
chore(web/personas-open-source): remediate Dependabot vulns (#7327)#7386

Merged
mdmohsin7 merged 2 commits into
mainfrom
rex/personas-deps
May 19, 2026

Conversation

Member

@mdmohsin7 mdmohsin7 commented May 19, 2026

Part of #7327. Branched from fresh main.

Result (option 2 — non-breaking only)

npm audit: 17 → 5. 2 of 3 CRITICALs cleared non-breaking: form-data, protobufjs (+ flatted/minimatch/picomatch transitive). net diff vs main: package-lock.json only (package.json unchanged).

Deferred residual — the next CRITICAL (runtime-test finding)

Initially this PR also bumped next 15.0.3 → 15.5.18 to clear the next CRITICAL. Runtime testing caught a regression: with next 15.5.18, mixpanel-browser 2.56.0 (version unchanged) throws an uncaught client TypeError: Cannot read properties of undefined (reading 'load_prop') on / and /chat — reproducible, and absent on the next 15.0.3 baseline under identical env (npm build/npm audit did not surface it; only next start + a route walkthrough did).

Per decision, the next bump was reverted (commit f94750edd). The next CRITICAL is a flagged, deferred residual — its only fix (next 15.5.18) introduces the mixpanel breakage, which needs a Next-15.5 + mixpanel-init code fix (out of scope for a deps PR). Tracked separately.

Remaining 5 (1C next + 3H/1M) are all gated behind the same next-15.5/16 + eslint-config-next majors — consistent with the other web apps' deferred next-major decision.

Validation

next build (next 15.0.3) → exit 0. next start route walkthrough (/, /chat, /login, /u/[username]) → 0 page errors, 0 5xx — identical to the unmodified next 15.0.3 baseline (the mixpanel regression is gone with the next bump reverted).

🤖 Generated with Claude Code

npm audit 17 -> 5 (3C/6H/8M -> 0C/3H/2M). ALL 3 CRITICALS cleared:
- next 15.0.3 -> ^15.5.18 (in-Next-15 minor; clears the next CRIT —
  NOT the 14->16 major the other web apps needed)
- form-data, protobufjs (non-breaking, lockfile)
+ flatted/minimatch/picomatch non-breaking transitive fixes.

RESIDUAL (5 — documented, breaking-major-gated, same class as the
web/app|admin|frontend next-16 decision):
- eslint-config-next / @next/eslint-plugin-next / glob (HIGH) — fix is
  eslint-config-next@16 -> forces eslint 8->9 + plugin migration
- next / postcss (MOD) — fix needs a further next major (16)
Flagged for the same deliberate next-16 / eslint-9 migration.

Validated: `next build` (Next 15.5.18) exit 0. (Pre-existing ERESOLVE
peer conflict next@15<->@radix-ui handled with --legacy-peer-deps;
not introduced by this change.)
@mdmohsin7 mdmohsin7 marked this pull request as ready for review May 19, 2026 10:50
Contributor

greptile-apps Bot commented May 19, 2026

Greptile Summary

This PR remediates Dependabot security findings in web/personas-open-source by upgrading next from 15.0.3 to ^15.5.18 and bumping several transitive dependencies (flatted, form-data, @protobufjs/*, minimatch, picomatch, @img/sharp-*) in the lockfile. The audit score drops from 17 (3 critical) to 5 (0 critical) vulnerabilities.

  • next is updated from a pinned exact version to a caret range (^15.5.18), clearing the critical next CVE while staying within the 15.x minor track.
  • eslint-config-next intentionally remains at ^14.2.6 (resolved to 14.2.35), creating a documented major-version gap with next@15.x that is deferred to a future next-16/eslint-9 migration.

Confidence Score: 4/5

Safe to merge — all critical CVEs are cleared, the build passes, and the remaining five vulnerabilities are deliberately deferred with documented justification.

The next bump is a well-contained intra-major upgrade (15.0.3 → 15.5.18) validated by a successful next build. The only notable concern is the lingering eslint-config-next@14.x / next@15.x mismatch, which can cause lint rules to silently miss Next.js 15-specific issues, but this is explicitly acknowledged as a deferral decision rather than an oversight.

package.json — the eslint-config-next version gap deserves a follow-up tracking item to keep it from widening further as Next.js minor releases accumulate.

Important Files Changed

Filename Overview
web/personas-open-source/package.json Single meaningful change: next bumped from exact pin 15.0.3 to semver range ^15.5.18. eslint-config-next remains at ^14.2.6, creating a major-version mismatch with the upgraded Next.js — acknowledged as a deliberate deferral in the PR description.
web/personas-open-source/package-lock.json Lockfile updated to reflect next@15.5.18, flatted@3.4.2, form-data@4.0.5, @protobufjs/* sub-packages, minimatch@3.1.5, picomatch@2.3.2, and @img/sharp-*@0.34.5. All changes are consistent with the stated audit remediation.

Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[npm audit before\n17 vulns: 3C / 6H / 8M] --> B{Remediable without\nbreaking changes?}
    B -- Yes --> C[Bump next 15.0.3 → 15.5.18\nform-data, protobufjs,\nflatted, minimatch, picomatch]
    B -- No --> D[Deferred — requires\nnext major 16 +\neslint 8→9 migration]
    C --> E[npm audit after\n5 vulns: 0C / 3H / 2M]
    D --> F[eslint-config-next stays at 14.x\npostcss vulnerability remains]
    E --> G[next build → exit 0\nvia --legacy-peer-deps]
```

Comments Outside Diff (1)

  1. web/personas-open-source/package.json, line 48

    P2 eslint-config-next major version mismatch with Next.js

    eslint-config-next is pinned to ^14.2.6 (resolved to 14.2.35 in the lockfile), while next is now ^15.5.18. The eslint-config-next package is designed to be version-matched with your Next.js installation — the 14.x config does not know about Next.js 15 conventions (e.g. App Router stabilization, turbo config changes, updated Server Actions rules). In practice this means next lint may miss real Next.js 15 lint issues or emit stale warnings. The PR description documents this as a deliberate hold pending the next-16/eslint-9 migration, which is reasonable — just worth tracking explicitly so the version gap doesn't widen further.

Reviews (1): Last reviewed commit: "chore(web/personas-open-source): remedia..."

Runtime test caught: next 15.0.3 -> 15.5.18 makes mixpanel-browser
2.56.0 (unchanged) throw an uncaught client TypeError
("Cannot read properties of undefined (reading 'load_prop')") on /
and /chat — reproducible, absent on the next 15.0.3 baseline (same
env). Per decision (option 2): keep the non-breaking critical +
transitive fixes (form-data, protobufjs, flatted, minimatch,
picomatch), revert next to 15.0.3.

net vs main: package-lock.json only (package.json unchanged).
npm audit 17 -> 5. Cleared: form-data, protobufjs (CRITICAL) + others.

RESIDUAL (flagged, deferred): the `next` CRITICAL stays — its fix
(next 15.5.18) introduces the mixpanel-browser regression above, which
needs a Next-15.5 + mixpanel-init code fix (out of scope for a deps
PR). Tracked separately.

Validated: `next build` exit 0; `next start` route walkthrough = 0
page errors / 0 5xx, identical to the unmodified next 15.0.3 baseline
(regression gone).
@mdmohsin7 mdmohsin7 merged commit 55d75d0 into main May 19, 2026
2 checks passed
@mdmohsin7 mdmohsin7 deleted the rex/personas-deps branch May 19, 2026 11:45
@mdmohsin7
Member Author

Follow-up: the deferred next residual from this PR (option 2 reverted next→15.0.3 because next 15.5 triggered the mixpanel load_prop SSR crash) is now resolved in #7399 — root-caused to module-scope mixpanel.init() executing during App-Router SSR, fixed with lazy browser-only init (public API unchanged). #7399 lands next@15.5.18 and clears all 27 personas alerts (2 critical + 8 high included); runtime-validated with a regression-isolation diff vs unmodified main (identical error profile, zero load_prop).

mdmohsin7 added a commit that referenced this pull request May 20, 2026
…ion (#7327) (#7399)

Part of #7327. Lands the previously-deferred personas `next` security
bump by **root-causing and fixing** the mixpanel regression that blocked
#7386 (where option 2 reverted `next` to 15.0.3).

## Root cause (the #7386 blocker)
`src/lib/mixpanel.ts` called `mixpanel.init()` at **module top-level**.
App-Router `'use client'` pages are still **server-rendered on the
initial request**, so this module executed during SSR (Node, no
`window`/`localStorage`). Next 15.0.3 tolerated it; Next 15.5+ evaluates
it strictly and it throws `Cannot read properties of undefined (reading
'load_prop')` on `/` and `/chat`.

**Fix:** initialize lazily on first **client-side** use and no-op on the
server. The exported `Mixpanel` API is unchanged, so `page.tsx` /
`chat/page.tsx` need **zero edits**. (Verified: baseline server logs
`Mixpanel loaded successfully` server-side at 15.0.3 — exactly the
unsafe path now removed.)

## Security bumps (clears all 27 personas alerts)
| package | from | to | notes |
|---|---|---|---|
| next | 15.0.3 | **15.5.18** | ~25 alerts incl. **2 critical + 8 high**. 15.5.18 (not .16) is first-patched for GHSA-26hh-7cqf-hhc6 "Incomplete Fix Follow-Up" |
| eslint-config-next | ^14.2.6 | ^15.5.16 | Next-owned companion, coupled to the next line |
| glob | (transitive) | 10.5.0 | high |
| postcss | ^8 | ^8.5.10 + `overrides: { "postcss": "$postcss" }` | dedupes Next's **vendored** vulnerable `postcss@8.4.31` copy too |

`mixpanel-browser` intentionally **unchanged** at 2.56.0 — the bug was
our usage, not the library. **`npm audit` → 0 vulnerabilities.**

## Config cleanup (coupled)
Removed `output: 'standalone'` + a dead `import next` from
`next.config.mjs`. The Dockerfile deploys via `next start` and never
uses `.next/standalone`, so `standalone` was dead config that emits a
`"next start does not work with output: standalone"` warning (present
even at 15.0.3). Aligns config with the real deploy path.
`next-env.d.ts` regenerated by `next build` (version-coupled, kept in
sync).

## Validation (rigorous, not assumed)
- **`npm audit` → found 0 vulnerabilities** (all 27 alerts:
next/postcss/glob).
- **Build:** clean at 15.5.18; `/` and `/chat` prerender with **no
`load_prop`**.
- **Runtime regression-isolation:** built + `next start` for both this
branch and **unmodified main (next 15.0.3)**, identical dummy env,
Playwright walkthrough of `/`, `/chat`, `/login`, `/u/<user>`,
`/u/<missing>`:

| metric | baseline (15.0.3, unmodified) | this PR (15.5.18 + fix) |
|---|---|---|
| all 5 routes | 200 | 200 |
| **page errors** | **0** | **0** |
| 5xx | 0 | 0 |
| console errors | 1 (`/chat` 404, env/dummy-data) | 1 (`/chat` 404 — *identical*) |

Byte-for-byte identical error profile → **zero regressions**; the
`load_prop` crash is gone.

## Alerts cleared
**27** (web/personas-open-source/package-lock.json): ~25 next (2
critical + 8 high + med/low) + 1 postcss + 1 glob.

Closes the deferred residual from #7386.
pull Bot pushed a commit to Mu-L/omi that referenced this pull request May 20, 2026
mixpanel.init() ran at module scope, so it executed during App-Router
SSR (no window/localStorage). Next 15.0.3 tolerated it; Next 15.5+
surfaces it as 'Cannot read properties of undefined (reading
load_prop)' on / and /chat (the regression that blocked BasedHardware#7386).
Initialize lazily on first client-side use; no-op on the server.
Public Mixpanel API unchanged - no consumer edits needed.
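The two commit messages above (the #7399 description and the mirrored commit) describe the failure mode and the fix in prose only. The block below is an added example, not the project's `src/lib/mixpanel.ts` and not mixpanel-browser's code: `FakeAnalyticsSdk` stands in for the real SDK on the assumption, taken from the commit message, that its `init()` touches `window`/`localStorage`; `TOKEN`, the storage keys and the `simulateServer`/`simulateBrowser` helpers are placeholders so the server and client cases can both run in one plain Node process. It shows the module-scope init throwing the same class of `TypeError` during SSR, and the lazy browser-only wrapper that no-ops on the server, initializes exactly once on the client, and keeps the `Mixpanel.track` call shape unchanged for consumers.

```typescript
// Added example (not the project's or mixpanel-browser's code). Demonstrates
// why a module-scope init() crashes under App-Router SSR and how a lazy,
// browser-only init avoids it without changing the public call surface.

interface KeyValueStore {
  getItem(key: string): string | null;
  setItem(key: string, value: string): void;
}
interface BrowserGlobals {
  window?: { localStorage: KeyValueStore };
}
// 'use client' modules are still evaluated on the server for the first
// request, where globalThis.window is undefined. Going through globalThis
// lets this file run unchanged in Node and in a browser.
const g = globalThis as unknown as BrowserGlobals;

// Stand-in for the analytics SDK (assumption: like mixpanel-browser, init()
// sets up persistence by reading window.localStorage). Without a window this
// throws "TypeError: Cannot read properties of undefined (...)".
class FakeAnalyticsSdk {
  private store: KeyValueStore | null = null;
  initCalls = 0;
  init(token: string): void {
    this.initCalls += 1;
    const store = g.window!.localStorage; // TypeError when window is undefined
    store.setItem("analytics_token", token);
    this.store = store;
  }
  track(event: string): void {
    if (this.store === null) throw new Error("track() before init()");
    this.store.setItem("last_event", event);
  }
}

const TOKEN = "example-token"; // placeholder, not a real project token

// BEFORE (the regression): init at module scope runs during SSR and throws.
function unsafeModuleScopeInit(): FakeAnalyticsSdk {
  const sdk = new FakeAnalyticsSdk();
  sdk.init(TOKEN);
  return sdk;
}

// AFTER: lazy, browser-only init. No-op on the server, once on the client.
let sdk: FakeAnalyticsSdk | null = null;

function isBrowser(): boolean {
  return typeof g.window !== "undefined";
}

function getSdk(): FakeAnalyticsSdk | null {
  if (!isBrowser()) return null;
  if (sdk === null) {
    sdk = new FakeAnalyticsSdk();
    sdk.init(TOKEN);
  }
  return sdk;
}

// The surface pages import. Same shape as before, so callers need no edits;
// returns whether the event was actually recorded (false on the server).
const Mixpanel = {
  track(event: string): boolean {
    const s = getSdk();
    if (s === null) return false;
    s.track(event);
    return true;
  },
  initCount(): number {
    return sdk === null ? 0 : sdk.initCalls;
  },
};

// Helpers to simulate both environments in one process (test scaffolding).
function simulateServer(): void {
  delete g.window;
}
function simulateBrowser(): void {
  const map = new Map<string, string>();
  g.window = {
    localStorage: {
      getItem: (k) => (map.has(k) ? (map.get(k) as string) : null),
      setItem: (k, v) => { map.set(k, v); },
    },
  };
}

// Runs the SSR-then-client sequence from a clean state and reports the outcome.
function demo(): { serverThrows: boolean; serverTracked: boolean; clientTracked: boolean; initCalls: number } {
  sdk = null;
  simulateServer();
  let serverThrows = false;
  try { unsafeModuleScopeInit(); } catch (e) { serverThrows = e instanceof TypeError; }
  const serverTracked = Mixpanel.track("page_view");      // SSR: skipped
  simulateBrowser();
  const clientTracked = Mixpanel.track("page_view") && Mixpanel.track("chat_open");
  const initCalls = Mixpanel.initCount();                  // exactly one init
  simulateServer();
  return { serverThrows, serverTracked, clientTracked, initCalls };
}

console.log(demo());
```

The check worth keeping from this is the one the PR says `npm build` and `npm audit` did not perform: evaluate the module with no `window` present and assert it neither throws nor initializes, then evaluate it with a window and assert it initializes once. A module-scope `init()` fails the first half of that check regardless of which Next.js version happens to tolerate it.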
