Summary
Trivy Security Scan (required CI gate) fails on a HIGH dependency vuln: ws@8.19.0, CVE-2026-48779 ("ws: Memory exhaustion DoS from tiny fragments and data"), fixed in 8.21.0.
This blocks every PR's required Security Scan, including unrelated ones (surfaced on #325, a Python-only MCP change). Likely a newly published CVE that flipped a previously-green gate red.
Where it comes from
ws is a frontend transitive dependency (frontend/bun.lock), pulled by:
@supabase/realtime-js@2.95.3 -> ws@^8.18.2 (runtime: Supabase realtime WebSocket)
happy-dom@20.7.0 -> ws@^8.18.3 (dev/test)
Both ranges already admit 8.21.0, so the fix is an in-range lockfile bump; no parent upgrade is needed.
Fix
cd frontend && bun update ws (resolves to >= 8.21.0), verify frontend/bun.lock shows ws@8.21.0+, then run bun run typecheck && bun run test && bun run build. This is a one-line lockfile change; ship it in its own PR (separate from #325, one concern per PR).
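As an added example (not part of this issue or the project's CI), a POSIX shell check that verifies the "lockfile shows ws@8.21.0+" step mechanically, so the gate can be re-checked before pushing. It assumes bun.lock's text format lists resolved packages as "ws@X.Y.Z" strings (e.g. "ws": ["ws@8.19.0", ...]) and that versions have three numeric components; the lockfile content in the usage is constructed.

```shell
#!/bin/sh
# Gate check: every resolved `ws` in a bun.lock must be >= the fixed version.
# Assumption: bun.lock's text format lists resolved packages as "ws@X.Y.Z" strings;
# adjust the grep pattern if your lockfile format differs.

MIN_WS_VERSION="8.21.0"   # first ws release containing the fix for CVE-2026-48779

# version_ge A B -> exit 0 if A >= B (dotted numeric versions with 3 components)
version_ge() {
  a1=${1%%.*}; rest=${1#*.}; a2=${rest%%.*}; a3=${rest#*.}
  b1=${2%%.*}; rest=${2#*.}; b2=${rest%%.*}; b3=${rest#*.}
  [ "$a1" -gt "$b1" ] && return 0
  [ "$a1" -lt "$b1" ] && return 1
  [ "$a2" -gt "$b2" ] && return 0
  [ "$a2" -lt "$b2" ] && return 1
  [ "$a3" -ge "$b3" ]
}

# resolved_ws_versions LOCKFILE -> prints each distinct resolved ws version
# (only "ws@<version>" resolutions match; range specs like "^8.18.2" do not)
resolved_ws_versions() {
  grep -o '"ws@[0-9][0-9.]*"' "$1" | sed 's/^"ws@//; s/"$//' | sort -u
}

# ws_lock_ok LOCKFILE [MIN] -> 0 if every resolved ws is >= MIN, 1 if any is older,
# 2 if the lockfile contains no ws resolution at all (nothing to judge)
ws_lock_ok() {
  lock=$1; min=${2:-$MIN_WS_VERSION}; status=0
  versions=$(resolved_ws_versions "$lock")
  [ -n "$versions" ] || { echo "no ws entries found in $lock" >&2; return 2; }
  for v in $versions; do
    if version_ge "$v" "$min"; then
      echo "ok   ws@$v (>= $min)"
    else
      echo "FAIL ws@$v (< $min) still resolved in $lock" >&2; status=1
    fi
  done
  return $status
}

# Usage against the real lockfile after `bun update ws`:
#   ws_lock_ok frontend/bun.lock || exit 1
```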
Severity
HIGH (CVSS severity; the impact is DoS via memory exhaustion). Low live exposure at current scale, but it is a required-gate blocker and a clean fix.