Skip to content

[DPEDE-1784](deps-dev): Bump fast-uri from 3.1.0 to 3.1.2#2045

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot-npm_and_yarn-fast-uri-3.1.2
Open

[DPEDE-1784](deps-dev): Bump fast-uri from 3.1.0 to 3.1.2#2045
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot-npm_and_yarn-fast-uri-3.1.2

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 9, 2026

Copy link
Copy Markdown
Contributor

Bumps fast-uri from 3.1.0 to 3.1.2.

Release notes

Sourced from fast-uri's releases.

v3.1.2

⚠️ Security Release

What's Changed

Full Changelog: fastify/fast-uri@v3.1.1...v3.1.2

v3.1.1

⚠️ Security Release

What's Changed

New Contributors

Full Changelog: fastify/fast-uri@v3.1.0...v3.1.1

Commits
  • 919dd8e Bumped v3.1.2
  • c65ba57 fixup: linting
  • 6c86c17 Merge commit from fork
  • a95158a Handle malformed fragment decoding without throwing (#171)
  • cea547c Bumped v3.1.1
  • 876ce79 Merge commit from fork
  • dcdf690 ci: add lock-threads workflow (#169)
  • c860e65 build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 (#167)
  • 9b4c6dc build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml (#166)
  • 85d09a9 build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-mana...
  • Additional commits viewable in compare view

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 9, 2026
@dependabot
dependabot Bot requested a review from a team as a code owner May 9, 2026 02:28
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 9, 2026
@lumen-jenkins-prod

Copy link
Copy Markdown

The CI pipeline did not run successfully in https://jenkinsprod.corp.intranet:8443/job/UX-CHI/job/Productive/job/Chi/job/PR-2045/1/. ❌

Bumps [fast-uri](https://github.com/fastify/fast-uri) from 3.1.0 to 3.1.2.
- [Release notes](https://github.com/fastify/fast-uri/releases)
- [Commits](fastify/fast-uri@v3.1.0...v3.1.2)

---
updated-dependencies:
- dependency-name: fast-uri
  dependency-version: 3.1.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
dependabot Bot force-pushed the dependabot-npm_and_yarn-fast-uri-3.1.2 branch from 538ccfe to ac34e77 Compare May 14, 2026 10:32
@lumen-jenkins-prod

Copy link
Copy Markdown

The CI pipeline did not run successfully in https://jenkinsprod.corp.intranet:8443/job/UX-CHI/job/Productive/job/Chi/job/PR-2045/2/. ❌

@cl-aifel-test

cl-aifel-test Bot commented Jun 29, 2026

Copy link
Copy Markdown

🔖 aifel-verdict — AiFEL dependency-triage verdict (schema 1.1)

AiFEL verdict — 🚨 Escalate (ci-health) — human review required

Patch bump of fast-uri 3.1.0→3.1.2 fixes 2 high-severity CVEs (CVSS 7.5 each) with no breaking changes and no in-repo usage; escalated solely because the repository's overall critical-CI pass rate is 64.3%, driven by failing Dependabot update workflows for unrelated packages.

TL;DR

  • Merge: 🔍 review, then merge — The dependency and security axes are both clean; the only escalation trigger is CI health. A reviewer should confirm the failing CI runs are unrelated to this fast-uri bump before merging.
  • Breaks your code? ✅ Most likely not — fast-uri is not directly imported anywhere in this repo.
  • Security? ✅ This bump fixes GHSA-v39h-62p7-jpjc and GHSA-q3j6-qgpj-74h6 (CVSS 7.5 each); none still affect 3.1.2.
  • Update: fast-uriyou have 3.1.0, this PR installs 3.1.2 (patch, spans 2 releases). Fixes 2 high-severity URI-parsing advisories; no code impact.
Signal Value Interpretation
Bump type patch Semver patch (z-only: 3.1.0→3.1.2); patch bumps are API-compatible bug-fix-only releases by convention. Both intermediate releases are labeled ⚠️ Security Release with no API changes.
Dependency risk low Patch bump; the v3.1.1 and v3.1.2 changelogs contain only security fixes — no API surface changes. fast-uri is not imported in this repo, so blast radius is zero regardless.
Security risk low Two high-severity advisories (CVSS 7.5 each) existed against the old version; this bump resolves both. No advisory affects 3.1.2. See Security advisories below.
CI health risk high 28 critical runs scored; pass 64.3%, flaky 0% → ci_confidence: low. The core master-branch checks ("Push on master" 9/9 ✅, "Scheduled" 2/2 ✅) are fully green; the failing runs are Dependabot update workflows for unrelated packages (nuxt, vite, @babel/preset-env, etc.) that were classified as critical.
API usage in repo false Scanned all import forms (import … from 'fast-uri', require('fast-uri'), dynamic import('fast-uri'), re-export export … from 'fast-uri'); 0 hits across the full repo — package is not used directly in source.
Cross-repo signal standalone No publishable root manifest found in this repo; it does not produce a library package.
Data completeness complete All 5 signals obtained: classification ✅, API usage ✅, release notes ✅, CI health ✅, cascade ✅.
📋 Why this route + what AiFEL checked (click to expand)

Why this route?

escalate because: CI health confidence is low — critical pass_rate is 64.3%, below the 70% threshold for spot_check.

Escalation category: ci-health — Dependency risk and security risk are both low; this is a straightforward security patch with no code impact. The sole escalation trigger is the CI pass rate. Notably, the "Push on master" workflow (the actual build/test suite) passes 100% (9/9 runs), as do the "Scheduled" runs (2/2). The failing critical runs are all Dependabot update workflows for other packages.

Confidence breakdown — score: 0.85.

  • ✅ Patch classification — highest-confidence bump type; no API changes expected.

  • ✅ No in-repo usage of fast-uri — blast radius is zero regardless of any change.

  • ✅ Both advisories fixed by this bump; none remain open against 3.1.2.

  • ✅ Changelog confirms pure security fixes (no API changes in either v3.1.1 or v3.1.2).

  • ✅ No cascade conflicts — no competing open Dependabot PRs for fast-uri.

  • ⚠️ CI low (pass_rate 64.3%): −0.15.

  • 💡 To reach a lower route: The pass rate is dragged below 70% by failing Dependabot update workflows for other packages (nuxt, vite, etc.) — not by this repo's own test/build jobs. Once those other open Dependabot PRs are resolved or closed, the critical pass_rate should recover above 70% and future patches like this would route spot_check or auto_eligible. Confirming the currently failing workflows are unrelated to this fast-uri change is sufficient for a reviewer to proceed with merging.

What AiFEL checked

  1. Triage — classified patch (fast-uri 3.1.0→3.1.2).
  2. Symbol extraction — 0 import sites across 0 files; fast-uri is not directly used in source.
  3. Release-notes comparator — v3.1.1 and v3.1.2 are both labeled ⚠️ Security Release; no API or behavior changes outside the security fixes. v3.1.1 fixes GHSA-q3j6-qgpj-74h6 (path traversal via percent-encoded dot segments); v3.1.2 fixes GHSA-v39h-62p7-jpjc (host confusion via percent-encoded authority delimiters). No used-symbol impact (zero usage).
  4. CI health — 28 critical runs: pass 64.3%, flaky 0% → confidence low; informational excluded: none.
  5. Cascade coordinator — 0 conflicts.
  6. Data completeness — obtained 5/5 signals; missing: none.

Will merging break your code?

Per AiFEL analysis, most likely won't impact your code. fast-uri is not imported anywhere in this repo's source, so no usage site is exposed to any change between 3.1.0 and 3.1.2.

Security advisories

✅ This bump resolves all 2 known advisories and none affect 3.1.2 — clear on the security axis.

Resolved by this bump (2): GHSA-v39h-62p7-jpjc, GHSA-q3j6-qgpj-74h6 — no action needed (highest was CVSS 7.5).

Packages — what you have vs what this PR installs

Ecosystem Package You have This PR installs What changes for you
npm fast-uri 3.1.0 3.1.2 Fixes 2 high-severity advisories (CVSS 7.5 each); routine security patch — no code impact

Machine-readable verdict
{
  "schema_version": "1.1",
  "classification": "patch",
  "risk_band": "low",
  "ci_confidence": "low",
  "decision_route": "escalate",
  "data_completeness": "complete",
  "escalate_reason": "risk",
  "missing_signals": [],
  "confidence": 0.85,
  "packages": [
    {
      "ecosystem": "npm",
      "name": "fast-uri",
      "old_version": "3.1.0",
      "new_version": "3.1.2"
    }
  ],
  "breaking_changes": [],
  "cascade_conflicts": [],
  "summary": "Patch bump of fast-uri 3.1.0→3.1.2 fixes 2 high-severity advisories (CVSS 7.5 each) with no code impact; escalated solely due to CI health confidence being low (pass_rate 64.3%, driven by failing Dependabot update workflows for unrelated packages).",
  "upgrade_risk_note": null,
  "cross_repo_signal": "standalone",
  "api_usage_found": false,
  "advisory_ids": [],
  "max_cvss": null,
  "feedback_capture_marker": "aifel-CenturyLink-Chi-2045",
  "agent_version": "1.1.1-aw"
}

🤖 Generated by AiFEL — AI-assisted Dependabot triage. Advisory only; a human reviewer still decides and merges.
📝 Share your AiFEL experience

@cl-aifel-test cl-aifel-test Bot added the aifel/escalate AiFEL: human review required (breaking change or risk) label Jun 29, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

aifel/escalate AiFEL: human review required (breaking change or risk) dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants