fix: upgrade basic-ftp to 5.2.0 (CVE-2026-27699)#6320
Conversation
There was a problem hiding this comment.
Code Review
This pull request adds the basic-ftp dependency to the root package.json. Feedback indicates that for this pnpm monorepo, version overrides for transitive dependencies should be placed in the pnpm.overrides section rather than the root dependencies to maintain project standards.
| }, | ||
| "dependencies": { | ||
| "basic-ftp": "5.2.0" | ||
| } | ||
| } |
There was a problem hiding this comment.
While this change would resolve the vulnerability, adding dependencies directly to the root package.json is not a standard practice in this pnpm monorepo. For transitive dependencies like basic-ftp, the idiomatic way to enforce a version is by using pnpm.overrides. This keeps the root package.json clean and clearly states the intention of overriding a dependency version across the workspace. Additionally, please verify the maintenance and security status of basic-ftp@5.2.0 to ensure the vulnerability data is not outdated; for instance, a library reported as deprecated might have resumed maintenance. Please revert this change and instead add "basic-ftp": "5.2.0" to the pnpm.overrides section.
}
}References
- Verify the maintenance and security status of dependencies flagged by automated tools, as this information may be outdated. A library reported as deprecated might have resumed maintenance.
8508cca to
bf0c3cf
Compare
824a42f to
bf8903b
Compare
Automated dependency upgrade by OrbisAI Security
bf8903b to
f315384
Compare
Summary
Upgrade basic-ftp from 5.0.5 to 5.2.0 to fix CVE-2026-27699.
Vulnerability
CVE-2026-27699pnpm-lock.yamlDescription: basic-ftp: basic-ftp: File overwrite due to path traversal
Evidence
Scanner confirmation: trivy rule
CVE-2026-27699flagged this pattern.Production code: This file is in the production codebase, not test-only code.
Threat Model Context
This is a Node.js library - vulnerabilities affect downstream consumers who use this package.
Changes
package.jsonpnpm-lock.yamlVerification
This change addresses a pattern flagged by static analysis. The code path handles user-influenced input and the fix reduces the attack surface against both manual and automated exploitation.
Automated security fix by OrbisAI Security