Skip to content

ci(deps): update pi-sidecar to 1.1.1 and fix 9 dependabot alerts#1136

Merged
myakove merged 2 commits into
mainfrom
ci/update-pi-sidecar-1.1.1
Jun 24, 2026
Merged

ci(deps): update pi-sidecar to 1.1.1 and fix 9 dependabot alerts#1136
myakove merged 2 commits into
mainfrom
ci/update-pi-sidecar-1.1.1

Conversation

@myakove

@myakove myakove commented Jun 24, 2026

Copy link
Copy Markdown
Collaborator

Summary

Bump @myk-org/pi-sidecar from 1.1.0 to 1.1.1 and add npm overrides to fix all 9 open Dependabot security alerts.

Changes

File Change
sidecar-helper/package.json Bump pi-sidecar, add overrides for undici and uuid
sidecar-helper/package-lock.json Updated lockfile — 0 vulnerabilities

Alerts Fixed

# Package Severity Advisory
39 pi-coding-agent High Predictable temp extension paths
40 pi-coding-agent Medium Extensions loaded without approval
38 pi-coding-agent Low Race condition in auth.json
37 pi-coding-agent Low XSS in HTML session exports
42 undici High WebSocket DoS
43 undici Medium HTTP header injection
44 undici Low SameSite attribute downgrade
41 undici Low Response queue poisoning
36 uuid Medium Missing buffer bounds check

Verification

npm audit → found 0 vulnerabilities

Bump @myk-org/pi-sidecar from 1.1.0 to 1.1.1 which fixes:
- @earendil-works/pi-coding-agent vulnerabilities (4 alerts)

Add npm overrides for transitive dependencies:
- undici >=6.27.0 (4 alerts via discord.js)
- uuid >=11.1.1 (1 alert via gaxios)

npm audit now shows 0 vulnerabilities.
@myakove-bot

Copy link
Copy Markdown
Collaborator

Report bugs in Issues

Welcome! 🎉

This pull request will be automatically processed with the following features:

🔄 Automatic Actions

  • Reviewer Assignment: Reviewers are automatically assigned based on the OWNERS file in the repository root
  • Size Labeling: PR size labels (XS, S, M, L, XL, XXL) are automatically applied based on changes
  • Issue Creation: Disabled for this repository
  • Pre-commit Checks: pre-commit runs automatically if .pre-commit-config.yaml exists
  • Branch Labeling: Branch-specific labels are applied to track the target branch
  • Auto-verification: Auto-verified users have their PRs automatically marked as verified
  • Labels: All label categories are enabled (default configuration)

📋 Available Commands

PR Status Management

  • /wip - Mark PR as work in progress (adds WIP: prefix to title)
  • /wip cancel - Remove work in progress status
  • /hold - Block PR merging (approvers only)
  • /hold cancel - Unblock PR merging
  • /verified - Mark PR as verified
  • /verified cancel - Remove verification status
  • /reprocess - Trigger complete PR workflow reprocessing (useful if webhook failed or configuration changed)
  • /regenerate-welcome - Regenerate this welcome message
  • /security-override - Set security check runs to pass (maintainers only)
  • /security-override cancel - Re-run security checks

Review & Approval

  • /lgtm - Approve changes (looks good to me)
  • /approve - Approve PR (approvers only)
  • /automerge - Enable automatic merging when all requirements are met (maintainers and approvers only)
  • /assign-reviewers - Assign reviewers based on OWNERS file
  • /assign-reviewer @username - Assign specific reviewer
  • /check-can-merge - Check if PR meets merge requirements

Testing & Validation

  • /retest tox - Run Python test suite with tox
  • /retest build-container - Rebuild and test container image
  • /retest python-module-install - Test Python package installation
  • /retest pre-commit - Run pre-commit hooks and checks
  • /retest conventional-title - Validate commit message format
  • /retest all - Run all available tests

Container Operations

  • /build-and-push-container - Build and push container image (tagged with PR number)
    • Supports additional build arguments: /build-and-push-container --build-arg KEY=value

Cherry-pick Operations

  • /cherry-pick <branch> - Schedule cherry-pick to target branch when PR is merged
    • Multiple branches: /cherry-pick branch1 branch2 branch3
  • /cherry-pick-retry <branch> - Retry a failed cherry-pick (merged PRs only)

Branch Management

  • /rebase - Rebase this PR branch onto its base branch

Label Management

  • /<label-name> - Add a label to the PR
  • /<label-name> cancel - Remove a label from the PR

✅ Merge Requirements

This PR will be automatically approved when the following conditions are met:

  1. Approval: /approve from at least one approver
  2. LGTM Count: Minimum 1 /lgtm from reviewers
  3. Status Checks: All required status checks must pass
  4. No Blockers: No wip, hold, has-conflicts labels and PR must be mergeable (no conflicts)
  5. Verified: PR must be marked as verified

📊 Review Process

Approvers and Reviewers

Approvers:

  • myakove
  • rnetser

Reviewers:

  • myakove
  • rnetser
Available Labels
  • hold
  • verified
  • wip
  • lgtm
  • approve
  • automerge
AI Features
  • Conventional Title: Mode: fix (claude/claude-opus-4-6-1m)
  • Cherry-Pick Conflict Resolution: Enabled (claude/claude-opus-4-6-1m)
  • Test Oracle: Triggers: approved (claude/claude-opus-4-6[1m]); /test-oracle can be used anytime
Security Checks
  • Suspicious Path Detection: Monitors paths: .claude/, .vscode/, .cursor/, .devcontainer/, .pi/, .github/workflows/, .github/actions/
  • Committer Identity Check: Verifies last committer matches PR author
  • Mandatory: Security checks block merge (use /security-override to bypass — maintainers only)

💡 Tips

  • WIP Status: Use /wip when your PR is not ready for review
  • Verification: The verified label is removed on new commits unless the push is detected as a clean rebase
  • Cherry-picking: Cherry-pick labels are processed when the PR is merged
  • Container Builds: Container images are automatically tagged with the PR number
  • Permission Levels: Some commands require approver permissions
  • Auto-verified Users: Certain users have automatic verification and merge privileges

For more information, please refer to the project documentation or contact the maintainers.

@qodo-code-review

Copy link
Copy Markdown

PR Summary by Qodo

ci(deps): resolve pi-sidecar 1.1.1 and override undici/uuid for audit fixes
🐞 Bug fix ⚙️ Configuration changes 🕐 10-20 Minutes

Grey Divider

Description

• Resolve @myk-org/pi-sidecar to 1.1.1 to pick up upstream security fixes.
• Add npm overrides for undici and uuid to remediate transitive Dependabot alerts.
• Regenerate package-lock to reflect the new resolved dependency graph.
Diagram

graph TD
  A["sidecar-helper/package.json"] --> B["npm install"] --> C["@myk-org/pi-sidecar@1.1.1"] --> D["pi-coding-agent (transitive)"]
  B --> E["override: undici >=6.27.0"]
  B --> F["override: uuid >=11.1.1"]
Loading
High-Level Assessment

The following are alternative approaches to this PR:

1. Upgrade the top-level dependents instead of overriding
  • ➕ Avoids forcing versions that upstream packages may not have validated
  • ➕ Less risk of subtle runtime incompatibilities from overrides
  • ➖ May require larger upgrade surface (breaking changes)
  • ➖ Not always possible when vulnerable packages are deeply transitive
2. Pin exact versions (no ranges) for overrides
  • ➕ More deterministic installs and reproducibility across environments
  • ➕ Easier to reason about exactly what version fixed the advisory
  • ➖ Requires manual follow-up bumps for future patches
  • ➖ Can unnecessarily block compatible patch/minor updates

Recommendation: Current approach (pi-sidecar resolution + npm overrides) is pragmatic for quickly clearing transitive security alerts with minimal blast radius. If runtime issues appear, the next step should be upgrading the top-level dependents that bring in undici/uuid, then removing overrides to restore upstream-supported versioning.

