chore(security): close dependabot alerts q2 (#3456)

Closes ~80 dependabot alerts (3 critical, ~25 high, ~31 medium) by
bumping direct deps where possible and narrowly overriding the rest.
Cloud uses `resend` email transport and Node 20 - all bumps are safe for
both cloud and self-hosters.

## Direct upgrades

| Package | Where | From | To | Why |
|---|---|---|---|---|
| `vite` | root devDeps | ^5.4.21 | *(removed)* | dead pin; vitest pulls
vite transitively |
| `dompurify` | apps/webapp | ^3.2.6 | ^3.4.1 | XSS CVEs |
| `effect` | apps/webapp | ^3.11.7 | ^3.21.2 | AsyncLocalStorage CVE in
Effect fibers |
| `nodemailer` | internal-packages/emails | ^7.0.11 | ^8.0.6 | SMTP CRLF
injection (only affects self-hosters w/ smtp/aws-ses transport) |
| `uuid` | apps/webapp | ^9.0.0 | ^14.0.0 | buffer bounds check;
ESM-only but bundled by Remix |
| `uuid` + `@types/uuid` | packages/trigger-sdk | ^9.0.0 | *(removed)* |
dead deps, no usage |
| `@types/uuid` | apps/webapp | ^9.0.0 | *(removed)* | uuid 14 ships its
own types |
| `tar` | packages/cli-v3 | ^7.5.4 | ^7.5.13 | path traversal CVEs |
| `testcontainers` + `@testcontainers/postgresql` +
`@testcontainers/redis` | internal-packages/testcontainers | ^10.28.0 |
^11.14.0 | dev/test cleanup; one-line API fix for
`RedisContainer(image)` |
| `rimraf` | webapp + 6 packages | ^3.0.2 / ^5.0.7 | ^6.0.1 | dev/build
tool consolidation |

## Scoped overrides

All bound by both `>=` and `<` to avoid major-version yanks.

| Override | Closes |
|---|---|
| `tar@>=7 <7.5.11` → `^7.5.11` | supervisor's `@kubernetes/client-node
1.0.0` chain |
| `axios@>=1.0.0 <1.15.0` → `^1.15.0` | replaces older 1.9.0 pin |
| `systeminformation@>=5.0.0 <5.31.0` → `^5.31.0` | bumps existing
5.27.14 pin |
| `lodash@>=4.0.0 <4.18.0` → `^4.18.0` | bumps existing 4.17.23 pin |
| `lodash-es@>=4.0.0 <4.18.0` → `^4.18.0` | new (mirrors lodash) |
| `dompurify@>=3 <3.4.0` → `^3.4.1` | catches transitive dompurify via
mermaid |
| `vite@>=5.0.0 <6.4.2` → `^6.4.2` | path traversal; vite 5 has no patch
|
| `rollup@>=4 <4.59.0` → `^4.59.0` | path traversal in vite/vitest chain
|
| `flatted@>=3 <3.4.2` → `^3.4.2` | prototype pollution in eslint
flat-cache |
| `picomatch@>=2 <2.3.2` → `^2.3.2` | ReDoS in 2.x branch (transitive) |
| `picomatch@>=4 <4.0.4` → `^4.0.4` | ReDoS in 4.x branch
(vitest/tinyglobby) |
| `minimatch@>=3 <3.1.3` → `^3.1.3` | ReDoS in eslint 8 chain |
| `protobufjs@>=7 <7.5.5` → `^7.5.5` | **critical** RCE via
@opentelemetry/otlp-transformer |
| `fast-xml-parser@>=4 <4.5.5` → `^4.5.5` | DOCTYPE bypass + others (4.x
branch via aws-sdk in supervisor) |
| `fast-xml-parser@>=5 <5.7.0` → `^5.7.0` | **critical** + others (5.x
branch via aws-sdk in webapp) |
| `path-to-regexp@>=0.1 <0.1.13` → `^0.1.13` | ReDoS in express 4 /
@remix-run/express |
| `ajv@>=8 <8.18.0` → `^8.18.0` | DoS |
| `socket.io-parser@>=4 <4.2.6` → `^4.2.6` | DoS in @trigger.dev/core's
socket.io |
| `postcss@>=8 <8.5.10` → `^8.5.10` | XSS via stringify |
| `yaml@>=2 <2.8.3` → `^2.8.3` | DoS |
| `semver@>=5 <5.7.2` → `^5.7.2` | ReDoS in 5.x |
| `defu@>=6 <6.1.5` → `^6.1.5` | prototype pollution via __proto__ in
@prisma/config c12 chain |

