fix: deps upgrade, proper prettier types, expose augmented ast types

[Copilot]

koa < 3.1.2 allows Host Header Injection via ctx.hostname, enabling attacks like password reset poisoning and OAuth callback manipulation. Affected version (3.1.1) enters the dependency graph via rulesync → fastmcp → mcp-proxy → pipenet → koa.

Changes

• package.json — adds pnpm.overrides to force koa to >=3.1.2 across all transitive resolutions
• pnpm-lock.yaml — updated to resolve koa@3.1.2

"pnpm": {
  "overrides": {
    "koa": ">=3.1.2"
  }
}

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Vulnerability in ripple project</issue_title>
<issue_description>While working on ripple project, I identified CVE-2026-27959 affecting the Koa package. The issue is caused by improper parsing of the HTTP Host header in the ctx.hostname API, where malformed values containing special characters can manipulate the resolved hostname. This could enable attacks such as password reset poisoning, email verification bypass, and OAuth callback manipulation, potentially leading to account compromise.

CVE Link
CVE Report</issue_description>

Comments on the Issue (you are @copilot in this section)

Custom agent used: Ripple
An AI assistant specialized in the Ripple TypeScript UI framework

• Fixes Vulnerability in ripple project #780

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

---

Note

Medium Risk
Touches formatting/printing logic and AST typing across the Prettier and ESLint plugins, which can change output and lint behavior across many files despite being largely type/compatibility driven.

Overview
Updates build/tooling dependencies and bundler configs (Tree-sitter node-addon-api/tree-sitter-cli/node-gyp, Rollup plugin deps, and multiple tsdown configs) to newer versions and more explicit output settings.

Exposes Ripple’s augmented compiler AST typings as public ripple/types/* exports (new estree, estree-jsx, acorn re-export .d.ts files) and shifts downstream packages (eslint-plugin, prettier-plugin) off direct estree/estree-jsx types to these unified types.

Refactors the Prettier plugin to use the new typed AST surface (e.g., start/end locations, comment handling, rest parameter/type annotation printing, JSX namespaced tag printing, and TS mapped modifier handling) and adds regression tests for rest params, mapped modifiers, and namespaced tags.

^{Written by Cursor Bugbot for commit ca77822. Configure here.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
new-website	Ready	Preview, Comment	Mar 5, 2026 1:44am
ripple	Ready	Preview, Comment	Mar 5, 2026 1:44am

[leonidaz]

@copilot what package has this koa dependency?

[Copilot]

@copilot what package has this koa dependency?

The koa dependency comes in transitively through the rulesync dev dependency:

rulesync → fastmcp → mcp-proxy → pipenet → koa@3.1.1

rulesync is used in the root package.json to generate AI agent instruction files (e.g., CLAUDE.md, AGENTS.md).

[leonidaz]

@cursor review

we should probably try upgrading rulesync to 7.12.2 in the pnpm-workspace.yaml

[leonidaz]

@cursor review

and make changes as commits to this branch

[leonidaz]

@cursor review

[leonidaz]

@cursor review

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}