Files changed (2) +4 / -0

Other (2) +4 / -0
package.jsonAdd npm overrides for patched undici/uuid versions +4/-0

Add npm overrides for patched undici/uuid versions

• Introduces an npm "overrides" block to force minimum safe versions of undici and uuid across the dependency tree. This is intended to remediate transitive security advisories without requiring broader dependency upgrades.

sidecar-helper/package.json

package-lock.jsonRegenerate lockfile with updated resolutions (pi-sidecar 1.1.1, overrides applied) +0/-0

Regenerate lockfile with updated resolutions (pi-sidecar 1.1.1, overrides applied)

• Updates the npm lockfile to reflect the resolved dependency graph, including @myk-org/pi-sidecar resolving to 1.1.1 and patched transitive versions of undici/uuid. This ensures consistent installs and aligns with a clean npm audit result.

sidecar-helper/package-lock.json

@qodo-code-review

qodo-code-review Bot commented Jun 24, 2026

Copy link
Copy Markdown

Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (0) 📜 Skill insights (0)

Context used
✅ Compliance rules (platform): 30 rules

Grey Divider


Remediation recommended

1. UUID override floats majors ✓ Resolved 🐞 Bug ☼ Reliability
Description
sidecar-helper/package.json overrides uuid with an open-ended ">=11.1.1" range, allowing npm to
select much newer majors than transitive deps declare. The lockfile shows dependencies requesting
uuid: ^9.0.1 while the resolved uuid is 14.0.1, which raises compatibility risk for consumers
not tested against that major.
Code

sidecar-helper/package.json[R17-19]

+  "overrides": {
+    "undici": ">=6.27.0",
+    "uuid": ">=11.1.1"
Relevance

⭐⭐ Medium

No historical evidence for rejecting/accepting open-ended uuid overrides; closest dependency-version
guidance is unrelated/undetermined.

PR-#1127

ⓘ Recommendations generated based on similar findings in past PRs

Evidence
The PR adds an open-ended uuid override, and the lockfile shows it forces a major version (14.0.1)
even where transitive dependencies declare ^9.0.1.

sidecar-helper/package.json[16-20]
sidecar-helper/package-lock.json[57-71]
sidecar-helper/package-lock.json[4282-4294]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`overrides.uuid` is set to `>=11.1.1`, which can float to newer major versions and override transitive packages that requested older major versions.

## Issue Context
The lockfile shows transitive deps requesting `uuid ^9.0.1`, but the resolved/installed `uuid` is `14.0.1`.

## Fix Focus Areas
- sidecar-helper/package.json[17-19]

### Suggested fix
Use a bounded range (e.g. `^11.1.1`) or an exact patched version that fixes the advisory while avoiding major jumps. If only one dependency subtree needs the override, scope it to that subtree rather than overriding all `uuid` usage globally.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


2. Undici override floats majors ✓ Resolved 🐞 Bug ☼ Reliability
Description
sidecar-helper/package.json overrides undici with an open-ended ">=6.27.0" range, allowing npm
to select newer major versions than transitive deps declare. In the current lockfile, packages that
declare undici: 6.24.1 are forced onto undici@8.5.0, which increases the risk of runtime
incompatibilities when those deps were not authored/tested against undici v8.
Code

sidecar-helper/package.json[R17-19]

+  "overrides": {
+    "undici": ">=6.27.0",
+    "uuid": ">=11.1.1"
Relevance

⭐⭐ Medium

No prior review pattern on npm overrides floating majors; only sidecar lockfile resolution comments
in PR #1127.

PR-#1127

ⓘ Recommendations generated based on similar findings in past PRs

Evidence
The PR introduces the open-ended override, and the lockfile demonstrates it results in a
major-version resolution that conflicts with transitive dependency declarations (6.24.1 requested vs
8.5.0 resolved).

sidecar-helper/package.json[10-20]
sidecar-helper/package-lock.json[663-681]
sidecar-helper/package-lock.json[3572-3591]
sidecar-helper/package-lock.json[4267-4275]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`overrides.undici` is set to an open-ended range (`>=6.27.0`), which can float to newer major versions and override transitive packages that requested older undici versions.