## Dismissed (~47)

| Reason | Cluster | Count |
|---|---|---|
| `not_used` | langsmith + next 15.x in references/* | 10 |
| `not_used` | minimatch 8.x via prisma-generator-ts-enums
(references/prisma-6) | 3 |
| `not_used` | basic-ftp via puppeteer in references/hello-world +
references/seed | 2 |
| `not_used` | hono / @hono/node-server / express-rate-limit /
path-to-regexp 8.x / @modelcontextprotocol/sdk - all via mcp-sdk chain
(dormant in webapp; dev-only localhost in cli-v3) | 22 |
| `not_used` | fastify / @fastify/static / file-type via evalite devDep
| 5 |
| `tolerable_risk` | rollup 3 + minimatch 5/8/9/10 dev/build tooling |
13 |

## Notes

- **mcp-sdk chain**: `@vercel/sdk` in webapp imports `Vercel` API client
only; `mcp-server/*` subpath isn't loaded at runtime. cli-v3's MCP
server runs only via `trigger mcp` on developer machines. Bumping
`@modelcontextprotocol/sdk` to latest (1.29.0) wouldn't close these
alerts anyway - it ships hono ^4.11.4 which is still vulnerable - so
dismissal is the cleaner call.
- **References ignore list**: confirmed with current dependabot ignore
config; added `references/seed/package.json` (only gap).
- **undici** alerts (CVE-2026-1527, 4 alerts) will auto-close: lockfile
already at 6.25.0 > patched 6.24.0; just needs Dependabot rescan.
- **Effect 3.20 fix** is a runtime-only scheduler fix, no public API
changes - verified with research agent against our four `effect/*`
imports.
- **uuid 14** is ESM-only; we only call `validate`/`version` (no crypto
needed) so Node 20 requirement isn't load-bearing for us.
## Public packages (`packages/*`)

Minimal surface, deliberately. None of these change published runtime
behaviour - all changesets-worthy public package changes are deferred to
a regular release pass.

| Package | Change | Runtime impact |
|---|---|---|
| `packages/trigger-sdk` | Removed dead `uuid` dep (no source imports) |
None - dep was unused |
| `packages/cli-v3` | `tar` ^7.5.4 → ^7.5.13 | Patch bump within
already-allowed 7.x range; nothing CLI consumers see |
| `packages/core` / `packages/build` / `packages/python` /
`packages/rsc` / `packages/react-hooks` / `packages/schema-to-json` |
`rimraf` ^3.0.2 → ^6.0.1 in devDeps | Build-time only, no runtime change
|

No changeset added because nothing in these packages affects what
published consumers run.

## Validation

- Webapp typecheck (forced, no cache) passes after every commit
- Smoke-tested testcontainers v11 changes via real `postgresTest` +
`redisTest` (sync.test.ts, releaseConcurrency.test.ts) - both pass
- Webapp built + verified `require("uuid")` no longer in CJS server
output (now bundled inline)
- Test env webapp deployed at `dependabot-q2.rc0` (cloud#740) - no
issues observed
- Test suite run with package prerelease passed

Author: nicktrn

apps/webapp/package.json

@@ -147,9 +147,9 @@
     "cross-env": "^7.0.3",
     "cuid": "^2.1.8",
     "date-fns": "^4.1.0",
-    "dompurify": "^3.2.6",
+    "dompurify": "^3.4.1",
     "dotenv": "^16.4.5",
-    "effect": "^3.11.7",
+    "effect": "^3.21.2",
     "emails": "workspace:*",
     "eventsource": "^4.0.0",
     "evt": "^2.4.13",
@@ -227,7 +227,7 @@
     "tiny-invariant": "^1.2.0",
     "ulid": "^2.3.0",
     "ulidx": "^2.2.1",
-    "uuid": "^9.0.0",
+    "uuid": "^14.0.0",
     "ws": "^8.11.0",
     "zod": "3.25.76",
     "zod-error": "1.5.0",
@@ -249,7 +249,6 @@
     "@types/bcryptjs": "^2.4.2",
     "@types/compression": "^1.7.2",
     "@types/cookie": "^0.6.0",
-    "@types/dompurify": "^3.2.0",
     "@types/eslint": "^8.4.6",
     "@types/express": "^4.17.13",
     "@types/humanize-duration": "^3.27.1",
@@ -270,7 +269,6 @@
     "@types/slug": "^5.0.3",
     "@types/supertest": "^6.0.2",
     "@types/tar": "^6.1.4",
-    "@types/uuid": "^9.0.0",
     "@types/ws": "^8.5.3",
     "@typescript-eslint/eslint-plugin": "^5.59.6",
     "@typescript-eslint/parser": "^5.59.6",
@@ -292,7 +290,7 @@
     "prettier": "^2.8.8",
     "prettier-plugin-tailwindcss": "^0.3.0",
     "prop-types": "^15.8.1",
-    "rimraf": "^3.0.2",
+    "rimraf": "^6.0.1",
     "style-loader": "^3.3.4",
     "supertest": "^7.0.0",
     "tailwind-scrollbar": "^3.0.1",

