@checkstack/auth-backend 0.4.25 → 0.4.27

package/CHANGELOG.md

@@ -1,5 +1,60 @@
 # @checkstack/auth-backend
 
+## 0.4.27
+
+### Patch Changes
+
+- b33fb4d: Refresh `bun.lock` to clear MEDIUM-severity Trivy advisories on transitive
+  runtime dependencies. No public API change — bumping every workspace
+  package that lists `@orpc/server` as a direct dep so consumers re-resolve
+  the optional `ws` peer to the patched release on their next install.
+
+  - `ws` `8.20.0` → `8.20.1` (CVE-2026-45736). Pulled into the install tree
+    as `@orpc/server`'s optional WebSocket peer; Bun auto-installs it into
+    every backend package that depends on `@orpc/server`, so a stale 8.20.0
+    ships in the consumer's `node_modules` until the parent package
+    re-resolves.
+  - `brace-expansion` `5.0.5` → `5.0.6` (CVE-2026-45149). Pulled in only
+    through dev tooling (`minimatch@10` via `@typescript-eslint` and
+    `storybook`'s `glob@13`), so it does not ship to consumers and no
+    workspace `package.json` lists it; the lockfile bump alone clears the
+    finding for the Docker image and the local dev tree. No version bump
+    is attributed to this advisory.
+
+  The fix lives entirely in `bun.lock` — no `package.json`, `overrides`, or
+  `resolutions` change is needed because both parent ranges (`minimatch@10
+→ brace-expansion@^5.0.5`, `@orpc/server / storybook / happy-dom →
+ws@>=8.18.x`) already accept the patched releases, and `bun install`
+  keeps the resolved versions sticky after the initial `bun update`.
+
+- Updated dependencies [1909a61]
+- Updated dependencies [b33fb4d]
+  - @checkstack/backend-api@0.15.3
+  - @checkstack/command-backend@0.1.27
+
+## 0.4.26
+
+### Patch Changes
+
+- 080627f: Pin `kysely` to `^0.28.17` as a direct dependency to resolve CVE-2026-44635
+  (JSON-path traversal injection via unsanitized path-leg metacharacters in
+  `JSONPathBuilder.key()` / `.at()`). better-auth lists kysely as a peer
+  dependency, and Bun was auto-resolving it through the optionalPeers
+  mechanism — pinning here keeps us inside better-auth's peer range
+  (`^0.28.5`) while picking up the fix.
+
+  Two unrelated transitive vulnerabilities (`fast-uri` 3.1.0 → 3.1.2 covering
+  CVE-2026-6321/6322, `protobufjs` 7.5.5 → 7.5.8 covering
+  CVE-2026-44289/44290/44291/44293) were resolved by a plain lockfile refresh
+  and do not require package version bumps.
+
+- Updated dependencies [9016526]
+  - @checkstack/common@0.10.0
+  - @checkstack/auth-common@0.7.0
+  - @checkstack/notification-common@1.1.0
+  - @checkstack/backend-api@0.15.2
+  - @checkstack/command-backend@0.1.26
+
 ## 0.4.25
 
 ### Patch Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@checkstack/auth-backend",
-  "version": "0.4.25",
+  "version": "0.4.27",
   "license": "Elastic-2.0",
   "type": "module",
   "main": "src/index.ts",
@@ -15,21 +15,22 @@
     "test": "bun test"
   },
   "dependencies": {
-    "@checkstack/auth-common": "0.6.5",
-    "@checkstack/backend-api": "0.15.0",
-    "@checkstack/notification-common": "1.0.1",
-    "@checkstack/command-backend": "0.1.24",
+    "@checkstack/auth-common": "0.7.0",
+    "@checkstack/backend-api": "0.15.2",
+    "@checkstack/notification-common": "1.1.0",
+    "@checkstack/command-backend": "0.1.26",
     "better-auth": "^1.4.7",
     "drizzle-orm": "^0.45.0",
     "hono": "^4.12.14",
+    "kysely": "^0.28.17",
     "jose": "^6.1.3",
     "zod": "^4.2.1",
-    "@checkstack/common": "0.8.0",
+    "@checkstack/common": "0.10.0",
     "@orpc/server": "^1.13.2"
   },
   "devDependencies": {
     "@checkstack/drizzle-helper": "0.0.5",
-    "@checkstack/scripts": "0.3.0",
+    "@checkstack/scripts": "0.3.2",
     "@checkstack/tsconfig": "0.0.7",
     "@types/node": "^20.0.0",
     "drizzle-kit": "^0.31.10",