## Issue Context
The lockfile shows transitive deps still declare `undici: 6.24.1`, but the resolved/installed `undici` is `8.5.0`.

## Fix Focus Areas
- sidecar-helper/package.json[17-19]

### Suggested fix
Change the override to a tested, bounded range (e.g. `^6.27.0`) or an exact patched version (e.g. `6.27.x`) that addresses the advisories without permitting major-version jumps. If only specific subtrees need overriding, scope the override to those packages instead of globally overriding all `undici` consumers.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


Grey Divider

Qodo Logo

Comment thread sidecar-helper/package.json Outdated
Comment thread sidecar-helper/package.json Outdated
Change undici override from >=6.27.0 to ^6.27.0 (stays in 6.x)
Change uuid override from >=11.1.1 to ^11.1.1 (stays in 11.x)

Addresses Qodo review finding about open-ended overrides allowing
unintended major version jumps for transitive dependencies.
@myakove

myakove commented Jun 24, 2026

Copy link
Copy Markdown
Collaborator Author

@qodo-code-review[bot]

The following review comments were reviewed and a decision was made:

sidecar-helper/package.json:17 (qodo bug) — Undici override floats majors

Addressed: Fixed in commit a80ef17 — changed overrides from open-ended >= to bounded ^ ranges:

  • undici: >=6.27.0^6.27.0 (resolves to 6.27.0 for discord.js deps, stays in 6.x)
  • uuid: >=11.1.1^11.1.1 (resolves to 11.1.1, stays in 11.x)

npm audit still shows 0 vulnerabilities.

sidecar-helper/package.json:17 (qodo bug) — UUID override floats majors

Addressed: Fixed in commit a80ef17 — changed overrides from open-ended >= to bounded ^ ranges:

  • undici: >=6.27.0^6.27.0 (resolves to 6.27.0 for discord.js deps, stays in 6.x)
  • uuid: >=11.1.1^11.1.1 (resolves to 11.1.1, stays in 11.x)

npm audit still shows 0 vulnerabilities.

@qodo-code-review

Copy link
Copy Markdown

code-review[bot]

The following review comments were reviewed and a decision was made:

sidecar-helper/package.json:17 (qodo bug) — Undici override floats majors

Addressed: Fixed in commit a80ef17 — changed overrides from open-ended >= to bounded ^ ranges:

  • undici: >=6.27.0^6.27.0 (resolves to 6.27.0 for discord.js deps, stays in 6.x)
  • uuid: >=11.1.1^11.1.1 (resolves to 11.1.1, stays in 11.x)

npm audit still shows 0 vulnerabilities.

sidecar-helper/package.json:17 (qodo bug) — UUID override floats majors

Addressed: Fixed in commit a80ef17 — changed overrides from open-ended >= to bounded ^ ranges:

  • undici: >=6.27.0^6.27.0 (resolves to 6.27.0 for discord.js deps, stays in 6.x)
  • uuid: >=11.1.1^11.1.1 (resolves to 11.1.1, stays in 11.x)

npm audit still shows 0 vulnerabilities.

Thanks — both finding 1 and finding 2 are already marked implemented, so there’s nothing else to do here. The bounded ^ overrides keep undici and uuid within their respective major versions, and npm audit still reports 0 vulnerabilities.

@qodo-code-review

Copy link
Copy Markdown

Code review by qodo was updated up to the latest commit a80ef17

@myakove myakove merged commit 95ad8f9 into main Jun 24, 2026
8 of 10 checks passed
@myakove myakove deleted the ci/update-pi-sidecar-1.1.1 branch June 24, 2026 05:13
@myakove-bot

Copy link
Copy Markdown
Collaborator

New container for ghcr.io/myk-org/github-webhook-server:latest published

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants