fix(deps): bump basic-ftp (#78637)

* fix(deps): bump basic-ftp Signed-off-by: sallyom <somalley@redhat.com> * docs: note basic-ftp advisory fix Signed-off-by: sallyom <somalley@redhat.com> --------- Signed-off-by: sallyom <somalley@redhat.com>
2026-05-08 22:40:43 +00:00 · 2026-05-06 17:31:12 -04:00
parent 51356620e9
commit 3be4251f21
3 changed files with 8 additions and 7 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -464,6 +464,7 @@ Docs: https://docs.openclaw.ai
 - Telegram/streaming: finalize text replies by stopping the edited stream message instead of sending a second answer bubble, so Telegram turns cannot duplicate the streamed final response. (#77947) Thanks @obviyus.
 - web_search/Brave: fix provider selection when Brave is installed as an external plugin and `tools.web.search.provider: "brave"` is explicitly configured — a redundant provider re-resolution at startup could race and return an empty list, causing a spurious `WEB_SEARCH_PROVIDER_INVALID_AUTODETECT` warning and treating the explicitly configured provider as absent. Fixes #77676. Thanks @openperf.
 - Doctor/plugins: discover doctor contracts from load-path channel plugins during `openclaw doctor --fix`, so plugin-owned legacy config repair runs before validation. (#77477) Thanks @jalehman.
+- Dependencies: bump transitive `basic-ftp` to 5.3.1 so the runtime lockfile no longer includes the vulnerable 5.3.0 build flagged by the production dependency audit. (#78637) Thanks @sallyom.

 ## 2026.5.3-1

--- a/package.json
+++ b/package.json
@@ -1787,7 +1787,7 @@
      "fast-xml-parser": "5.7.0",
      "request": "npm:@cypress/request@3.0.10",
      "request-promise": "npm:@cypress/request-promise@5.0.0",
-      "basic-ftp": "5.3.0",
+      "basic-ftp": "5.3.1",
      "file-type": "22.0.1",
      "form-data": "2.5.4",
      "ip-address": "10.2.0",
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -15,7 +15,7 @@ overrides:
  fast-xml-parser: 5.7.0
  request: npm:@cypress/request@3.0.10
  request-promise: npm:@cypress/request-promise@5.0.0
-  basic-ftp: 5.3.0
+  basic-ftp: 5.3.1
  file-type: 22.0.1
  form-data: 2.5.4
  ip-address: 10.2.0
@@ -4805,8 +4805,8 @@ packages:
  base64-js@1.5.1:
    resolution: {integrity: sha512-AKpaYlHn8t4SVbOHCy+b5+KKgvR4vrsD8vbvrbiQJps7fKDTkjkDry6ji0rUJjC0kzbNePLwzxq8iypo41qeWA==}

-  basic-ftp@5.3.0:
-    resolution: {integrity: sha512-5K9eNNn7ywHPsYnFwjKgYH8Hf8B5emh7JKcPaVjjrMJFQQwGpwowEnZNEtHs7DfR7hCZsmaK3VA4HUK0YarT+w==}
+  basic-ftp@5.3.1:
+    resolution: {integrity: sha512-bopVNp6ugyA150DDuZfPFdt1KZ5a94ZDiwX4hMgZDzF+GttD80lEy8kj98kbyhLXnPvhtIo93mdnLIjpCAeeOw==}
    engines: {node: '>=10.0.0'}

  bidi-js@1.0.3:
@@ -11645,7 +11645,7 @@ snapshots:

  base64-js@1.5.1: {}

-  basic-ftp@5.3.0: {}
+  basic-ftp@5.3.1: {}

  bidi-js@1.0.3:
    dependencies:
@@ -12446,7 +12446,7 @@ snapshots:

  get-uri@6.0.5:
    dependencies:
-      basic-ftp: 5.3.0
+      basic-ftp: 5.3.1
      data-uri-to-buffer: 6.0.2
      debug: 4.4.3
    transitivePeerDependencies:
@@ -12454,7 +12454,7 @@ snapshots:

  get-uri@8.0.0:
    dependencies:
-      basic-ftp: 5.3.0
+      basic-ftp: 5.3.1
      data-uri-to-buffer: 8.0.0
      debug: 4.4.3
    transitivePeerDependencies: