chore(deps-dev): update dependency @hey-api/openapi-ts to v0.97.3 [security]#1137
Open
renovate[bot] wants to merge 1 commit into
Open
chore(deps-dev): update dependency @hey-api/openapi-ts to v0.97.3 [security]#1137renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
Contributor
📦 Bundle Size Report
Size Limits
Largest Files (Top 5)
View All Files (341 total)
✅ Bundle size check passed |
Contributor
📊 Coverage Report⚪ Coverage unchanged
Detailed BreakdownLines Coverage
Statements Coverage
Functions Coverage
Branches Coverage
✅ Coverage check passed |
Contributor
|
Deploy preview for adp-cost-calculator ready!
Deployed with vercel-action |
Contributor
|
Deploy preview for remote-flows ready!
Deployed with vercel-action |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
0.95.0→0.97.3@hey-api/openapi-ts's
buildClientParamstemplate: prototype chain substitution via unknown$<slot>___proto__keyCVE-2026-48819 / GHSA-hhx9-57xq-r5rw
More information
Details
Summary
dist/clients/core/params.tsin@hey-api/openapi-tsships a runtime template that is copied verbatim into every generated SDK asparams.gen.ts. When a caller passes an object argument containing an unknown key starting with a slot prefix ($body_,$headers_,$path_,$query_), the function strips the prefix and writes the remainder directly to that slot without validation. The key"$query___proto__"causes the returnedparams.queryobject to have its prototype chain substituted with attacker-controlled data. The issue is present in all versions through at least0.97.2.Details
The vulnerable branch in
dist/clients/core/params.ts:This branch runs for any key that (1) is not registered in the field map and (2) starts with one of the four slot prefixes. When a caller passes
"$query___proto__"as an extra key alongside a legitimate field, the key is not in the field map,key.startsWith("$query_")is true, andkey.slice(7)produces"__proto__". The bracket-writeparams["query"]["__proto__"] = valueinvokes the__proto__setter, which callsObject.setPrototypeOf(params.query, value).Reachability. Every generated endpoint method that accepts an object argument passes it through
buildClientParams. If the application forwards user-supplied request parameters to a generated client method — a common pattern in proxy servers, BFF layers, and API gateways — an attacker can include"$query___proto__"alongside a legitimate field (e.g."q"). The legitimate field ensuresstripEmptySlotsdoes not remove the affected slot (it has at least one own key), so the poisonedparams.queryobject is returned to the caller.Concrete field config that hey-api generates for a GET endpoint with one query param
q:A request
{ q: "hello", "$query___proto__": { isAdmin: true } }reaches this call with"q"going to the field map branch and"$query___proto__"falling through toextraPrefixes.PoC
poc.ts:Expected output:
No sentinel key is needed. The legitimate field
"q"keepsparams.queryalive throughstripEmptySlots.reproduce.zip
Impact
The returned
params.queryobject has its prototype chain substituted with the attacker-supplied value. Any downstream code that iterates it withfor..in(e.g., when serializing query parameters for an outgoing HTTP request) will enumerate the injected keys alongside legitimate ones. Applications that check inherited properties on the params object for routing or authorization decisions are also affected.Global
Object.prototypeis not modified — impact is limited to the returned slot object and its consumers.Every npm package generated by
@hey-api/openapi-tscarries this template. Downstream packages include@opencode-ai/sdk,@trigger.dev/sdk, and others. A fix in the template propagates to all of them on regeneration.Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
hey-api/hey-api (@hey-api/openapi-ts)
v0.97.3Patch Changes
plugin(@hey-api/client-axios): fix: correct return type in SSE (#3919) (
a19b3a4) by @kitlangtonplugin(@tanstack/preact-query): add
getQueryDataoption (#3827) (1aa4785) by @inas-sirhanplugin(@hey-api/client-ofetch): fix: correct return type in SSE (#3919) (
a19b3a4) by @kitlangtonplugin(@tanstack/svelte-query): add
getQueryDataoption (#3827) (1aa4785) by @inas-sirhanplugin(@tanstack/angular-query-experimental): add
getQueryDataoption (#3827) (1aa4785) by @inas-sirhanplugin(@tanstack/react-query): add
getQueryDataoption (#3827) (1aa4785) by @inas-sirhanplugin(@hey-api/client-fetch): fix: correct return type in SSE (#3919) (
a19b3a4) by @kitlangtonplugin(@tanstack/react-query): add
useGetQueryDataoption (#3827) (1aa4785) by @inas-sirhanplugin(@hey-api/client-ky): fix: correct return type in SSE (#3919) (
a19b3a4) by @kitlangtonplugin(@tanstack/solid-query): add
getQueryDataoption (#3827) (1aa4785) by @inas-sirhanplugin(@hey-api/client-next): fix: correct return type in SSE (#3919) (
a19b3a4) by @kitlangtonplugin(@tanstack/preact-query): add
useGetQueryDataoption (#3827) (1aa4785) by @inas-sirhanplugin(@hey-api/client-angular): fix: correct return type in SSE (#3919) (
58962a0) by @kitlangtonplugin(@hey-api/transformers): add support for Temporal API via temporal-polyfill in
dates(#3916) (bfa457a) by @OptoCloudplugin(@tanstack/vue-query): add
getQueryDataoption (#3827) (1aa4785) by @inas-sirhanplugin(zod): fix: avoid invalid
.extend()onz.record()when a discriminated union member is an empty object (#3915) (8fa9f3a) by @pullfrogUpdated Dependencies:
v0.97.2Patch Changes
plugin(zod): use enums from TypeScript if available (#3884) (
abc8ceb) by @mrlubosplugin(@hey-api/client-next): fix: preserve query auth when when there are no other query parameters (#3853) (
a6ee7eb) by @copilot-swe-agentplugin(@hey-api/sdk): support
valibotas response transformer (#3847) (6770f78) by @SukkaWplugin(@tanstack/vue-query): add
mutationKeysoption (#3858) (d86680a) by @slmnshplugin(@hey-api/client-nuxt): fix: preserve query auth when when there are no other query parameters (#3853) (
a6ee7eb) by @copilot-swe-agentplugin(@tanstack/svelte-query): add
mutationKeysoption (#3858) (d86680a) by @slmnshplugin(@hey-api/sdk): support
zodas response transformer (#3847) (6770f78) by @SukkaWplugin(@hey-api/client-angular): fix: preserve query auth when when there are no other query parameters (#3853) (
a6ee7eb) by @copilot-swe-agentplugin(@hey-api/client-fetch): fix: preserve query auth when when there are no other query parameters (#3853) (
a6ee7eb) by @copilot-swe-agentplugin(@hey-api/client-axios): fix: preserve query auth when when there are no other query parameters (#3853) (
a6ee7eb) by @copilot-swe-agentplugin(valibot): use enums from TypeScript if available (#3884) (
abc8ceb) by @mrlubosplugin(@tanstack/react-query): add
mutationKeysoption (#3858) (d86680a) by @slmnshplugin(@tanstack/solid-query): add
mutationKeysoption (#3858) (d86680a) by @slmnshplugin(@hey-api/client-ofetch): fix: preserve query auth when when there are no other query parameters (#3853) (
a6ee7eb) by @copilot-swe-agentplugin(@hey-api/client-ky): fix: preserve query auth when when there are no other query parameters (#3853) (
a6ee7eb) by @copilot-swe-agentplugin(@tanstack/preact-query): add
mutationKeysoption (#3858) (d86680a) by @slmnshdsl: fix: cache lazy node result (#3855) (
7dee3c2) by @awdr74100plugin(@tanstack/angular-query-experimental): add
mutationKeysoption (#3858) (d86680a) by @slmnshUpdated Dependencies:
v0.97.1Patch Changes
additionalPropertieskey variables (#3841) (d880caa) by @pullfrogUpdated Dependencies:
v0.97.0Minor Changes
BREAKING plugin(@hey-api/client-ky): fix: pass previous result to error interceptors (#3814) (
0d388de) by @SukkaWBREAKING client: resolve
runtimeConfigPathrelative to the output folder (#3770) (296da55) by @inas-sirhanChanged
runtimeConfigPathbehaviorThis was a known, long-standing issue confusing first-time users. Before, defining client
runtimeConfigPathvalue would paste it verbatim to the generated output. This release changes the behavior to resolve relative to the current working directory the same way output path works.BREAKING plugin(@hey-api/client-angular):
requestandresponseobjects might be undefined (#3814) (0d388de) by @SukkaWBREAKING plugin(@hey-api/client-angular): fix: respect
throwOnErrorwhen request validation fails (#3814) (0d388de) by @SukkaWBREAKING plugin(@hey-api/client-next):
requestandresponseobjects might be undefined (#3814) (0d388de) by @SukkaWBREAKING plugin(@hey-api/client-fetch): fix: pass previous result to error interceptors (#3814) (
0d388de) by @SukkaWBREAKING plugin(@hey-api/client-ky):
requestandresponseobjects might be undefined (#3814) (0d388de) by @SukkaWBREAKING plugin(@hey-api/client-fetch):
requestandresponseobjects might be undefined (#3814) (0d388de) by @SukkaWBREAKING plugin(@hey-api/client-ofetch):
requestandresponseobjects might be undefined (#3814) (0d388de) by @SukkaWBREAKING plugin(@hey-api/client-ky): fix: respect
throwOnErrorwhen request validation fails (#3814) (0d388de) by @SukkaWBREAKING plugin(@hey-api/client-fetch): fix: respect
throwOnErrorwhen request validation fails (#3814) (0d388de) by @SukkaWBREAKING plugin(@hey-api/client-next): fix: pass previous result to error interceptors (#3814) (
0d388de) by @SukkaWBREAKING plugin(@hey-api/client-ky): respect ky instance defaults (#3806) (
d16cf1c) by @SukkaWChanged Ky client behavior
The Ky client was updated to be more intuitive. Some Ky options now need to be passed via the
kyOptionsfield and you need to passundefinedto unset an option.BREAKING plugin(@hey-api/client-ofetch): fix: respect
throwOnErrorwhen request validation fails (#3814) (0d388de) by @SukkaWBREAKING plugin(@hey-api/client-next): fix: respect
throwOnErrorwhen request validation fails (#3814) (0d388de) by @SukkaWPatch Changes
plugin(@tanstack/vue-query): add
setQueryDataoption (#3824) (1ef4af0) by @inas-sirhanplugin(@tanstack/react-query): add
useSetQueryDataoption (#3824) (1ef4af0) by @inas-sirhancli: print file count and generator speed (#3828) (
6e5249f) by @SukkaWplugin(@tanstack/preact-query): add
useSetQueryDataoption (#3824) (1ef4af0) by @inas-sirhanplugin(@tanstack/svelte-query): add
setQueryDataoption (#3824) (1ef4af0) by @inas-sirhanplugin(zod): fix: fallback
.discriminatedUnionto.unionif members contain intersection (#3813) (b88e8b5) by @copilot-swe-agentconfig: fix: remove
--applyflag from Biome post-processor commands (#3812) (084de63) by @copilot-swe-agentplugin(@tanstack/react-query): add
setQueryDataoption (#3824) (1ef4af0) by @inas-sirhanplugin(@tanstack/solid-query): add
setQueryDataoption (#3824) (1ef4af0) by @inas-sirhanplugin(@tanstack/preact-query): add
setQueryDataoption (#3824) (1ef4af0) by @inas-sirhanplugin(@tanstack/angular-query-experimental): add
setQueryDataoption (#3824) (1ef4af0) by @inas-sirhanUpdated Dependencies:
v0.96.1Patch Changes
parser: fix: re-add implicitly-filtered schemas in collectOperations (#3791) (
0d3cb9f) by @sbs44plugin(@hey-api/client-fetch): fix: narrow
headerstoHeadersinResolvedRequestOptions(#3757) (f69b192) by @inas-sirhanplugin(zod): add support for
.discriminatedUnion()(#3780) (3d8db90) by @copilot-swe-agentparser: fix: avoid encoding url unsafe characters (#3782) (
290c14f) by @copilot-swe-agentplugin(@hey-api/client-next): fix: narrow
headerstoHeadersinResolvedRequestOptions(#3757) (aa75345) by @inas-sirhanplugin(valibot): add support for
.variant()(#3780) (3d8db90) by @copilot-swe-agentplugin(zod): support generating
z.inputandz.outputtypes (#3759) (cda5297) by @mrlubosplugin(@hey-api/client-ky): fix: narrow
headerstoHeadersinResolvedRequestOptions(#3757) (ab2b315) by @inas-sirhanoutput: fix: surface postprocess errors (#3683) (
e69d79f) by @copilot-swe-agentplugin(@hey-api/client-angular): fix: narrow
headerstoHeadersinResolvedRequestOptions(#3757) (4ee9bd3) by @inas-sirhanplugin(@hey-api/client-ofetch): fix: narrow
headerstoHeadersinResolvedRequestOptions(#3757) (4f5afb9) by @inas-sirhanconfig: warn on duplicated plugin configurations (#3753) (
e78ce75) by @inas-sirhanUpdated Dependencies:
v0.96.0Minor Changes
e930278) by @mrlubosPatch Changes
plugin(@hey-api/client-axios): simplify SSE line endings normalization (#3686) (
c9c1d44) by @mrlubosplugin(@hey-api/client-fetch): simplify SSE line endings normalization (#3686) (
c9c1d44) by @mrlubosparser: fix: keep orphans when explicitly included in filters (#3714) (
8e2c4b1) by @mrlubosplugin(@hey-api/client-next): simplify SSE line endings normalization (#3686) (
c9c1d44) by @mrlubosplugin(@hey-api/client-nuxt): simplify SSE line endings normalization (#3686) (
c9c1d44) by @mrluboscli: improve error message on invalid input (#3679) (
b643d7d) by @mrlubosplugin(@angular/common): fix: requests and resources broken default configuration (#3678) (
7ad5a2c) by @copilot-swe-agentplugin(@hey-api/client-ky): simplify SSE line endings normalization (#3686) (
c9c1d44) by @mrlubosplugin(@hey-api/transformers): fix: return value for primitive array entries (#3733) (
43ff064) by @copilot-swe-agentplugin(@hey-api/client-angular): simplify SSE line endings normalization (#3686) (
c9c1d44) by @mrlubosplugin(@hey-api/client-ofetch): simplify SSE line endings normalization (#3686) (
c9c1d44) by @mrlubosparser: fix: process enum metadata (#3727) (
397b63f) by @copilot-swe-agentUpdated Dependencies:
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.