fix: override vulnerable transitive deps

2026-02-09 05:19:32 +08:00 · 2026-02-01 14:29:45 -08:00
parent 1bdd9e313f
commit 2601f413c3
2 changed files with 76 additions and 56 deletions
--- a/package.json
+++ b/package.json
@@ -179,6 +179,7 @@
    "express": "^5.2.1",
    "file-type": "^21.3.0",
    "grammy": "^1.39.3",
+    "hono": "4.11.7",
    "jiti": "^2.6.1",
    "json5": "^2.2.3",
    "jszip": "^3.10.1",
@@ -237,8 +238,14 @@
  "pnpm": {
    "minimumReleaseAge": 2880,
    "overrides": {
+      "fast-xml-parser": "5.3.4",
+      "form-data": "2.5.4",
+      "@hono/node-server>hono": "4.11.7",
+      "hono": "4.11.7",
+      "qs": "6.14.1",
      "@sinclair/typebox": "0.34.47",
-      "tar": "7.5.7"
+      "tar": "7.5.7",
+      "tough-cookie": "4.1.3"
    }
  },
  "vitest": {
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -5,8 +5,14 @@ settings:
  excludeLinksFromLockfile: false

 overrides:
+  fast-xml-parser: 5.3.4
+  form-data: 2.5.4
+  '@hono/node-server>hono': 4.11.7
+  hono: 4.11.7
+  qs: 6.14.1
  '@sinclair/typebox': 0.34.47
  tar: 7.5.7
+  tough-cookie: 4.1.3

 importers:

@@ -20,7 +26,7 @@ importers:
        version: 3.980.0
      '@buape/carbon':
        specifier: 0.14.0
-        version: 0.14.0(hono@4.11.4)
+        version: 0.14.0(hono@4.11.7)
      '@clack/prompts':
        specifier: ^1.0.0
        version: 1.0.0
@@ -102,6 +108,9 @@ importers:
      grammy:
        specifier: ^1.39.3
        version: 1.39.3
+      hono:
+        specifier: 4.11.7
+        version: 4.11.7
      jiti:
        specifier: ^2.6.1
        version: 2.6.1
@@ -1044,7 +1053,7 @@ packages:
    resolution: {integrity: sha512-vHL6w3ecZsky+8P5MD+eFfaGTyCeOHUIFYMGpQGbrBTSmNNoxv0if69rEZ5giu36weC5saFuznL411gRX7bJDw==}
    engines: {node: '>=18.14.1'}
    peerDependencies:
-      hono: ^4
+      hono: 4.11.7

  '@huggingface/jinja@0.5.4':
    resolution: {integrity: sha512-VoQJywjpjy2D88Oj0BTHRuS8JCbUgoOg5t1UGgbtGh2fRia9Dx/k6Wf8FqrEWIvWK9fAkfJeeLB9fcSpCNPCpw==}
@@ -3437,8 +3446,8 @@ packages:
  fast-uri@3.1.0:
    resolution: {integrity: sha512-iPeeDKJSWf4IEOasVVrknXpaBV0IApz/gp7S2bb7Z4Lljbl2MGJRqInZiUrQwV16cpzw/D3S5j5Julj/gT52AA==}

-  fast-xml-parser@5.2.5:
-    resolution: {integrity: sha512-pfX9uG9Ki0yekDHx2SiuRIyFdyAr1kMIMitPvb0YBo8SUfKvia7w7FIyd/l6av85pFYRhZscS75MwMnbvY+hcQ==}
+  fast-xml-parser@5.3.4:
+    resolution: {integrity: sha512-EFd6afGmXlCx8H8WTZHhAoDaWaGyuIBoZJ2mknrNxug+aZKjkp0a0dlars9Izl+jF+7Gu1/5f/2h68cQpe0IiA==}
    hasBin: true

  fdir@6.5.0:
@@ -3497,17 +3506,10 @@ packages:
  forever-agent@0.6.1:
    resolution: {integrity: sha512-j0KLYPhm6zeac4lz3oJ3o65qvgQCcPubiyotZrXqEaG4hNagNYO8qdlUrX5vwqv9ohqeT/Z3j6+yW067yWWdUw==}

