
Security Patch: Zero Vulnerabilities


We patched three dependency CVEs today and brought the platform to zero known vulnerabilities. Both the Next.js frontend and Express backend now build clean with a passing npm audit.

Audit Status: 0 vulnerabilities

All production dependencies across web and agentbot-backend pass npm audit with zero findings.

What We Patched

  • defu ≤6.1.4 (High): Prototype pollution via __proto__ key in defaults argument. Fixed in 6.1.7 (GHSA-737v-mqg7-c878).
  • hono ≤4.12.11 (Moderate): 5 CVEs: cookie name bypass, IPv4-mapped IPv6 IP matching, path traversal in toSSG(), middleware bypass via repeated slashes, setCookie() validation. Fixed in 4.12.12.
  • @hono/node-server <1.19.13 (Moderate): Middleware bypass via repeated slashes in serveStatic. Fixed in 1.19.13.

How We Fixed It

Standard npm audit fix failed due to peer dependency conflicts across the monorepo workspace (mppx, wagmi/porto, @nuxt/kit transitive trees). We resolved this with root-level npm overrides:

// package.json (root)
"overrides": {
  "hono": "^4.12.12",
  "@hono/node-server": "^1.19.13",
  "defu": "^6.1.5"
}

This forces all transitive consumers to resolve the patched versions regardless of what their own package.json declares, without breaking peer dependency resolution for the rest of the tree.
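Overrides only help if every nested copy in the tree was actually rewritten, so it is worth checking the lockfile rather than trusting the audit summary alone. The following is an added example, not code from the Agentbot post: it scans the "packages" map of a package-lock.json (lockfile v2/v3) for any installed copy of hono, @hono/node-server or defu that is still below the minimum the overrides above are meant to force. The sample lockfile and the some-consumer package are constructed for the example.

```javascript
// Added example (not from the Agentbot post): check that every installed copy of a
// package in a package-lock.json (lockfile v2/v3 "packages" map) is at or above
// the minimum the root "overrides" are meant to force; nested copies under another
// package's node_modules are the transitive consumers the overrides target.

// Minimal "MAJOR.MINOR.PATCH" comparison (pre-release suffixes ignored); no semver package needed.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}

// Package name from a lockfile path: everything after the last "node_modules/" (scope-aware).
function packageNameFromPath(lockPath) {
  const idx = lockPath.lastIndexOf("node_modules/");
  return idx === -1 ? null : lockPath.slice(idx + "node_modules/".length);
}

// Returns one record per installed copy that is still below its minimum version.
function findOutdatedCopies(lock, minimums) {
  const violations = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (!name || !(name in minimums) || !entry.version) continue;
    if (compareVersions(entry.version, minimums[name]) < 0) {
      violations.push({ path: lockPath, name, version: entry.version, required: minimums[name] });
    }
  }
  return violations;
}

// Minimum versions matching the overrides in the post.
const MINIMUMS = { hono: "4.12.12", "@hono/node-server": "1.19.13", defu: "6.1.5" };

// Constructed sample lockfile: root copies are patched, but one nested copy of hono
// under a (hypothetical) transitive consumer was not rewritten and is still vulnerable.
const SAMPLE_LOCK = {
  packages: {
    "node_modules/hono": { version: "4.12.12" },
    "node_modules/@hono/node-server": { version: "1.19.13" },
    "node_modules/defu": { version: "6.1.7" },
    "node_modules/some-consumer/node_modules/hono": { version: "4.12.11" },
  },
};

const outdated = findOutdatedCopies(SAMPLE_LOCK, MINIMUMS);
for (const v of outdated) console.log(`${v.path}: ${v.version} is below ${v.required}`);
```

To run it against a real tree, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")) and fail the readiness check when the returned list is non-empty.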

Verification

  • npm audit — 0 vulnerabilities
  • npm run build (web) — passes, all routes compile
  • npm run build (backend) — tsc passes with zero errors

We run npm audit as part of every readiness check. If you're building on Agentbot, your containers inherit these fixes on next deploy.

© 2026 Agentbot