
Commit 133b66d

committed
fix(security): audit and harden existing examples against supply-chain attacks
260-nestjs-websocket-stt (HIGH — 3 CVEs fixed): - path-to-regexp 8.3.0 → 8.4.2 via npm audit fix (GHSA-j3q9-mxjg-w52f, GHSA-27v5-c462-wpq7) - @nestjs/core and @nestjs/platform-express 11.1.17 → 11.1.18 - Pinned all ^ ranges to exact versions in package.json 310-crewai-voice-agents-python (CVE documented): - crewai[tools]>=1.12.0 → ==1.13.0 - deepgram-sdk==v6.1.1 → ==6.1.1 (removed invalid v prefix) - python-dotenv>=1.0.0 → ==1.1.1 - CVE-2026-25645 (requests 2.32.5) documented: crewai-tools==1.13.0 pins requests~=2.32.5 upstream; cannot override without breaking tools 200, 240, 270, 280 (pinning): - Replaced all ^ and ~ ranges with exact versions from resolved lockfiles - No vulnerabilities found in these examples 270-sveltekit-live-transcription-ts (LOW — upstream blocker): - cookie <0.7.0 vulnerability via @sveltejs/kit; npm audit fix --force would downgrade to 0.0.30 (breaking). Upstream issue, monitored.
1 parent c211dd7 commit 133b66d


9 files changed

+64
-61
lines changed


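--- a/examples/200-vanilla-js-browser-transcription/package.json
+++ b/examples/200-vanilla-js-browser-transcription/package.json
@@ -8,11 +8,11 @@
 "test": "node tests/test.js"
 },
 "dependencies": {
-"@deepgram/sdk": "^5.0.0",
-"dotenv": "^16.4.0",
-"express": "^4.21.0",
-"express-ws": "^5.0.2",
-"ws": "^8.18.0"
+"@deepgram/sdk": "5.0.0",
+"dotenv": "16.6.1",
+"express": "4.22.1",
+"express-ws": "5.0.2",
+"ws": "8.20.0"
 },
 "engines": {
 "node": ">=18"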
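Review bot: Exact versions in `dependencies` pin only the five direct packages; everything they pull in transitively still resolves by range unless a lockfile is committed and installs run `npm ci`. No `package-lock.json` change for this example appears in the commit, so it is worth confirming that one is checked in. The path-to-regexp advisory fixed in 260 is not a direct dependency there and appears to have been resolved through the lockfile, which a package.json pin alone would not have done. The same applies to the 240, 270 and 280 package.json sections. A line in each example's README telling users to install with `npm ci` would make the pinned tree the one that actually gets installed.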

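--- a/examples/240-nuxt-streaming-stt-tts-ts/package.json
+++ b/examples/240-nuxt-streaming-stt-tts-ts/package.json
@@ -10,9 +10,9 @@
 },
 "dependencies": {
 "@deepgram/sdk": "5.0.0",
-"nuxt": "^3.17.0"
+"nuxt": "3.21.2"
 },
 "devDependencies": {
-"typescript": "^5.8.0"
+"typescript": "5.9.3"
 }
 }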

examples/260-nestjs-websocket-stt/package-lock.json

Lines changed: 11 additions & 11 deletions

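--- a/examples/260-nestjs-websocket-stt/package.json
+++ b/examples/260-nestjs-websocket-stt/package.json
@@ -11,20 +11,20 @@
 },
 "dependencies": {
 "@deepgram/sdk": "5.0.0",
-"@nestjs/common": "^11.0.0",
-"@nestjs/core": "^11.1.17",
-"@nestjs/platform-express": "^11.1.17",
-"@nestjs/platform-socket.io": "^11.1.17",
-"@nestjs/websockets": "^11.1.17",
-"dotenv": "^16.4.0",
-"reflect-metadata": "^0.2.2",
-"rxjs": "^7.8.0",
-"socket.io": "^4.7.0"
+"@nestjs/common": "11.1.17",
+"@nestjs/core": "11.1.18",
+"@nestjs/platform-express": "11.1.18",
+"@nestjs/platform-socket.io": "11.1.17",
+"@nestjs/websockets": "11.1.17",
+"dotenv": "16.6.1",
+"reflect-metadata": "0.2.2",
+"rxjs": "7.8.2",
+"socket.io": "4.8.3"
 },
 "devDependencies": {
-"@types/node": "^22.0.0",
-"socket.io-client": "^4.8.3",
-"typescript": "^5.7.0"
+"@types/node": "22.19.15",
+"socket.io-client": "4.8.3",
+"typescript": "5.9.3"
 },
 "engines": {
 "node": ">=18"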
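Review bot: The `@nestjs/*` packages end up pinned to two different patch releases: `@nestjs/core` and `@nestjs/platform-express` at 11.1.18, while `@nestjs/common`, `@nestjs/platform-socket.io` and `@nestjs/websockets` stay at 11.1.17. These framework packages are normally kept on one version, and with exact pins the skew stays until someone edits it by hand. Unless there is a reason to hold the other three back, I would align them (presumably `"@nestjs/common": "11.1.18"` and likewise for the two others, if that release exists for each) and regenerate the lockfile in the same change.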

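--- a/examples/270-sveltekit-live-transcription-ts/package.json
+++ b/examples/270-sveltekit-live-transcription-ts/package.json
@@ -13,16 +13,16 @@
 },
 "dependencies": {
 "@deepgram/sdk": "5.0.0",
-"@sveltejs/adapter-node": "^5.2.0",
-"@sveltejs/kit": "^2.21.0",
-"@sveltejs/vite-plugin-svelte": "^5.0.0",
-"dotenv": "^16.4.0",
-"svelte": "^5.0.0",
-"vite": "^6.0.0"
+"@sveltejs/adapter-node": "5.5.4",
+"@sveltejs/kit": "2.55.0",
+"@sveltejs/vite-plugin-svelte": "5.1.1",
+"dotenv": "16.6.1",
+"svelte": "5.55.1",
+"vite": "6.4.1"
 },
 "devDependencies": {
-"typescript": "^5.7.0",
-"ws": "^8.18.0"
+"typescript": "5.9.3",
+"ws": "8.20.0"
 },
 "engines": {
 "node": ">=18"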
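Review bot: Pinning `@sveltejs/kit` to exactly `2.55.0` freezes the `cookie <0.7.0` advisory that the commit message calls an upstream blocker, and nothing in the files shown here records it. With the `^` range gone, a fixed kit release will no longer be picked up on install, so "monitored" needs a mechanism behind it, such as an automated update tool (Dependabot or Renovate) or a tracked issue. package.json cannot carry comments, so a short README note naming the advisory and explaining why `npm audit fix --force` is not applied would keep that context next to the example.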

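--- a/examples/280-express-react-live-transcription-ts/client/package.json
+++ b/examples/280-express-react-live-transcription-ts/client/package.json
@@ -10,14 +10,14 @@
 "preview": "vite preview"
 },
 "dependencies": {
-"react": "^19.0.0",
-"react-dom": "^19.0.0"
+"react": "19.2.4",
+"react-dom": "19.2.4"
 },
 "devDependencies": {
-"@types/react": "^19.0.0",
-"@types/react-dom": "^19.0.0",
-"@vitejs/plugin-react": "^4.3.0",
-"typescript": "^5.6.0",
-"vite": "^6.0.0"
+"@types/react": "19.2.14",
+"@types/react-dom": "19.2.3",
+"@vitejs/plugin-react": "4.7.0",
+"typescript": "5.9.3",
+"vite": "6.4.1"
 }
 }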

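--- a/examples/280-express-react-live-transcription-ts/package.json
+++ b/examples/280-express-react-live-transcription-ts/package.json
@@ -12,7 +12,7 @@
 "test": "node tests/test.js"
 },
 "dependencies": {
-"ws": "^8.18.0"
+"ws": "8.20.0"
 },
 "engines": {
 "node": ">=18"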

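--- a/examples/280-express-react-live-transcription-ts/server/package.json
+++ b/examples/280-express-react-live-transcription-ts/server/package.json
@@ -10,20 +10,20 @@
 },
 "dependencies": {
 "@deepgram/sdk": "5.0.0",
-"cors": "^2.8.5",
-"dotenv": "^16.4.0",
-"express": "^4.21.0",
-"express-ws": "^5.0.2",
-"ws": "^8.18.0"
+"cors": "2.8.6",
+"dotenv": "16.6.1",
+"express": "4.22.1",
+"express-ws": "5.0.2",
+"ws": "8.20.0"
 },
 "devDependencies": {
-"@types/cors": "^2.8.17",
-"@types/express": "^5.0.0",
-"@types/express-ws": "^3.0.5",
-"@types/node": "^22.0.0",
-"@types/ws": "^8.5.13",
-"ts-node": "^10.9.2",
-"typescript": "^5.6.0"
+"@types/cors": "2.8.19",
+"@types/express": "5.0.6",
+"@types/express-ws": "3.0.6",
+"@types/node": "22.19.15",
+"@types/ws": "8.18.1",
+"ts-node": "10.9.2",
+"typescript": "5.9.3"
 },
 "engines": {
 "node": ">=18"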
Lines changed: 6 additions & 3 deletions
@@ -1,3 +1,6 @@
1-
crewai[tools]>=1.12.0
2-
deepgram-sdk==v6.1.1
3-
python-dotenv>=1.0.0
1+
crewai[tools]==1.13.0
2+
deepgram-sdk==6.1.1
3+
python-dotenv==1.1.1
4+
# NOTE: crewai-tools==1.13.0 pins requests~=2.32.5 (CVE-2026-25645).
5+
# This cannot be overridden without breaking crewai-tools.
6+
# Track: https://github.com/crewAIInc/crewAI-tools/issues for a fix.
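Review bot: The three `==` pins cover only the top-level packages; pip still resolves every transitive dependency at install time, so the installed set is neither reproducible nor integrity-checked. For the supply-chain goal stated in the commit message, a fully resolved requirements file with hashes would close that gap, for example one generated with `pip-compile --generate-hashes` and installed with `pip install --require-hashes -r requirements.txt`. The new `# Track:` comment points at the project's issue list rather than one issue. Once a specific upstream issue exists I would link it directly, e.g. `# Track: <URL of the specific upstream issue>`, so the accepted CVE exception can be revisited and removed.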
