chore(security): ignore CVE-2026-12151 in Next.js bundled undici #240

Merged
james merged 1 commit from trivyignore-next-undici into main 2026-06-23 13:13:32 +00:00
Owner
No description provided.
chore(security): ignore CVE-2026-12151 in Next.js bundled undici
All checks were successful
Commits / Conventional Commits (pull_request) Successful in 8s
PR / OSV-Scanner (pull_request) Successful in 1m49s
PR / Client (web export smoke) (pull_request) Successful in 2m7s
PR / Lint (pull_request) Successful in 2m11s
PR / Static analysis (pull_request) Successful in 2m13s
PR / pnpm audit (pull_request) Successful in 2m22s
PR / OpenAPI (pull_request) Successful in 2m46s
PR / Package age policy (soft) (pull_request) Successful in 34s
PR / Typecheck (pull_request) Successful in 2m54s
Secrets / gitleaks (pull_request) Successful in 47s
PR / Test (sqlite) (pull_request) Successful in 3m5s
PR / Build (pull_request) Successful in 3m10s
PR / Test (postgres) (pull_request) Successful in 3m10s
PR / Coverage (soft) (pull_request) Successful in 1m20s
PR / Trivy (image) (pull_request) Successful in 1m49s
0c8fedb4c5
Next.js 16.2.9 bundles undici 6.21.0 inside
next/dist/compiled/edge-runtime/index.js. The vendored copy is not
in pnpm-lock and cannot be bumped without upgrading Next.js; 16.2.9
is the latest stable.

Carol has zero Edge routes — proxy.ts is Node-only and no route
under apps/api/app/ declares runtime = 'edge', so the bundled
edge-runtime/index.js ships on disk but is never loaded at
runtime. Mirrors the picomatch precedent already in .trivyignore.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

📊 Test coverage

Patch coverage: no testable lines changed.

Overall (app/, lib/, db/, excluding UI per ADR-0019):

| Metric | Value | Soft target |
|---|---|---|
| Lines | 83.0% ✅ | ≥ 50% |
| Branches | 75.9% ✅ | ≥ 75% |
| Functions | 91.3% | informational |

Soft thresholds per [ADR-0019](docs/adr/0019-coverage-soft-targets.md). Coverage is informational and does not block merge.

james merged commit 542dfd6d9e into main 2026-06-23 13:13:32 +00:00
james deleted branch trivyignore-next-undici 2026-06-23 13:13:32 +00:00