Upgrade open-cli from ^6.0.1 to ^8.0.0 in packages/stateless and packages/providers.

The old open-cli@6 pulled in file-type@16.5.4 (CJS), which was vulnerable to CVE-2026-31808 (infinite loop in ASF parser on malformed input with zero-size sub-header). open-cli@8 depends on file-type@^18.7.0, which is then resolved to ^21.3.4 by the existing pnpm override (file-type@>=17.0.0 <21.3.4), a version that includes the fix.

Advisory: GHSA-5v7r-6r5c-r473
Strategy: Replace parent dependency (open-cli 6→8)

Co-authored-by: Dima Grossman <dima@grossman.io>
✅ Deploy Preview for dashboard-v2-novu-staging canceled.
Hey there and thank you for opening this pull request! 👋 We require pull request titles to follow specific formatting rules and it looks like your proposed title needs to be adjusted.

Your PR title is:

Requirements:

Expected format:

Details: PR title must end with 'fixes TICKET-ID' (e.g., 'fixes NOV-123') or include ticket ID in branch name
scopsy approved these changes on Apr 13, 2026
Summary

Upgrades open-cli from ^6.0.1 to ^8.0.0 in packages/stateless and packages/providers to resolve a moderate severity vulnerability in file-type.

Vulnerability Details

file-type (versions >=13.0.0 <21.3.1) ... size field of zero, the parser enters an infinite loop. An attacker can stall the Node.js event loop with a 55-byte payload.

Fix Strategy

Replace parent dependency: open-cli@6 brought in file-type@16.5.4 (CJS), which was in the vulnerable range. Upgrading to open-cli@8 shifts the dependency to file-type@^18.7.0, which is then resolved to ^21.3.4 by the existing pnpm override (file-type@>=17.0.0 <21.3.4: ^21.3.4), a version that includes the security fix.

open-cli is a devDependency used only for opening documentation in a browser, so upgrading it from v6 to v8 is low-risk. v8 is ESM-only (type: "module") with engines: { node: ">=18" }, which is compatible with the monorepo's Node 20 environment and is fine since it's only used as a CLI binary.

Changes

- packages/stateless/package.json: open-cli ^6.0.1 → ^8.0.0
- packages/providers/package.json: open-cli ^6.0.1 → ^8.0.0
- pnpm-lock.yaml

Verification

- pnpm audit confirms the file-type advisory (1114301) is no longer present
- pnpm build:v2 passes successfully
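As an added illustration of the bug class this PR closes (example code, not file-type's parser and not part of this PR): a minimal length-prefixed chunk walker with a constructed chunk layout, where the naive loop spins on a zero-size sub-header and the hardened loop rejects any chunk that would not advance the offset or would overrun the buffer.

```javascript
// Added illustration, not file-type's own code. Constructed chunk layout:
// 4-byte little-endian size (counting the header itself), 1-byte tag, payload.
const HEADER_SIZE = 5;

// Build one chunk; `size` can be overridden to produce malformed input.
function makeChunk(tag, payload, size = HEADER_SIZE + payload.length) {
  const header = Buffer.alloc(HEADER_SIZE);
  header.writeUInt32LE(size, 0);
  header[4] = tag;
  return Buffer.concat([header, payload]);
}

// Naive walker: trusts the size field. With size === 0 the offset never
// advances, so the loop spins forever and blocks the Node.js event loop.
// `maxSteps` only makes this demonstration terminate; it is not the fix.
function walkNaive(buf, maxSteps = 1000) {
  const chunks = [];
  let offset = 0;
  let steps = 0;
  while (offset + HEADER_SIZE <= buf.length) {
    if (++steps > maxSteps) return { stalled: true, chunks };
    const size = buf.readUInt32LE(offset);
    chunks.push({ tag: buf[offset + 4], offset });
    offset += size; // no forward progress when size === 0
  }
  return { stalled: false, chunks };
}

// Hardened walker: every iteration must move forward and stay inside the
// buffer. A chunk smaller than its own header, or one that overruns the input,
// is rejected rather than followed.
function walkHardened(buf) {
  const chunks = [];
  let offset = 0;
  while (offset + HEADER_SIZE <= buf.length) {
    const size = buf.readUInt32LE(offset);
    if (size < HEADER_SIZE || offset + size > buf.length) {
      throw new RangeError(`malformed chunk at offset ${offset}: size=${size}`);
    }
    chunks.push({ tag: buf[offset + 4], length: size - HEADER_SIZE });
    offset += size;
  }
  return chunks;
}

// Constructed inputs: a valid two-chunk file, and one whose first sub-header
// declares size 0 (the shape of input the advisory describes).
const GOOD = Buffer.concat([makeChunk(1, Buffer.from('abc')), makeChunk(2, Buffer.alloc(0))]);
const ZERO_SIZE = makeChunk(1, Buffer.from('abc'), 0);
```

The same progress check also covers the overrun case (a size larger than the remaining input), which is why the hardened walker tests both bounds rather than only `size === 0`.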