apps/webapp/remix.config.js

@@ -31,6 +31,7 @@ module.exports = {
     "parse-duration",
     "uncrypto",
     "std-env",
+    "uuid",
   ],
   browserNodeBuiltinsPolyfill: {
     modules: {

internal-packages/emails/package.json

@@ -13,15 +13,15 @@
     "@aws-sdk/client-sesv2": "^3.716.0",
     "@react-email/components": "0.0.16",
     "@react-email/render": "^0.0.12",
-    "nodemailer": "^7.0.11",
+    "nodemailer": "^8.0.6",
     "react": "^18.2.0",
     "react-email": "^2.1.1",
     "resend": "^3.2.0",
     "tiny-invariant": "^1.2.0",
     "zod": "3.25.76"
   },
   "devDependencies": {
-    "@types/nodemailer": "^7.0.4",
+    "@types/nodemailer": "^8.0.0",
     "@types/react": "18.2.69"
   },
   "engines": {

internal-packages/otlp-importer/package.json

@@ -28,7 +28,7 @@
   },
   "devDependencies": {
     "@types/node": "^20",
-    "rimraf": "^3.0.2",
+    "rimraf": "^6.0.1",
     "ts-proto": "^1.167.3"
   },
   "engines": {

internal-packages/testcontainers/package.json

@@ -15,11 +15,11 @@
     "ioredis": "^5.3.2"
   },
   "devDependencies": {
-    "@testcontainers/postgresql": "^10.28.0",
-    "@testcontainers/redis": "^10.28.0",
+    "@testcontainers/postgresql": "^11.14.0",
+    "@testcontainers/redis": "^11.14.0",
     "@trigger.dev/core": "workspace:*",
     "std-env": "^3.9.0",
-    "testcontainers": "^10.28.0",
+    "testcontainers": "^11.14.0",
     "tinyexec": "^0.3.0"
   },
   "scripts": {

internal-packages/testcontainers/src/utils.ts

@@ -75,7 +75,9 @@ export async function createRedisContainer({
   port?: number;
   network?: StartedNetwork;
 }) {
-  let container = new RedisContainer().withExposedPorts(port ?? 6379).withStartupTimeout(120_000); // 2 minutes
+  let container = new RedisContainer("redis:7.2")
+    .withExposedPorts(port ?? 6379)
+    .withStartupTimeout(120_000); // 2 minutes
 
   if (network) {
     container = container.withNetwork(network).withNetworkAliases("redis");
@@ -97,7 +99,7 @@ export async function createRedisContainer({
   const [error] = await tryCatch(verifyRedisConnection(startedContainer));
 
   if (error) {
-    await startedContainer.stop({ timeout: 30 });
+    await startedContainer.stop({ timeout: 30_000 });
     throw new Error("verifyRedisConnection error", { cause: error });
   }
 
@@ -236,7 +238,7 @@ export async function useContainer<TContainer extends StartedTestContainer>(
     metadata.useDurationMs = useDurationMs;
   } finally {
     // WARNING: Testcontainers by default will not wait until the container has stopped. It will simply issue the stop command and return immediately.
-    // If you need to wait for the container to be stopped, you can provide a timeout. The unit of timeout option here is second
-    await logCleanup(name, container.stop({ timeout: 10 }), metadata);
+    // If you need to wait for the container to be stopped, you can provide a timeout. The unit of timeout option here is milliseconds (changed from seconds in testcontainers v11)
+    await logCleanup(name, container.stop({ timeout: 10_000 }), metadata);
   }
 }

