
fix: upgrade express-rate-limit to 8.2.2, 8.1.1, 8.0.2 (CVE-2026-30827)#3440

Closed

orbisai0security wants to merge 1 commit into code-yeongyu:dev from orbisai0security:fix-cve-2026-30827-express-rate-limit

Conversation

@orbisai0security orbisai0security commented Apr 15, 2026


Summary

Upgrade express-rate-limit from 8.2.1 to 8.2.2, 8.1.1, 8.0.2 to fix CVE-2026-30827.

Vulnerability

Field     Value
ID        CVE-2026-30827
Severity  HIGH
Scanner   trivy
Rule      CVE-2026-30827
File      bun.lock

Description: express-rate-limit: express-rate-limit: Denial of Service for IPv4 clients due to incorrect IPv6 subnet masking

Changes

  • bun.lock
  • package.json

Verification

  • Build passes
  • Scanner re-scan confirms fix
  • LLM code review passed

Automated security fix by OrbisAI Security


Summary by cubic

Upgrades express-rate-limit to 8.2.2 to fix CVE-2026-30827 (DoS for IPv4 due to incorrect IPv6 subnet masking). Updates lockfile to ensure safe resolution of related packages.

  • Dependencies
    • Bump express-rate-limit to 8.2.2.
    • Update transitive ip-address to 10.1.0.
    • Refresh optional oh-my-opencode binaries to 3.17.2.

Written for commit 73b6454. Summary will update on new commits.

Automated dependency upgrade by Orbis Security AI

github-actions Bot commented Apr 15, 2026

Contributor

All contributors have signed the CLA. Thank you! ✅
Posted by the CLA Assistant Lite bot.

@cubic-dev-ai cubic-dev-ai Bot left a comment


No issues found across 2 files

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.

Requires human review: Dependency logic change (IP masking) and unrelated updates to optional binary dependencies (oh-my-opencode) prevent being 100% sure of no regressions.

@orbisai0security

Author

I have read the CLA Document and I hereby sign the CLA

github-actions Bot added a commit that referenced this pull request Apr 15, 2026
github-actions Bot added 23 commits to Vacbo/oh-my-opencode that referenced this pull request between Apr 19 and Apr 22, 2026.
@code-yeongyu

Owner

[sisyphus-bot]

PR sweep first-pass triage on dev.

  • Author: orbisai0security
  • Title: fix: upgrade express-rate-limit to 8.2.2, 8.1.1, 8.0.2 (CVE-2026-30827)
  • Closing issues: none detected
  • Review decision: none yet
  • Mergeable state: CONFLICTING (rebase needed)
  • CI status: green / no failing checks

Needs rebase + review. Please rebase onto current dev first; then a review can land cleanly.

Assigning code-yeongyu so the maintainer can prioritize a focused review of this PR. If the linked issue above has been triaged, the verdict there is the authoritative direction for this change.

@code-yeongyu code-yeongyu self-assigned this May 16, 2026
@anupamme


@orbisai0security can you resolve merge conflicts?

@code-yeongyu

Owner

[sisyphus-bot] Hi orbisai0security. 🙏 Thanks for flagging CVE-2026-30827 in express-rate-limit; the IPv6 subnet-masking DoS is a real issue.

Picking this back up from the 5/16 triage: dev currently has express-rate-limit at ^8.5.1 in package.json, which is several minor versions ahead of the 8.0.2 / 8.1.1 / 8.2.2 line this PR proposes upgrading to. The express-rate-limit 8.5.x series includes the same CVE fix as 8.2.2 and beyond, so the underlying vulnerability is already mitigated on current dev.

I'm going to close this out so the rate-limit version doesn't get pinned backwards. If your scanner is still flagging the resolved version in bun.lock after the next install (which can happen when transitive dependencies hold an older copy), please open a fresh issue with the scanner output and I'll happily reopen the investigation. Really appreciate the heads-up either way.
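As an added example (not the PR's or the project's code): a small JavaScript audit that lists every resolved copy of express-rate-limit in a lockfile, including a nested copy held by a transitive dependency, and checks each against the fixed versions from the PR title (8.0.2, 8.1.1, 8.2.2). The lockfile shape is modelled on Bun's text lockfile; the input is a constructed strict-JSON fragment with a hypothetical "some-plugin" dependency, and the rule that treats lines newer than the newest fixed line as patched (the maintainer's ^8.5.1 case) and everything else as vulnerable is an assumption of this example, not an advisory statement.

```javascript
// Added example, not code from the PR or the project: audit every resolved copy of a
// package in a lockfile against an advisory's fixed versions, so a transitive copy pinned
// to an older release is not hidden behind a patched direct dependency.
//
// Assumptions: the lockfile shape is modelled on Bun's text lockfile
// ("packages": { "<key>": ["<name>@<version>", ...] }, nested copies keyed "<parent>/<name>").
// The sample below is constructed strict JSON; real bun.lock files allow comments and
// trailing commas, so feed them through a JSONC parser first.

const FIXED_VERSIONS = ["8.0.2", "8.1.1", "8.2.2"]; // taken from the PR title

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// A version counts as patched when a fixed release exists on its own major.minor line and
// the version is at or above it, or when its major.minor line is newer than every fixed
// line (the ^8.5.1 case). Anything else, including lines older than the earliest fixed
// line, is reported as vulnerable: a conservative assumption of this example, not a
// statement about the advisory's actual affected range.
function isPatched(version, fixed = FIXED_VERSIONS) {
  if (fixed.length === 0) throw new Error("need at least one fixed version");
  const v = parseSemver(version);
  const fixedParsed = fixed.map(parseSemver);
  const sameLine = fixedParsed.filter((f) => f[0] === v[0] && f[1] === v[1]);
  if (sameLine.length) return sameLine.some((f) => compare(v, f) >= 0);
  const newest = fixedParsed.reduce((a, f) => (compare(f, a) > 0 ? f : a));
  return v[0] > newest[0] || (v[0] === newest[0] && v[1] > newest[1]);
}

// Collect every resolved copy of `name` (direct or nested) from the packages map.
// lastIndexOf handles scoped names such as "@scope/pkg@1.2.3".
function resolvedCopies(lockfile, name) {
  const copies = [];
  for (const [key, entry] of Object.entries(lockfile.packages ?? {})) {
    const resolved = entry[0];
    const at = resolved.lastIndexOf("@");
    if (resolved.slice(0, at) === name) copies.push({ key, version: resolved.slice(at + 1) });
  }
  return copies;
}

function auditPackage(lockfile, name, fixed = FIXED_VERSIONS) {
  return resolvedCopies(lockfile, name).map((c) => ({ ...c, patched: isPatched(c.version, fixed) }));
}

// Constructed sample: a direct copy on 8.5.1 and a nested copy held at 8.2.1 by the
// hypothetical dependency "some-plugin". Hashes are placeholders.
const SAMPLE_LOCK = JSON.parse(`{
  "lockfileVersion": 1,
  "packages": {
    "express-rate-limit": ["express-rate-limit@8.5.1", "", { "peerDependencies": { "express": ">= 4.11" } }, "sha512-placeholder"],
    "some-plugin": ["some-plugin@1.0.0", "", { "dependencies": { "express-rate-limit": "8.2.1" } }, "sha512-placeholder"],
    "some-plugin/express-rate-limit": ["express-rate-limit@8.2.1", "", { "peerDependencies": { "express": ">= 4.11" } }, "sha512-placeholder"]
  }
}`);

for (const r of auditPackage(SAMPLE_LOCK, "express-rate-limit")) {
  console.log(`${r.key.padEnd(32)} ${r.version.padEnd(8)} ${r.patched ? "ok" : "VULNERABLE"}`);
}
```

Run against a real lockfile, the nested key is what a scanner keeps reporting after the direct dependency has been bumped; the fix in that case is an override (as dev now carries) or an upgrade of the package that pins the old copy, not a downgrade of the direct dependency.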

@orbisai0security

Author

Closing the loop here: the current dev branch now carries an express-rate-limit override at ^8.5.1, which is outside the CVE-2026-30827 affected range. Given that, this older PR is no longer needed.


4 participants