fix(security): upgrade CLI deps and add overrides (#2952)

D-K-P · nicktrn · web-flow · commit 5fb9cc36bcc1 · 2026-01-27T16:33:04.000Z
- Upgrade @modelcontextprotocol/sdk 1.24.0 → 1.25.2 (CVE-2026-0621 ReDoS) - Upgrade tar 7.4.3 → 7.5.4+ (CVE-2026-23950 race condition) - Add pnpm overrides for transitive deps: - qs <6.14.0 → 6.14.0 (CVE-2025-15284 DoS) - systeminformation <5.27.14 → 5.27.14 (CVE-2025-68154 cmd injection) - lodash <4.17.23 → 4.17.23 (CVE-2025-13465 prototype pollution) --------- Co-authored-by: nicktrn <55853254+nicktrn@users.noreply.github.com>
diff --git a/package.json b/package.json
@@ -94,7 +94,10 @@
       "axios@1.9.0": ">=1.12.0",
       "js-yaml@>=3.0.0 <3.14.2": "3.14.2",
       "js-yaml@>=4.0.0 <4.1.1": "4.1.1",
-      "jws@<3.2.3": "3.2.3"
+      "jws@<3.2.3": "3.2.3",
+      "qs@>=6.0.0 <6.14.1": "6.14.1",
+      "systeminformation@>=5.0.0 <5.27.14": "5.27.14",
+      "lodash@>=4.0.0 <4.17.23": "4.17.23"
     },
     "onlyBuiltDependencies": [
       "@depot/cli",
diff --git a/packages/cli-v3/package.json b/packages/cli-v3/package.json
@@ -83,7 +83,7 @@
   "dependencies": {
     "@clack/prompts": "0.11.0",
     "@depot/cli": "0.0.1-cli.2.80.0",
-    "@modelcontextprotocol/sdk": "^1.24.0",
+    "@modelcontextprotocol/sdk": "^1.25.2",
     "@opentelemetry/api": "1.9.0",
     "@opentelemetry/api-logs": "0.203.0",
     "@opentelemetry/exporter-trace-otlp-http": "0.203.0",
@@ -138,7 +138,7 @@
     "std-env": "^3.7.0",
     "strip-ansi": "^7.1.0",
     "supports-color": "^10.0.0",
-    "tar": "^7.4.3",
+    "tar": "^7.5.4",
     "tiny-invariant": "^1.2.0",
     "tinyexec": "^0.3.1",
     "tinyglobby": "^0.2.10",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
