@davidkonigsberg
Collaborator

Short description of the changes made

Fix CVE-2025-57319
Fix CVE-2025-48985

What was the motivation & context behind this PR?

SOC 2

How has this PR been tested?

tested in CI

@vercel
Contributor

vercel bot commented Nov 7, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Preview | Updated (UTC) |
| --- | --- | --- | --- |
| dev.ferndocs.com | Ready | Preview | Nov 10, 2025 5:50pm |
| fern-dashboard | Ready | Preview | Nov 10, 2025 5:50pm |
| fern-dashboard-dev | Ready | Preview | Nov 10, 2025 5:50pm |
| ferndocs.com | Ready | Preview | Nov 10, 2025 5:50pm |
| preview.ferndocs.com | Ready | Preview | Nov 10, 2025 5:50pm |
| prod-assets.ferndocs.com | Ready | Preview | Nov 10, 2025 5:50pm |
| prod.ferndocs.com | Ready | Preview | Nov 10, 2025 5:50pm |

1 Skipped Deployment

| Project | Deployment | Preview | Updated (UTC) |
| --- | --- | --- | --- |
| fern-platform | Ignored | | Nov 10, 2025 5:50pm |

- Change chunk.chunk.type from 'text' to 'text-delta' in stream-anthropic.ts and stream-cohere.ts
- Change chunk.chunk.text property access (text-delta uses 'text' not 'delta')
- Replace embeddingModel.modelId with embeddingModel.valueOf().toString() in all files
- Fixes TypeScript compilation errors after upgrading ai package from 5.0.0-beta.2 to 5.0.86

Co-Authored-By: David Konigsberg <[email protected]>
@github-actions
Contributor

github-actions bot commented Nov 10, 2025

🌱 Smoke Test Preview

Testing branch changes with smoke test content:

🕷️ Smoke Test Crawler Results

Pages crawled: 29
Successful: 29 ✅
With errors: 0

🎉 All pages loaded successfully with no errors!

@davidkonigsberg davidkonigsberg merged commit 5fe96ad into app Nov 11, 2025
21 checks passed
@davidkonigsberg davidkonigsberg deleted the dak/soc2/remediate-low-vulns branch November 11, 2025 15:27
devin-ai-integration bot added a commit that referenced this pull request Nov 11, 2025
…-48985

This fixes dependabot alert #234 by adding a pnpm override to force all
instances of the 'ai' package (including transitive dependencies) to use
version 5.0.86, which remediates CVE-2025-48985.

The previous PR #4891 updated the ai package to 5.0.86 in most places,
but @ai-sdk/[email protected] (a devDependency in search-ui) was still
pulling in [email protected], which is vulnerable. The pnpm override ensures
all instances use the patched version.

Fixes: https://github.com/fern-api/fern-platform/security/dependabot/234
Co-Authored-By: David Konigsberg <[email protected]>
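
A check for the situation the commit message above describes, where a transitive dependency keeps an older copy of a package after the direct dependency was upgraded. This is an added example, not code from the pull request or the fern-platform repository; the lockfile excerpt, the function names and the override snippet in the comment are assumptions made for illustration.

```javascript
// Added example: confirm that an override left no older copy of a package in pnpm-lock.yaml.
// Assumed form of the override in the root package.json (the commit's diff is not on this page):
//   "pnpm": { "overrides": { "ai": "5.0.86" } }

// Constructed lockfile excerpt. It mixes key styles on purpose; every version
// other than 5.0.86 and 5.0.0-beta.2 is a placeholder.
const SAMPLE_LOCK = [
  "packages:",
  "",
  "  '@ai-sdk/react@0.0.0-example(react@18.3.1)':",
  "    resolution: {integrity: sha512-constructed}",
  "",
  "  ai@5.0.0-beta.2(zod@3.25.0):",
  "    resolution: {integrity: sha512-constructed}",
  "",
  "  /ai@5.0.86(zod@3.25.0):",
  "    resolution: {integrity: sha512-constructed}",
  "",
  "  openai@0.0.0-example:",
  "    resolution: {integrity: sha512-constructed}",
].join("\n");

// Package keys sit at two-space indent: optional quote, optional leading "/"
// (older lockfile versions), name, "@", version, optional "(peer@x)" suffix.
const KEY = /^ {2}'?\/?((?:@[^\/\s]+\/)?[^@\s\/']+)@([^(:'\s]+)/;

function resolvedVersions(lockText, name) {
  const found = new Set();
  for (const line of lockText.split("\n")) {
    const m = KEY.exec(line);
    if (m && m[1] === name) found.add(m[2]); // exact name match: "openai" is not "ai"
  }
  return [...found].sort();
}

// True when v is older than min. Assumes min is a plain x.y.z release.
function isBelow(v, min) {
  const dash = v.indexOf("-");
  const core = (dash === -1 ? v : v.slice(0, dash)).split(".").map(Number);
  const floor = min.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (core[i] !== floor[i]) return core[i] < floor[i];
  }
  return dash !== -1; // same core: a prerelease sorts before the release
}

function staleInstances(lockText, name, min) {
  return resolvedVersions(lockText, name).filter((v) => isBelow(v, min));
}
```

Run against a real lockfile by passing the file contents as `lockText`; a non-empty result from `staleInstances` means some dependency path still resolves to a version below the patched one.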