-  form-data@2.3.3:
-    resolution: {integrity: sha512-1lLKB2Mu3aGP1Q/2eCOx0fNbRMe7XdwktwOruhfqqd0rIJWwN4Dh+E3hrPSlDCXnSR7UtZ1N38rVXm+6+MEhJQ==}
+  form-data@2.5.4:
+    resolution: {integrity: sha512-Y/3MmRiR8Nd+0CUtrbvcKtKzLWiUfpQ7DFVggH8PwmGt/0r7RSy32GuP4hpCJlQNEBusisSx1DLtD8uD386HJQ==}
    engines: {node: '>= 0.12'}
-
-  form-data@2.5.5:
-    resolution: {integrity: sha512-jqdObeR2rxZZbPSGL+3VckHMYtu+f9//KXBsVny6JSX/pa38Fy+bGjuG8eW/H6USNQWhLi8Num++cU2yOCNz4A==}
-    engines: {node: '>= 0.12'}
-
-  form-data@4.0.5:
-    resolution: {integrity: sha512-8RipRLol37bNs2bhoV67fiTEvdTrbMUYcFTiy3+wuuOnUog2QBHCZWXDRijWQfAkhBj2Uf5UnVaiWwA5vdd82w==}
-    engines: {node: '>= 6'}
+    deprecated: This version has an incorrect dependency; please use v2.5.5

  formdata-polyfill@4.0.10:
    resolution: {integrity: sha512-buewHzMvYL29jdeQTVILecSaZKnt/RJWjoZCF5OW60Z67/GmSLBkOFM7qh1PI3zFNtJbaZL5eQu1vLfazOwj4g==}
@@ -3629,6 +3631,10 @@ packages:
    resolution: {integrity: sha512-EykJT/Q1KjTWctppgIAgfSO0tKVuZUjhgMr17kqTumMl6Afv3EISleU7qZUzoXDFTAHTDC4NOoG/ZxU3EvlMPQ==}
    engines: {node: '>=8'}

+  has-own@1.0.1:
+    resolution: {integrity: sha512-RDKhzgQTQfMaLvIFhjahU+2gGnRBK6dYOd5Gd9BzkmnBneOCRYjRC003RIMrdAbH52+l+CnMS4bBCXGer8tEhg==}
+    deprecated: This project is not maintained. Use Object.hasOwn() instead.
+
  has-symbols@1.1.0:
    resolution: {integrity: sha512-1cDNdwJ2Jaohmb3sg4OmKaMBwuC48sYni5HUw2DvsC8LjGTLK9h+eb1X6RyuOHe4hT0ULCW68iomhjUoKUqlPQ==}
    engines: {node: '>= 0.4'}
@@ -3654,8 +3660,8 @@ packages:
  highlight.js@10.7.3:
    resolution: {integrity: sha512-tzcUFauisWKNHaRkN4Wjl/ZA07gENAjFl3J/c480dprkGTg5EQstgaNFqBfUqCq54kZRIEcreTsAgF/m2quD7A==}

-  hono@4.11.4:
-    resolution: {integrity: sha512-U7tt8JsyrxSRKspfhtLET79pU8K+tInj5QZXs1jSugO1Vq5dFj3kmZsRldo29mTBfcjDRVRXrEZ6LS63Cog9ZA==}
+  hono@4.11.7:
+    resolution: {integrity: sha512-l7qMiNee7t82bH3SeyUCt9UF15EVmaBvsppY2zQtrbIhl/yzBTny+YUxsVjSjQ6gaqaeVtZmGocom8TzBlA4Yw==}
    engines: {node: '>=16.9.0'}

  hookified@1.15.0:
@@ -4621,9 +4627,8 @@ packages:
    resolution: {integrity: sha512-4EK3+xJl8Ts67nLYNwqw/dsFVnCf+qR7RgXSK9jEEm9unao3njwMDdmsdvoKBKHzxd7tCYz5e5M+SnMjdtXGQQ==}
    engines: {node: '>=0.6'}

