chore(security): bump jwt-go, svelte, and kysely past their CVE windows#387
Merged
Conversation
Five Dependabot alerts on main collapse into three transitive bumps. github.com/golang-jwt/jwt/v5 moves from 5.2.1 to 5.2.2 to close the header-parsing memory-allocation flaw (high). Svelte goes from 5.55.6 to 5.55.8 which covers the three open medium-severity advisories: the DOM-clobbering XSS path, the SSR spread-attribute XSS, and the hydratable promise serialization XSS. Kysely steps to 0.28.17 to clear the JSON-path traversal injection (high), pulled in transitively by @inlang/paraglide-js at build time but worth keeping current so CI stops flagging it. The Go side is a // indirect dep and lerd has no direct JWT call sites, so the runtime exposure was small even before the bump. Svelte is the real one — the dashboard renders user-controlled site names, env values, and dump payloads, so each of those XSS paths was a live concern for any LAN-shared or remote-controlled install. Kysely is only reachable through paraglide's build-time SDK, so the runtime impact was nil, but the lockfile drift was noisy.
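A small Go check, added here as an example and not code from this PR or the lerd project, that turns the three floors named above into a CI gate: it parses a `go.mod` (including `// indirect` lines) and the `packages` map of a v3 `package-lock.json`, keeps the lowest installed copy of each npm package so a nested transitive copy (the kysely-under-paraglide case) is not missed, and reports anything still below its patched version. The manifests, the `example.com/lerd` module path and the `2.0.0` paraglide version are constructed sample data, not the project's real files.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Minimum patched versions named in the PR; anything below is still in the advisory range.
var minimums = map[string]string{
	"github.com/golang-jwt/jwt/v5": "5.2.2",
	"svelte":                       "5.55.8",
	"kysely":                       "0.28.17",
}

// Constructed sample go.mod (hypothetical, not lerd's real file).
const sampleGoMod = `module example.com/lerd

go 1.22

require (
	github.com/spf13/cobra v1.8.0
	github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
)
`

// Constructed sample package-lock.json v3 (hypothetical): kysely is present only as a
// nested copy under paraglide, one patch short of the floor.
const samplePackageLock = `{
  "lockfileVersion": 3,
  "packages": {
    "node_modules/svelte": {"version": "5.55.8"},
    "node_modules/@inlang/paraglide-js": {"version": "2.0.0"},
    "node_modules/@inlang/paraglide-js/node_modules/kysely": {"version": "0.28.16"}
  }
}`

// parseGoMod returns module path -> version for every require line, // indirect included.
func parseGoMod(src string) map[string]string {
	out := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := strings.TrimPrefix(strings.TrimSpace(sc.Text()), "require ")
		if i := strings.Index(line, "//"); i >= 0 { // drop trailing comments such as // indirect
			line = strings.TrimSpace(line[:i])
		}
		if f := strings.Fields(line); len(f) == 2 && strings.HasPrefix(f[1], "v") && strings.Contains(f[0], ".") {
			out[f[0]] = strings.TrimPrefix(f[1], "v")
		}
	}
	return out
}

// parsePackageLock returns package name -> lowest installed version across all copies,
// because a nested duplicate is shipped just like the top-level one.
func parsePackageLock(src string) (map[string]string, error) {
	var lock struct {
		Packages map[string]struct{ Version string `json:"version"` } `json:"packages"`
	}
	if err := json.Unmarshal([]byte(src), &lock); err != nil {
		return nil, err
	}
	out := map[string]string{}
	for path, p := range lock.Packages {
		i := strings.LastIndex(path, "node_modules/")
		if i < 0 || p.Version == "" {
			continue // the root "" entry has no node_modules prefix
		}
		name := path[i+len("node_modules/"):] // keeps scoped names like @inlang/paraglide-js
		if cur, ok := out[name]; !ok || compareSemver(p.Version, cur) < 0 {
			out[name] = p.Version
		}
	}
	return out, nil
}

func numAt(parts []string, i int) int {
	if i >= len(parts) {
		return 0
	}
	n, _ := strconv.Atoi(parts[i])
	return n
}

// compareSemver orders versions with an optional "v" prefix, build metadata and prerelease
// suffix; a prerelease sorts below its release (5.2.2-beta.1 < 5.2.2).
func compareSemver(a, b string) int {
	coreA, preA, _ := strings.Cut(strings.TrimPrefix(a, "v"), "-")
	coreB, preB, _ := strings.Cut(strings.TrimPrefix(b, "v"), "-")
	coreA, _, _ = strings.Cut(coreA, "+")
	coreB, _, _ = strings.Cut(coreB, "+")
	as, bs := strings.Split(coreA, "."), strings.Split(coreB, ".")
	for i := 0; i < 3; i++ {
		if x, y := numAt(as, i), numAt(bs, i); x != y {
			if x < y {
				return -1
			}
			return 1
		}
	}
	if (preA == "") != (preB == "") {
		if preA != "" {
			return -1
		}
		return 1
	}
	return strings.Compare(preA, preB)
}

// checkMinimums lists every tracked dependency present in the manifest that sits below its
// floor; an empty result means the bumps hold.
func checkMinimums(have map[string]string) []string {
	var out []string
	for name, floor := range minimums {
		if got, ok := have[name]; ok && compareSemver(got, floor) < 0 {
			out = append(out, fmt.Sprintf("%s %s < %s", name, got, floor))
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	npmDeps, err := parsePackageLock(samplePackageLock)
	if err != nil {
		panic(err)
	}
	for _, v := range append(checkMinimums(parseGoMod(sampleGoMod)), checkMinimums(npmDeps)...) {
		fmt.Println("still vulnerable:", v)
	}
}
```

Run against the sample data it reports only `kysely 0.28.16 < 0.28.17`; wiring the same functions to the real `go.mod` and `package-lock.json` in CI fails the build whenever a later lockfile regeneration drifts a transitive copy back below a floor, which is the noise the PR describes.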
geodro added a commit that referenced this pull request on May 19, 2026
The 1.21.0 line graduates from beta with eight follow-up commits on top of v1.21.0-beta.1. A LAN-exposure audit closes three dashboard endpoints that were reachable on lan:expose installs (raw .env, push-test, an unauthenticated mailpit webhook) and adds path-traversal validation for the new public_dir override (#382). mysql and mariadb pick up catatonit as PID 1 via a new init flag on the preset schema, so podman stop returns in around a second instead of timing out at 30s and lerd service restart stops wedging at the 30-90s mark (#383, closes #380). Host workers stopped via the UI or lerd worker stop no longer resurrect on the next fsnotify event or launchd heal tick, and the same fix puts lerd's bin directory on PATH for npm-spawned subprocesses so wayfinder and friends can find php (#375, #376, closes #381). The PHP-FPM runtime stage gets git back after the multi-stage split in #364 dropped it (#377), restoring VCS-typed composer repositories. Notification clicks land on the right tab now: worker_failed deep-links via the site's primary domain and dump arrivals jump straight to the Dumps sub-tab (#384). The .lerd.yaml container block accepts a target field for multi-stage Containerfiles, with the cache key mixing target in so flipping stages on an unchanged file actually rebuilds (#385, addresses #379), and the MCP service_add tool picks up the matching init argument so agent-driven flows reach feature parity with the YAML path (#386). And a security pass bumps jwt-go to 5.2.2, svelte to 5.55.8, and kysely to 0.28.17 closing one high-severity JWT header-parsing flaw, three medium svelte XSS paths, and one high kysely JSON-path traversal injection (#387).