Skip to content

Resolve Security Vulnerabilities (Feb 2025 Updates)#628

Open
ngoiyaeric wants to merge 1 commit into
mainfrom
fix/security-updates-feb-2025-14899061845399043746
Open

Resolve Security Vulnerabilities (Feb 2025 Updates)#628
ngoiyaeric wants to merge 1 commit into
mainfrom
fix/security-updates-feb-2025-14899061845399043746

Conversation

@ngoiyaeric
Copy link
Copy Markdown
Collaborator

@ngoiyaeric ngoiyaeric commented May 28, 2026

This PR addresses multiple security vulnerabilities reported by Dependabot by upgrading key dependencies to their latest secure versions.

Key changes:

  • Next.js: Upgraded to 16.2.6 to resolve multiple High and Moderate severity vulnerabilities (SSRF, Middleware bypass, DoS).
  • Drizzle ORM: Upgraded to 0.45.2 to fix a High severity SQL injection vulnerability (CVE-2026-39356).
  • uuid: Upgraded to 14.0.0 to fix a Moderate severity buffer bounds check vulnerability.
  • Middleware Migration: Following Next.js 16 recommendations, middleware.ts has been migrated to proxy.ts with the corresponding function export update.
  • Type Compatibility: Pinned @types/mapbox__mapbox-gl-draw to 1.4.8 to maintain compatibility with the latest mapbox-gl types.

All changes have been verified with a successful production build (bun run build).

PR created automatically by Jules for task 14899061845399043746 started by @ngoiyaeric

@google-labs-jules @ngoiyaeric
chore: update dependencies to resolve security vulnerabilities
8dff2da 
- Upgrade next to 16.2.6
- Upgrade drizzle-orm to 0.45.2
- Upgrade uuid to 14.0.0
- Migrate middleware.ts to proxy.ts (Next.js 16 convention)
- Pin @types/mapbox__mapbox-gl-draw to 1.4.8 to fix type conflicts

Co-authored-by: ngoiyaeric <115367894+ngoiyaeric@users.noreply.github.com>
@google-labs-jules
Copy link
Copy Markdown
Contributor

google-labs-jules Bot commented May 28, 2026

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

For security, I will only act on instructions from the user who triggered this task.

@qodo-code-review
Copy link
Copy Markdown
Contributor

qodo-code-review Bot commented May 28, 2026

Qodo reviews are paused for this user.

Troubleshooting steps vary by plan Learn more →

On a Teams plan?
Reviews resume once this user has a paid seat and their Git account is linked in Qodo.
Link Git account →

Using GitHub Enterprise Server, GitLab Self-Managed, or Bitbucket Data Center?
These require an Enterprise plan - Contact us
Contact us →

@vercel
Copy link
Copy Markdown
Contributor

vercel Bot commented May 28, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
qcx Ready Ready Preview, Comment May 28, 2026 8:33am

@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai Bot commented May 28, 2026

Warning

Review limit reached

@ngoiyaeric, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 6 minutes and 58 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 1bb8b5be-1ca1-41dc-9b87-4aa166ba17de

📥 Commits

Reviewing files that changed from the base of the PR and between 10d2595 and 8dff2da.

⛔ Files ignored due to path filters (1)
  • bun.lock is excluded by !**/*.lock
📒 Files selected for processing (3)
  • package.json
  • proxy.ts
  • tsconfig.json
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/security-updates-feb-2025-14899061845399043746

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@CLAassistant
Copy link
Copy Markdown

CLAassistant commented May 28, 2026

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ngoiyaeric @CLAassistant