-  qs@6.5.3:
-    resolution: {integrity: sha512-qxXIEh4pCGfHICj1mAJQ2/2XVZkjCDTcEgfoSQxc/fYivUZxTkk7L3bDBJSoNrEzXI17oUO5Dp07ktqE5KzczA==}
-    engines: {node: '>=0.6'}
+  querystringify@2.2.0:
+    resolution: {integrity: sha512-FIqgj2EUvTa7R50u0rGsyTftzjYmv/a3hO345bZNrqabNqjtgiDMgmo4mkUjd+nzU5oF3dClKqFIPUKybUyqoQ==}

  quick-format-unescaped@4.0.4:
    resolution: {integrity: sha512-tYC1Q1hgyRuHgloV/YXs2w15unPVh8qfu/qCTfhTYamaw7fyhumKa2yGpdSo87vY32rIclj+4fWYQXUMs9EHvg==}
@@ -4692,6 +4697,9 @@ packages:
    resolution: {integrity: sha512-QT7FVMXfWOYFbeRBF6nu+I6tr2Tf3u0q8RIEjNob/heKY/nh7drD/k7eeMFmSQgnTtCzLDcCu/XEnpW2wk4xCQ==}
    engines: {node: '>=9.3.0 || >=8.10.0 <9.0.0'}

+  requires-port@1.0.0:
+    resolution: {integrity: sha512-KigOCHcocU3XODJxsu8i/j8T9tzT4adHiecwORRQ0ZZFcp7ahwXuRU1m+yuO90C5ZUyGeGfocHDI14M3L3yDAQ==}
+
  resolve-pkg-maps@1.0.0:
    resolution: {integrity: sha512-seS2Tj26TBVOC2NIc2rOe2y2ZO7efxITtLZcGSOnHHNOQ7CkiUBfw0Iw2ck6xkIhPwLhKNLS8BO+hEpngQlqzw==}

@@ -5026,9 +5034,9 @@ packages:
    resolution: {integrity: sha512-sf4i37nQ2LBx4m3wB74y+ubopq6W/dIzXg0FDGjsYnZHVa1Da8FH853wlL2gtUhg+xJXjfk3kUZS3BRoQeoQBQ==}
    engines: {node: '>=6'}

-  tough-cookie@2.5.0:
-    resolution: {integrity: sha512-nlLsUzgm1kfLXSXfRZMc1KLAugd4hqJHDTvc2hDIwS3mZAfMEuMbc03SujMF+GEcpaX/qboeycw6iO8JwVv2+g==}
-    engines: {node: '>=0.8'}
+  tough-cookie@4.1.3:
+    resolution: {integrity: sha512-aX/y5pVRkfRnfmuX+OdbSdXvPe6ieKX/G2s7e98f4poJHnqH3281gDPm/metm6E/WRamfx7WC4HUqkWHfQHprw==}
+    engines: {node: '>=6'}

  tr46@0.0.3:
    resolution: {integrity: sha512-N3WMsuqV66lT30CrXNbEjx4GEwlow3v6rr4mCcv6prnfwhS01rkgyFdjPNBYd9br7LpXV1+Emh01fHnq2Gdgrw==}
@@ -5105,6 +5113,10 @@ packages:
  universal-user-agent@7.0.3:
    resolution: {integrity: sha512-TmnEAEAsBJVZM/AADELsK76llnwcf9vMKuPz8JflO1frO8Lchitr0fNaN9d+Ap0BjKtqWqd/J17qeDnXh8CL2A==}

