
fix(deps): bump basic-ftp resolution to >=5.2.1 (GHSA-chqc-8p9q-pq6q)#8458

Closed
mukeshsp wants to merge 1 commit into master from mukesh/CSHLD-586-fix-basic-ftp-vuln

Conversation

@mukeshsp
Contributor

@mukeshsp mukeshsp commented Apr 9, 2026

Summary

Fixes the bitgo-beta release audit failure caused by a HIGH severity vulnerability in basic-ftp.

Advisory: GHSA-chqc-8p9q-pq6q
Vulnerability: FTP command injection via CRLF sequences in file path parameters (basic-ftp v5.2.0)
Dependency chain: @bitgo/sdk-api > proxy-agent > pac-proxy-agent > get-uri > basic-ftp

Changes

  • package.json: bumped resolutions["basic-ftp"] from >=5.2.0 to >=5.2.1
  • yarn.lock: updated to resolve basic-ftp to the patched 5.2.1

Test plan

  • Verify yarn run improved-yarn-audit --min-severity high passes with no basic-ftp findings

Ticket: CSHLD-586

🤖 Generated with Claude Code

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@mukeshsp mukeshsp requested a review from a team as a code owner April 9, 2026 13:26
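The PR fixes the audit finding by forcing a `resolutions` range and regenerating `yarn.lock`. The test plan re-runs the audit tool; the complementary check a reviewer wants is to confirm, from the lockfile itself, that every `basic-ftp` entry actually resolved to at least 5.2.1, since a stale or partially regenerated `yarn.lock` can keep the old version while `package.json` looks right. The following is an added example, not code from this PR, from BitGo, from basic-ftp or from yarn: a small yarn lockfile (v1 format) parser plus a minimum-version check, run over two constructed lockfile fragments (one modelled on the patched state, one on the pre-fix state). The lockfile text, the `get-uri` range and the function names are assumptions made for the example; prerelease tags are ignored by the version comparison.

```javascript
// Added example, not code from the PR, BitGo, basic-ftp or yarn: check that a
// yarn.lock (v1 format) resolves every entry for a package to at least a
// minimum version. Uses only the language itself, no third-party modules.

// Constructed yarn.lock fragment modelled on the patched state the PR
// describes: the resolutions range and the transitive range both resolve
// to 5.2.1. (The get-uri range and URLs are assumptions for the example.)
const PATCHED_LOCK = `# yarn lockfile v1


"basic-ftp@>=5.2.1", basic-ftp@^5.0.2:
  version "5.2.1"
  resolved "https://registry.yarnpkg.com/basic-ftp/-/basic-ftp-5.2.1.tgz"

get-uri@^6.0.1:
  version "6.0.4"
  resolved "https://registry.yarnpkg.com/get-uri/-/get-uri-6.0.4.tgz"
  dependencies:
    basic-ftp "^5.0.2"
`;

// Constructed fragment of the pre-fix state: the old ">=5.2.0" resolution
// still lets the vulnerable 5.2.0 through.
const VULNERABLE_LOCK = `# yarn lockfile v1


"basic-ftp@>=5.2.0", basic-ftp@^5.0.2:
  version "5.2.0"
  resolved "https://registry.yarnpkg.com/basic-ftp/-/basic-ftp-5.2.0.tgz"
`;

// Parse a v1 lockfile into [{ names: Set<string>, version: string }].
// A v1 entry is a header line of comma-separated "name@range" keys ending in
// ':' followed by indented fields; entries are separated by blank lines.
function parseYarnLockV1(text) {
  const entries = [];
  for (const block of text.split(/\n\s*\n/)) {
    const lines = block.split('\n').filter((l) => l.trim() !== '');
    if (lines.length === 0 || lines[0].startsWith('#') || !lines[0].endsWith(':')) continue;
    const names = new Set(
      lines[0].slice(0, -1).split(',').map((key) => {
        const k = key.trim().replace(/^"|"$/g, '');
        // Scoped packages (@scope/name@range) contain a leading '@', so the
        // range separator is the last '@'.
        return k.slice(0, k.lastIndexOf('@'));
      }),
    );
    const versionLine = lines.find((l) => /^\s+version\s+"/.test(l));
    const m = versionLine && versionLine.match(/version\s+"([^"]+)"/);
    if (m) entries.push({ names, version: m[1] });
  }
  return entries;
}

// Compare two dotted versions numerically: -1, 0 or 1. Prerelease suffixes
// are dropped, a simplification assumed for this example.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Report every resolved version of `name` and whether all of them satisfy
// >= minVersion. No entry at all also fails: a package that is supposed to
// be pinned but is absent from the lockfile deserves a look, not a pass.
function auditResolution(lockText, name, minVersion) {
  const versions = parseYarnLockV1(lockText)
    .filter((e) => e.names.has(name))
    .map((e) => e.version);
  const ok = versions.length > 0 && versions.every((v) => compareVersions(v, minVersion) >= 0);
  return { ok, versions };
}

for (const [label, lock] of [['patched', PATCHED_LOCK], ['pre-fix', VULNERABLE_LOCK]]) {
  const result = auditResolution(lock, 'basic-ftp', '5.2.1');
  console.log(`${label}: ${result.ok ? 'PASS' : 'FAIL'} (resolved ${result.versions.join(', ')})`);
}
```

Against a real checkout the same check would read `yarn.lock` from disk and run with the package name and the minimum version taken from the advisory; the audit tool in the test plan answers "is a known-vulnerable version present", while this answers the narrower question "did the resolution land in the lockfile", which is what a `resolutions` bump is supposed to guarantee.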
@linear

linear bot commented Apr 9, 2026

@mukeshsp
Contributor Author

mukeshsp commented Apr 9, 2026

Closing as duplicate of #8457

@mukeshsp mukeshsp closed this Apr 9, 2026