fix: upgrade basic-ftp to 5.2.0 (CVE-2026-27699) #6320
orbisai0security wants to merge 1 commit into FlowiseAI:main from
Conversation
Automated dependency upgrade by Orbis Security AI
Code Review
This pull request adds the basic-ftp dependency to the root package.json. Feedback indicates that for this pnpm monorepo, version overrides for transitive dependencies should be placed in the pnpm.overrides section rather than the root dependencies to maintain project standards.
| }, | ||
| "dependencies": { | ||
| "basic-ftp": "5.2.0" | ||
| } | ||
| } |
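Review bot: the pin `"basic-ftp": "5.2.0"` placed under the root `dependencies` block shown here adds a direct dependency of the workspace root, but it does not by itself change which basic-ftp version the packages that pull it in transitively resolve; in a pnpm workspace that is what the `pnpm.overrides` field does. Suggest replacing this block with `"pnpm": { "overrides": { "basic-ftp": "5.2.0" } }` and, after regenerating pnpm-lock.yaml, checking that no basic-ftp 5.0.5 entry remains.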
While this change would resolve the vulnerability, adding dependencies directly to the root package.json is not a standard practice in this pnpm monorepo. For transitive dependencies like basic-ftp, the idiomatic way to enforce a version is by using pnpm.overrides. This keeps the root package.json clean and clearly states the intention of overriding a dependency version across the workspace. Additionally, please verify the maintenance and security status of basic-ftp@5.2.0 to ensure the vulnerability data is not outdated; for instance, a library reported as deprecated might have resumed maintenance. Please revert this change and instead add "basic-ftp": "5.2.0" to the pnpm.overrides section.
References
- Verify the maintenance and security status of dependencies flagged by automated tools, as this information may be outdated. A library reported as deprecated might have resumed maintenance.
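An added check (example script, not part of this PR or the Flowise repository) for the verification the reviewer asks for: once the override is in place and `pnpm install` has regenerated the lockfile, confirm that no `basic-ftp` version other than 5.2.0 is still present in `pnpm-lock.yaml`. The lockfile excerpts and integrity values below are constructed, and the key layout assumed is that of pnpm lockfile v9 (`basic-ftp@<version>:` under `packages:`).

```shell
#!/bin/sh
# Constructed lockfile excerpt as it would look before the override took effect:
# both the vulnerable 5.0.5 and the fixed 5.2.0 are resolved.
LOCK_BEFORE='packages:

  basic-ftp@5.0.5:
    resolution: {integrity: sha512-CONSTRUCTED-PLACEHOLDER}
    engines: {node: ">=10.0.0"}

  basic-ftp@5.2.0:
    resolution: {integrity: sha512-CONSTRUCTED-PLACEHOLDER}
    engines: {node: ">=10.0.0"}
'

# Constructed excerpt after pnpm.overrides forced a single version.
LOCK_AFTER='packages:

  basic-ftp@5.2.0:
    resolution: {integrity: sha512-CONSTRUCTED-PLACEHOLDER}
    engines: {node: ">=10.0.0"}
'

# Print every basic-ftp version that appears as a package key in the lockfile
# text passed as $1 (an optional leading "/" covers the older v6 key style).
lock_versions() {
  printf '%s\n' "$1" | sed -n 's/^  \/\{0,1\}basic-ftp@\([0-9][0-9.]*\):$/\1/p'
}

# Return 0 only if every basic-ftp entry in lockfile text $1 is version $2;
# any other version is reported on stderr and the function returns 1.
check_pinned() {
  expected="$2"
  status=0
  for v in $(lock_versions "$1"); do
    if [ "$v" != "$expected" ]; then
      echo "stale basic-ftp@$v still present in lockfile" >&2
      status=1
    fi
  done
  return $status
}

# Usage against a real checkout: check_pinned "$(cat pnpm-lock.yaml)" 5.2.0
```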
Summary
Upgrade basic-ftp from 5.0.5 to 5.2.0 to fix CVE-2026-27699.
Vulnerability
CVE-2026-27699 (pnpm-lock.yaml)
Description: basic-ftp: File overwrite due to path traversal
Changes
package.json
pnpm-lock.yaml
Verification
Automated security fix by OrbisAI Security