+  universalify@0.2.0:
+    resolution: {integrity: sha512-CJ1QgKmNg3CwvAv/kOFmtnEN05f0D/cn9QntgNOQlQF9dgvVTHj3t+8JPdjqawCHk7V/KA+fbUqzZ9XWhcqPUg==}
+    engines: {node: '>= 4.0.0'}
+
  universalify@2.0.1:
    resolution: {integrity: sha512-gptHNQghINnc/vTGIk0SOFGFNXw7JVrlRUtConJRlvaw6DuX0wO5Jeko9sWrMBhh+PsYAZ7oXAiOnf/UKogyiw==}
    engines: {node: '>= 10.0.0'}
@@ -5119,6 +5131,9 @@ packages:
  url-join@4.0.1:
    resolution: {integrity: sha512-jk1+QP6ZJqyOiuEI9AEWQfju/nB2Pw466kbA0LEZljHwKeMgd9WrAEgEGxjPDD2+TNbbb37rTyhEfrCXfuKXnA==}

+  url-parse@1.5.10:
+    resolution: {integrity: sha512-WypcfiRhfeUP9vvF0j6rw0J3hrWrw6iZv3+22h6iRMJ/8z1Tj6XfLP4DsUix5MhMPnXpiHDoKyoZ/bdCkwBCiQ==}
+
  util-deprecate@1.0.2:
    resolution: {integrity: sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==}

@@ -5803,7 +5818,7 @@ snapshots:
  '@aws-sdk/xml-builder@3.972.2':
    dependencies:
      '@smithy/types': 4.12.0
-      fast-xml-parser: 5.2.5
+      fast-xml-parser: 5.3.4
      tslib: 2.8.1

  '@aws/lambda-invoke-store@0.2.3': {}
@@ -5855,14 +5870,14 @@ snapshots:

  '@borewit/text-codec@0.2.1': {}

-  '@buape/carbon@0.14.0(hono@4.11.4)':
+  '@buape/carbon@0.14.0(hono@4.11.7)':
    dependencies:
      '@types/node': 25.1.0
      discord-api-types: 0.38.37
    optionalDependencies:
      '@cloudflare/workers-types': 4.20260120.0
      '@discordjs/voice': 0.19.0
-      '@hono/node-server': 1.19.9(hono@4.11.4)
+      '@hono/node-server': 1.19.9(hono@4.11.7)
      '@types/bun': 1.3.6
      '@types/ws': 8.18.1
      ws: 8.19.0
@@ -6116,9 +6131,9 @@ snapshots:
    transitivePeerDependencies:
      - supports-color

-  '@hono/node-server@1.19.9(hono@4.11.4)':
+  '@hono/node-server@1.19.9(hono@4.11.7)':
    dependencies:
-      hono: 4.11.4
+      hono: 4.11.7
    optional: true

  '@huggingface/jinja@0.5.4': {}
@@ -7339,7 +7354,7 @@ snapshots:
      '@types/retry': 0.12.0
      axios: 1.13.4(debug@4.4.3)
      eventemitter3: 5.0.4
-      form-data: 4.0.5
+      form-data: 2.5.4
      is-electron: 2.2.2
      is-stream: 2.0.1
      p-queue: 6.6.2
@@ -7846,7 +7861,7 @@ snapshots:
      '@types/caseless': 0.12.5
      '@types/node': 25.1.0
      '@types/tough-cookie': 4.0.5
-      form-data: 2.5.5
+      form-data: 2.5.4

  '@types/retry@0.12.0': {}

@@ -8224,7 +8239,7 @@ snapshots:
  axios@1.13.4(debug@4.4.3):
    dependencies:
      follow-redirects: 1.15.11(debug@4.4.3)
-      form-data: 4.0.5
+      form-data: 2.5.4
      proxy-from-env: 1.1.0
    transitivePeerDependencies:
      - debug
@@ -8729,7 +8744,7 @@ snapshots:

  fast-uri@3.1.0: {}

-  fast-xml-parser@5.2.5:
+  fast-xml-parser@5.3.4:
    dependencies:
      strnum: 2.1.2

@@ -8797,29 +8812,15 @@ snapshots:

  forever-agent@0.6.1: {}

-  form-data@2.3.3:
-    dependencies:
-      asynckit: 0.4.0
-      combined-stream: 1.0.8
-      mime-types: 2.1.35
-
-  form-data@2.5.5:
+  form-data@2.5.4:
    dependencies:
      asynckit: 0.4.0
      combined-stream: 1.0.8
      es-set-tostringtag: 2.1.0
-      hasown: 2.0.2
+      has-own: 1.0.1
      mime-types: 2.1.35
      safe-buffer: 5.2.1

-  form-data@4.0.5:
-    dependencies:
-      asynckit: 0.4.0
-      combined-stream: 1.0.8
-      es-set-tostringtag: 2.1.0
-      hasown: 2.0.2
-      mime-types: 2.1.35
-
  formdata-polyfill@4.0.10:
    dependencies:
      fetch-blob: 3.2.0
@@ -8974,6 +8975,8 @@ snapshots:

  has-flag@4.0.0: {}

+  has-own@1.0.1: {}
+
  has-symbols@1.1.0: {}

  has-tostringtag@1.0.2:
@@ -8997,8 +9000,7 @@ snapshots:

  highlight.js@10.7.3: {}

-  hono@4.11.4:
-    optional: true
+  hono@4.11.7: {}

  hookified@1.15.0: {}

@@ -10034,7 +10036,7 @@ snapshots:
    dependencies:
      side-channel: 1.1.0

-  qs@6.5.3: {}
+  querystringify@2.2.0: {}

  quick-format-unescaped@4.0.4: {}

@@ -10094,7 +10096,7 @@ snapshots:
      request: 2.88.2
      request-promise-core: 1.1.4(request@2.88.2)
      stealthy-require: 1.1.1
-      tough-cookie: 2.5.0
+      tough-cookie: 4.1.3

  request@2.88.2:
    dependencies:
@@ -10104,7 +10106,7 @@ snapshots:
      combined-stream: 1.0.8
      extend: 3.0.2
      forever-agent: 0.6.1
-      form-data: 2.3.3
+      form-data: 2.5.4
      har-validator: 5.1.5
      http-signature: 1.2.0
      is-typedarray: 1.0.0
@@ -10113,9 +10115,9 @@ snapshots:
      mime-types: 2.1.35
      oauth-sign: 0.9.0
      performance-now: 2.1.0
-      qs: 6.5.3
+      qs: 6.14.1
      safe-buffer: 5.2.1
-      tough-cookie: 2.5.0
+      tough-cookie: 4.1.3
      tunnel-agent: 0.6.0
      uuid: 3.4.0

@@ -10130,6 +10132,8 @@ snapshots:
    transitivePeerDependencies:
      - supports-color

+  requires-port@1.0.0: {}
+
  resolve-pkg-maps@1.0.0: {}

  restore-cursor@5.1.0:
@@ -10573,10 +10577,12 @@ snapshots:

  totalist@3.0.1: {}

-  tough-cookie@2.5.0:
+  tough-cookie@4.1.3:
    dependencies:
      psl: 1.15.0
      punycode: 2.3.1
+      universalify: 0.2.0
+      url-parse: 1.5.10

  tr46@0.0.3: {}

@@ -10634,6 +10640,8 @@ snapshots:

  universal-user-agent@7.0.3: {}

+  universalify@0.2.0: {}
+
  universalify@2.0.1: {}

  unpipe@1.0.0: {}
@@ -10644,6 +10652,11 @@ snapshots:

  url-join@4.0.1: {}

+  url-parse@1.5.10:
+    dependencies:
+      querystringify: 2.2.0
+      requires-port: 1.0.0
+
  util-deprecate@1.0.2: {}

  utils-merge@1.0.1: {}