
chore: resolve open dependabot security alerts #421

Open

jonathannorris wants to merge 3 commits into main from chore/dependabot-alerts

Conversation

jonathannorris (Member) commented May 8, 2026

Summary

Adds overrides in package.json to require at least the patched version of transitive dependencies (within the current major). Note: webpack-dev-server alerts (#69, #70) require a major upgrade (4.x → 5.x) — blocked by @nx/webpack@17.3.2 which requires webpack-dev-server ^4.9.3.

Dependabot Alerts Resolved

| Alert | Package | Severity | Fix |
|---|---|---|---|
| #128 | serialize-javascript | high | Overridden to ^7.0.5 (RCE via RegExp/Date) |
| #158 | serialize-javascript | medium | Overridden to ^7.0.5 (CPU exhaustion DoS) |
| #153 | @tootallnate/once | low | Overridden to ^3.0.1 (Incorrect Control Flow) |
| #159 | fast-uri | high | Overridden to ^3.1.2 (path traversal via percent-encoded dots) |
| #160 | fast-uri | high | Overridden to ^3.1.2 (host confusion via percent-encoded delimiters) |
| #161 | @babel/plugin-transform-modules-systemjs | high | Overridden to ^7.29.4 (arbitrary code generation from malicious input) |

Unresolvable Alerts

| Alert | Package | Reason |
|---|---|---|
| #69, #70 | webpack-dev-server | Patched version is 5.2.1, but @nx/webpack@17.3.2 requires ^4.9.3; major upgrade needed |

Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>

gemini-code-assist (bot) left a comment


Code Review

This pull request updates several dependencies, including upgrading serialize-javascript to version 7.0.5 and @tootallnate/once to version 3.0.1, while adding minimatch and removing randombytes. Feedback highlights that the serialize-javascript upgrade introduces a breaking requirement for Node.js 20.0.0, which may impact environments on older LTS versions. Additionally, it is recommended to use caret ranges instead of the >= operator in the dependency overrides to ensure stability and prevent unintended major version upgrades.
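An override in package.json only helps if every installed copy of the package, nested duplicates included, actually moved to the patched version, and only stays safe if the range cannot float across a major. The following script is an added example, not code from this PR or the project: it scans a package-lock.json in the lockfileVersion 3 layout for copies of the alerted packages that are still below the patched floors listed in the PR description, and checks that an override range is caret-bounded rather than `>=`, which is the reviewer's point above. The lockfile fragment, the `some-plugin` package and the `example-app` name are constructed for the demonstration and are not the project's real lock.

```javascript
// Added example (not from the PR or the project): verify that npm "overrides"
// took effect by scanning a package-lock.json (lockfileVersion 3 layout) for
// installed copies of the alerted packages that are still below the patched
// floor, and flag override ranges that could float across a major version.
// Node.js only, no third-party modules.

// Minimum patched versions, taken from the PR description.
const PATCHED_FLOORS = {
  "serialize-javascript": "7.0.5",
  "@tootallnate/once": "3.0.1",
  "fast-uri": "3.1.2",
  "@babel/plugin-transform-modules-systemjs": "7.29.4",
};

// Split "MAJOR.MINOR.PATCH" into numbers; pre-release and build suffixes are
// dropped, which is sufficient for comparing released versions.
function parseVersion(v) {
  const parts = v.split(/[-+]/)[0].split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`not a MAJOR.MINOR.PATCH version: ${v}`);
  }
  return parts;
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Lockfile "packages" keys are install paths; the package name is whatever
// follows the last "node_modules/" (scoped names keep their "@scope/").
function packageNameFromPath(installPath) {
  const segments = installPath.split("node_modules/");
  return segments[segments.length - 1];
}

// Walk every installed copy, nested duplicates included, and return the ones
// that are older than the floor. An empty array means the overrides held.
function findUnpatched(lock, floors = PATCHED_FLOORS) {
  const findings = [];
  for (const [installPath, meta] of Object.entries(lock.packages || {})) {
    if (installPath === "") continue; // the root project entry
    const name = packageNameFromPath(installPath);
    const floor = floors[name];
    if (!floor || !meta.version) continue;
    if (compareVersions(meta.version, floor) < 0) {
      findings.push({ path: installPath, name, installed: meta.version, required: floor });
    }
  }
  return findings;
}

// A caret range such as "^7.0.5" stays within major 7; ">=7.0.5" would also
// accept 8.x and beyond, which is the reviewer's objection to ">=".
function isCaretBounded(range) {
  return /^\^\d+\.\d+\.\d+$/.test(range);
}

// Constructed lockfile fragment for demonstration (not the project's real
// lock): the top-level serialize-javascript is patched, but a nested copy
// under a hypothetical "some-plugin" package is still on 6.0.0.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "0.0.0" },
    "node_modules/serialize-javascript": { version: "7.0.5" },
    "node_modules/some-plugin": { version: "1.0.0" },
    "node_modules/some-plugin/node_modules/serialize-javascript": { version: "6.0.0" },
    "node_modules/fast-uri": { version: "3.1.2" },
    "node_modules/@tootallnate/once": { version: "3.0.1" },
    "node_modules/@babel/plugin-transform-modules-systemjs": { version: "7.29.4" },
  },
};

for (const f of findUnpatched(SAMPLE_LOCK)) {
  console.log(`${f.path}: ${f.installed} < ${f.required} (${f.name})`);
}
for (const [name, floor] of Object.entries(PATCHED_FLOORS)) {
  const range = `^${floor}`;
  console.log(`${name}: override ${range} caret-bounded=${isCaretBounded(range)}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with the parsed contents of that project's package-lock.json; a non-empty result from `findUnpatched` means a nested copy escaped the override and the alert is not actually closed.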

- fast-uri 3.1.0 -> 3.1.2 (high, alerts #159 #160)
- @babel/plugin-transform-modules-systemjs 7.29.0 -> 7.29.4 (high, alert #161)

Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
@jonathannorris jonathannorris marked this pull request as draft May 11, 2026 14:11
@jonathannorris jonathannorris marked this pull request as ready for review May 12, 2026 19:10

Copilot AI left a comment


Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds npm overrides to mitigate several Dependabot security alerts by forcing patched versions of vulnerable transitive dependencies.

Changes:

  • Added overrides for serialize-javascript, @tootallnate/once, fast-uri, and @babel/plugin-transform-modules-systemjs.
  • Kept existing test-exclude override (with minimatch) and extended the override list.