package.json

@@ -62,7 +62,6 @@
     "tsx": "^3.7.1",
     "turbo": "^1.10.3",
     "typescript": "5.5.4",
-    "vite": "^5.4.21",
     "vite-tsconfig-paths": "^4.0.5",
     "vitest": "3.1.4"
   },
@@ -90,17 +89,35 @@
       "@types/node": "20.14.14",
       "express@^4>body-parser": "1.20.3",
       "@remix-run/dev@2.17.4>tar-fs": "2.1.4",
-      "testcontainers@10.28.0>tar-fs": "3.1.1",
+      "tar@>=7 <7.5.11": "^7.5.11",
       "form-data@^2": "2.5.4",
       "form-data@^3": "3.0.4",
       "form-data@^4": "4.0.4",
-      "axios@1.9.0": ">=1.12.0",
+      "axios@>=1.0.0 <1.15.0": "^1.15.0",
       "js-yaml@>=3.0.0 <3.14.2": "3.14.2",
       "js-yaml@>=4.0.0 <4.1.1": "4.1.1",
       "jws@<3.2.3": "3.2.3",
       "qs@>=6.0.0 <6.14.1": "6.14.1",
-      "systeminformation@>=5.0.0 <5.27.14": "5.27.14",
-      "lodash@>=4.0.0 <4.17.23": "4.17.23"
+      "systeminformation@>=5.0.0 <5.31.0": "^5.31.0",
+      "lodash@>=4.17 <4.18.0": "^4.18.0",
+      "lodash-es@>=4.17 <4.18.0": "^4.18.0",
+      "dompurify@>=3 <3.4.0": "^3.4.1",
+      "vite@>=5.0.0 <6.4.2": "^6.4.2",
+      "rollup@>=4 <4.59.0": "^4.59.0",
+      "flatted@>=3 <3.4.2": "^3.4.2",
+      "picomatch@>=2 <2.3.2": "^2.3.2",
+      "picomatch@>=4 <4.0.4": "^4.0.4",
+      "minimatch@>=3 <3.1.3": "^3.1.3",
+      "protobufjs@>=7 <7.5.5": "^7.5.5",
+      "fast-xml-parser@>=4 <4.5.5": "^4.5.5",
+      "fast-xml-parser@>=5 <5.7.0": "^5.7.0",
+      "path-to-regexp@>=0.1 <0.1.13": "^0.1.13",
+      "ajv@>=8 <8.18.0": "^8.18.0",
+      "socket.io-parser@>=4 <4.2.6": "^4.2.6",
+      "postcss@>=8 <8.5.10": "^8.5.10",
+      "yaml@>=2 <2.8.3": "^2.8.3",
+      "semver@>=5 <5.7.2": "^5.7.2",
+      "defu@>=6 <6.1.5": "^6.1.5"
     },
     "onlyBuiltDependencies": [
       "@depot/cli",

packages/cli-v3/package.json

@@ -64,7 +64,7 @@
     "cpy-cli": "^5.0.0",
     "execa": "^8.0.1",
     "find-up": "^7.0.0",
-    "rimraf": "^5.0.7",
+    "rimraf": "^6.0.1",
     "ts-essentials": "10.0.1",
     "tshy": "^3.0.2",
     "tsx": "4.17.0"
@@ -140,7 +140,7 @@
     "std-env": "^3.7.0",
     "strip-ansi": "^7.1.0",
     "supports-color": "^10.0.0",
-    "tar": "^7.5.4",
+    "tar": "^7.5.13",
     "tiny-invariant": "^1.2.0",
     "tinyexec": "^0.3.1",
     "tinyglobby": "^0.2.10",

packages/core/package.json

@@ -215,7 +215,7 @@
     "ai": "^6.0.0",
     "defu": "^6.1.4",
     "esbuild": "^0.23.0",
-    "rimraf": "^3.0.2",
+    "rimraf": "^6.0.1",
     "superjson": "^2.2.1",
     "ts-essentials": "10.0.1",
     "tshy": "^3.0.2",

packages/react-hooks/package.json

@@ -44,7 +44,7 @@
     "@arethetypeswrong/cli": "^0.15.4",
     "@types/react": "*",
     "@types/react-dom": "*",
-    "rimraf": "^3.0.2",
+    "rimraf": "^6.0.1",
     "tshy": "^3.0.2",
     "tsx": "4.17.0"
   },