Title: Remediate OSV lockfile vulnerabilities before first release · Issue #55 · MendCode/MendCode · GitHub
Open Graph Title: Remediate OSV lockfile vulnerabilities before first release · Issue #55 · MendCode/MendCode
X Title: Remediate OSV lockfile vulnerabilities before first release · Issue #55 · MendCode/MendCode
Description: Summary OSV scanning currently blocks a real MendCode release because the checked-in lockfiles contain vulnerable dependency versions. Local command run from /Users/obed/Code/MendCode: docker run --rm -v "$PWD:/src" \ ghcr.io/google/osv-...
Open Graph Description: Summary OSV scanning currently blocks a real MendCode release because the checked-in lockfiles contain vulnerable dependency versions. Local command run from /Users/obed/Code/MendCode: docker run -...
X Description: Summary OSV scanning currently blocks a real MendCode release because the checked-in lockfiles contain vulnerable dependency versions. Local command run from /Users/obed/Code/MendCode: docker run -...
Opengraph URL: https://github.com/MendCode/MendCode/issues/55
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Remediate OSV lockfile vulnerabilities before first release","articleBody":"## Summary\n\nOSV scanning currently blocks a real MendCode release because the checked-in lockfiles contain vulnerable dependency versions.\n\nLocal command run from `/Users/obed/Code/MendCode`:\n\n```bash\ndocker run --rm -v \"$PWD:/src\" \\\n ghcr.io/google/osv-scanner:v2.3.8@sha256:64e86bec6df2466feea5137fc7c78fb3b7c21ec077f014d7130f64810e50676b \\\n scan --recursive /src/src/mendcode\n```\n\nResult on 2026-06-13:\n\n- 70 packages affected\n- 247 known vulnerabilities\n- 5 critical, 85 high, 136 medium, 21 low\n- 246 vulnerabilities report fixed versions\n- affected lockfiles: `src/mendcode/bun.lock`, `src/mendcode/sdks/vscode/bun.lock`\n\nExamples seen in output: `protobufjs`, `shell-quote`, `turbo`, `vite`, `undici`, `wrangler`, `esbuild`, `minimatch`, `serialize-javascript`, `hono`, `axios`, `astro`.\n\n## Release impact\n\nPR #54 adds a release workflow that runs OSV before dependency install and before publishing. That means release infrastructure can merge, but no public release should be published until this issue is closed.\n\n## Acceptance criteria\n\n- Regenerate lockfiles through the approved dependency workflow.\n- Do not hand-edit lockfile versions.\n- Run OSV and get a clean result, or document explicit accepted residual risk with maintainer sign-off.\n- Run the release workflow in `dry_run=true` after remediation.\n- Only publish a real GitHub Release after the OSV release gate passes.\n","author":{"url":"https://github.com/Obed0101","@type":"Person","name":"Obed0101"},"datePublished":"2026-06-13T02:05:52.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":2},"url":"https://github.com/55/MendCode/issues/55"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:1cccfb35-d4a6-6306-9e6c-c59b8def522c |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | 9074:2DB422:112CF01:17AD879:6A4DE2E5 |
| html-safe-nonce | 221a74e4a72b47b51c307239ab3eeb833d9d1ff0e19c875e3282e0135e417e28 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiI5MDc0OjJEQjQyMjoxMTJDRjAxOjE3QUQ4Nzk6NkE0REUyRTUiLCJ2aXNpdG9yX2lkIjoiMTc5ODE0MjY3OTM1Mjk5MjQ4NSIsInJlZ2lvbl9lZGdlIjoiaWFkIiwicmVnaW9uX3JlbmRlciI6ImlhZCJ9 |
| visitor-hmac | 53dfc7d99253466a872cbad2480101cbfc1deb518f16dd868a2e79e3cb89980b |
| hovercard-subject-tag | issue:4653919665 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/MendCode/MendCode/55/issue_layout |
| twitter:image | https://opengraph.githubassets.com/73ee380a36cfe2f9e99b47d9fb65f0b008465f510d82d4fcb1799cfaedde4d0e/MendCode/MendCode/issues/55 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/73ee380a36cfe2f9e99b47d9fb65f0b008465f510d82d4fcb1799cfaedde4d0e/MendCode/MendCode/issues/55 |
| og:image:alt | Summary OSV scanning currently blocks a real MendCode release because the checked-in lockfiles contain vulnerable dependency versions. Local command run from /Users/obed/Code/MendCode: docker run -... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | Obed0101 |
| hostname | github.com |
| expected-hostname | github.com |
| None | 06b8a6144231bf3a234f1c2e9993861e07ce98a905912b114aa386c2d7e84b33 |
| turbo-cache-control | no-preview |
| go-import | github.com/MendCode/MendCode git https://github.com/MendCode/MendCode.git |
| octolytics-dimension-user_id | 282124424 |
| octolytics-dimension-user_login | MendCode |
| octolytics-dimension-repository_id | 1262277607 |
| octolytics-dimension-repository_nwo | MendCode/MendCode |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 1262277607 |
| octolytics-dimension-repository_network_root_nwo | MendCode/MendCode |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 1d344bdb7547fe6bca17a59bb2b8aac3dc9532a0 |
| ui-target | canary-2 |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width