From 3be4251f21ad264b08fda520983da28b69cd807f Mon Sep 17 00:00:00 2001
From: Sally O'Malley
Date: Wed, 6 May 2026 17:31:12 -0400
Subject: [PATCH] fix(deps): bump basic-ftp (#78637)

* fix(deps): bump basic-ftp

Signed-off-by: sallyom

* docs: note basic-ftp advisory fix

Signed-off-by: sallyom

---------

Signed-off-by: sallyom
---
 CHANGELOG.md | 1 +
 package.json | 2 +-
 pnpm-lock.yaml | 12 ++++++------
 3 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 404370297f1..db4920aa25e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -464,6 +464,7 @@ Docs: https://docs.openclaw.ai
 - Telegram/streaming: finalize text replies by stopping the edited stream message instead of sending a second answer bubble, so Telegram turns cannot duplicate the streamed final response. (#77947) Thanks @obviyus.
 - web_search/Brave: fix provider selection when Brave is installed as an external plugin and `tools.web.search.provider: "brave"` is explicitly configured — a redundant provider re-resolution at startup could race and return an empty list, causing a spurious `WEB_SEARCH_PROVIDER_INVALID_AUTODETECT` warning and treating the explicitly configured provider as absent. Fixes #77676. Thanks @openperf.
 - Doctor/plugins: discover doctor contracts from load-path channel plugins during `openclaw doctor --fix`, so plugin-owned legacy config repair runs before validation. (#77477) Thanks @jalehman.
+- Dependencies: bump transitive `basic-ftp` to 5.3.1 so the runtime lockfile no longer includes the vulnerable 5.3.0 build flagged by the production dependency audit. (#78637) Thanks @sallyom.

 ## 2026.5.3-1

diff --git a/package.json b/package.json
index 7b8353db0b0..bcc64418553 100644
--- a/package.json
+++ b/package.json
@@ -1787,7 +1787,7 @@
 "fast-xml-parser": "5.7.0",
 "request": "npm:@cypress/request@3.0.10",
 "request-promise": "npm:@cypress/request-promise@5.0.0",
- "basic-ftp": "5.3.0",
+ "basic-ftp": "5.3.1",
 "file-type": "22.0.1",
 "form-data": "2.5.4",
 "ip-address": "10.2.0",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index ae5a265e44d..329b634f30e 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -15,7 +15,7 @@ overrides:
 fast-xml-parser: 5.7.0
 request: npm:@cypress/request@3.0.10
 request-promise: npm:@cypress/request-promise@5.0.0
- basic-ftp: 5.3.0
+ basic-ftp: 5.3.1
 file-type: 22.0.1
 form-data: 2.5.4
 ip-address: 10.2.0
@@ -4805,8 +4805,8 @@ packages:
 base64-js@1.5.1:
 resolution: {integrity: sha512-AKpaYlHn8t4SVbOHCy+b5+KKgvR4vrsD8vbvrbiQJps7fKDTkjkDry6ji0rUJjC0kzbNePLwzxq8iypo41qeWA==}

- basic-ftp@5.3.0:
- resolution: {integrity: sha512-5K9eNNn7ywHPsYnFwjKgYH8Hf8B5emh7JKcPaVjjrMJFQQwGpwowEnZNEtHs7DfR7hCZsmaK3VA4HUK0YarT+w==}
+ basic-ftp@5.3.1:
+ resolution: {integrity: sha512-bopVNp6ugyA150DDuZfPFdt1KZ5a94ZDiwX4hMgZDzF+GttD80lEy8kj98kbyhLXnPvhtIo93mdnLIjpCAeeOw==}
 engines: {node: '>=10.0.0'}

 bidi-js@1.0.3:
@@ -11645,7 +11645,7 @@ snapshots:

 base64-js@1.5.1: {}

- basic-ftp@5.3.0: {}
+ basic-ftp@5.3.1: {}

 bidi-js@1.0.3:
 dependencies:
@@ -12446,7 +12446,7 @@ snapshots:

 get-uri@6.0.5:
 dependencies:
- basic-ftp: 5.3.0
+ basic-ftp: 5.3.1
 data-uri-to-buffer: 6.0.2
 debug: 4.4.3
 transitivePeerDependencies:
@@ -12454,7 +12454,7 @@ snapshots:

 get-uri@8.0.0:
 dependencies:
- basic-ftp: 5.3.0
+ basic-ftp: 5.3.1
 data-uri-to-buffer: 8.0.0
 debug: 4.4.3
 transitivePeerDependencies: