanstack/react-query": "^5.28.9",
"next": "14.2.35",
"next": "15.0.8",
Copy link
Copy Markdown
Contributor

@wiz-6cbc7756d1 wiz-6cbc7756d1 Bot May 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Critical Vulnerability Finding

The following vulnerabilities impact next versions <15.5.16: CVE-2024-56332, CVE-2025-29927, CVE-2025-32421, CVE-2025-48068, CVE-2025-49826, CVE-2025-55173, CVE-2025-57752, CVE-2025-57822, CVE-2025-59471, CVE-2026-23869, CVE-2026-23870, CVE-2026-27980, CVE-2026-29057, CVE-2026-44572, CVE-2026-44573, CVE-2026-44576, CVE-2026-44577, CVE-2026-44578, CVE-2026-44579, CVE-2026-44580, CVE-2026-44581, CVE-2026-44582.

These can be remediated by updating to version 15.5.16 or higher.

To ignore this finding as an exception, reply to this conversation with #wiz_ignore reason

If you'd like to ignore this finding in all future scans, add an exception in the .wiz file (learn more) or create an Ignore Rule (learn more).

To get more details on how to remediate this issue using AI, reply to this conversation with #wiz remediate

Suggested change
"next": "15.0.8",
"next": "15.5.16",

Comment thread examples/simple-setup/package.json
"@story-protocol/ipkit": "workspace:*",
"@tanstack/react-query": "^5.28.9",
"next": "14.2.35",
"next": "15.0.8",
Copy link
Copy Markdown
Contributor

@wiz-6cbc7756d1 wiz-6cbc7756d1 Bot May 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Critical Vulnerability Finding

The following vulnerabilities impact next versions <15.5.16: CVE-2024-56332, CVE-2025-29927, CVE-2025-32421, CVE-2025-48068, CVE-2025-49826, CVE-2025-55173, CVE-2025-57752, CVE-2025-57822, CVE-2025-59471, CVE-2026-23869, CVE-2026-23870, CVE-2026-27980, CVE-2026-29057, CVE-2026-44572, CVE-2026-44573, CVE-2026-44576, CVE-2026-44577, CVE-2026-44578, CVE-2026-44579, CVE-2026-44580, CVE-2026-44581, CVE-2026-44582.

These can be remediated by updating to version 15.5.16 or higher.

To ignore this finding as an exception, reply to this conversation with #wiz_ignore reason

If you'd like to ignore this finding in all future scans, add an exception in the .wiz file (learn more) or create an Ignore Rule (learn more).

To get more details on how to remediate this issue using AI, reply to this conversation with #wiz remediate

Suggested change
"next": "15.0.8",
"next": "15.5.16",

Comment thread pnpm-lock.yaml
next@14.2.35:
resolution: {integrity: sha512-KhYd2Hjt/O1/1aZVX3dCwGXM1QmOV4eNM2UTacK5gipDdPN/oHHK/4oVGy7X8GMfPMsUTUEmGlsy0EY1YGAkig==}
engines: {node: '>=18.17.0'}
next@15.0.8:
Copy link
Copy Markdown
Contributor

@wiz-6cbc7756d1 wiz-6cbc7756d1 Bot May 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Critical Vulnerability Finding

More Details

Vulnerabilities [next:15.0.8]

Name Severity Source Fixed version CVSS score CVSS exploitability score Has public exploit Has CISA KEV exploit
CVE-2024-56332 Medium https://github.com/advisories/GHSA-7m27-7ghc-44w9 15.1.2 5.3 3.9 false false
CVE-2025-29927 Critical https://github.com/advisories/GHSA-f82v-jwr5-mffw 15.2.3 9.1 3.9 true false
CVE-2025-32421 Low https://github.com/advisories/GHSA-qpjv-v59x-3qc4 15.1.6 3.7 2.2 true false
CVE-2025-48068 Low https://github.com/advisories/GHSA-3h52-269p-cp9r 15.2.2 2.3 2.8 false false
CVE-2025-49826 High https://github.com/advisories/GHSA-67rr-84xm-4c7r 15.1.8 7.5 3.9 false false
CVE-2025-55173 Medium https://github.com/advisories/GHSA-xv57-4mr9-wg8v 15.4.5 4.3 2.8 false false
CVE-2025-57752 Medium https://github.com/advisories/GHSA-g5qg-72qw-gw5v 15.4.5 6.2 2.5 false false
CVE-2025-57822 Medium https://github.com/advisories/GHSA-4342-x723-ch2f 15.4.7 8.2 3.9 true false
CVE-2025-59471 Medium https://github.com/advisories/GHSA-9g9p-9gw9-jx7f 15.5.10 7.5 3.9 false false
CVE-2026-23869 High https://github.com/advisories/GHSA-q4gf-8mx6-v5v3 15.5.15 7.5 3.9 true false
CVE-2026-23870 High https://github.com/advisories/GHSA-8h8q-6873-q5fj 15.5.16 7.5 3.9 true false
CVE-2026-27980 Medium https://github.com/advisories/GHSA-3x4c-7xq6-9pq8 15.5.14 6.9 3.9 false false
CVE-2026-29057 Medium https://github.com/advisories/GHSA-ggv3-7p47-pfv8 15.5.13 6.3 3.9 false false
CVE-2026-44572 Low https://github.com/advisories/GHSA-3g8h-86w9-wvmq 15.5.16 5.9 2.2 true false
CVE-2026-44573 High https://github.com/advisories/GHSA-36qx-fr4f-26g5 15.5.16 7.5 3.9 true false
CVE-2026-44576 Medium https://github.com/advisories/GHSA-wfc6-r584-vfw7 15.5.16 5.4 2.2 true false
CVE-2026-44577 Medium https://github.com/advisories/GHSA-h64f-5h5j-jqjh 15.5.16 5.9 2.2 true false
CVE-2026-44578 High https://github.com/advisories/GHSA-c4j6-fc7j-m34r 15.5.16 8.6 3.9 true false
CVE-2026-44579 High https://github.com/advisories/GHSA-mg66-mrh9-m8jx 15.5.16 7.5 3.9 true false
CVE-2026-44580 Medium https://github.com/advisories/GHSA-gx5p-jg67-6x7h 15.5.16 6.1 2.8 true false
CVE-2026-44581 Medium https://github.com/advisories/GHSA-ffhc-5mcf-pf4q 15.5.16 4.7 1.6 true false
CVE-2026-44582 Low https://github.com/advisories/GHSA-vfv6-92ff-j949 15.5.16 3.7 2.2 true false

To ignore this finding as an exception, reply to this conversation with #wiz_ignore reason

If you'd like to ignore this finding in all future scans, add an exception in the .wiz file (learn more) or create an Ignore Rule (learn more).


To get more details on how to remediate this issue using AI, reply to this conversation with #wiz remediate

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wiz-6cbc7756d1 wiz-6cbc7756d1[bot] wiz-6cbc7756d1[bot] left review comments

@LeoHChen LeoHChen Awaiting requested review from LeoHChen LeoHChen is a code owner

@samfairbairn samfairbairn Awaiting requested review from samfairbairn samfairbairn is a code owner

@allenchuang allenchuang Awaiting requested review from allenchuang allenchuang is a code owner

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

depagent Created by depagent security Created by depagent

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@vtiwari-story