Skip to content

chore(SEC-10672): upgrade basic-ftp to 5.3.1#43

Draft
phantom-autopilot[bot] wants to merge 1 commit intomasterfrom
autopilot2/sec-10672_high-upgrade-basic-ftp-in-github-com-phantom-react-native-we
Draft

chore(SEC-10672): upgrade basic-ftp to 5.3.1#43
phantom-autopilot[bot] wants to merge 1 commit intomasterfrom
autopilot2/sec-10672_high-upgrade-basic-ftp-in-github-com-phantom-react-native-we

Conversation

@phantom-autopilot
Copy link
Copy Markdown

@phantom-autopilot phantom-autopilot Bot commented May 6, 2026

Summary

Resolves SEC-10672 — upgrade basic-ftp to 5.3.1 to fix GHSA-rpmf-866q-6p89 (CVE-2026-44240, HIGH).

basic-ftp <= 5.3.0 allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering.

Change

basic-ftp is a transitive dependency in this repo (via get-uri's ^5.0.2 range). Bumping the lockfile entry from 5.0.5 → 5.3.1 stays within the existing range, so no package.json changes are needed.

 basic-ftp@^5.0.2:
-  version "5.0.5"
+  version "5.3.1"

yarn install --frozen-lockfile succeeds and node_modules/basic-ftp/package.json reports "version": "5.3.1".

Test plan

  • yarn install --frozen-lockfile succeeds (lockfile consistent)
  • yarn lint passes (TypeScript + ESLint)
  • Verified node_modules/basic-ftp resolves to 5.3.1
  • No vulnerable 5.0.5 entry remains in yarn.lock

🤖 Generated with Claude Code

@phantom-autopilot
chore(SEC-10672): upgrade basic-ftp to 5.3.1
f9d2e43 
Resolves GHSA-rpmf-866q-6p89 (CVE-2026-44240) — basic-ftp <= 5.3.0
allows a malicious FTP server to cause client-side denial of service via
unbounded multiline control response buffering. basic-ftp is a transitive
dependency via get-uri's `^5.0.2` range; bumping the lockfile entry to
5.3.1 stays within the existing range.
@phantom-autopilot
Copy link
Copy Markdown
Author

phantom-autopilot Bot commented May 6, 2026

PR opened by agent

#43

@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented May 6, 2026

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6197d442-7048-4ef9-b3e4-245d05d909f6

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch autopilot2/sec-10672_high-upgrade-basic-ftp-in-github-com-phantom-react-native-we

Comment @coderabbitai help to get the list of available commands and usage tips.

@phantom-autopilot
Copy link
Copy Markdown
Author

phantom-autopilot Bot commented May 6, 2026

Pushed commit unknown to unknown

Commit, push, and open draft PR

PR opened by agent

open draft PR

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@phantom-autopilot