Skip to content

deps: patch Dependabot security alerts (angular & react-native)#259

Merged
ksroda-sa merged 1 commit into
mainfrom
deps/fix-dependabot-vulns
Jun 17, 2026
Merged

deps: patch Dependabot security alerts (angular & react-native)#259
ksroda-sa merged 1 commit into
mainfrom
deps/fix-dependabot-vulns

Conversation

@ksroda-sa

Copy link
Copy Markdown
Collaborator

Clears the open Dependabot vulnerability alerts. All affected packages are dev/build-time dependencies (none ship in the built apps).

Changes

react-native (login-pkce, token-refresh) — transitive deps re-resolved in range (yarn up -R), lockfile only:

angular (login-pkce, token-refresh) — @angular/build@22.0.1 (latest) exact-pins the vulnerable versions, so added resolutions to force the patches:

react / vue — already on vite 8.0.16 on main; those alerts are stale and should auto-close. No changes.

Verification

  • Both angular samples: ng build ✅ and vitest ✅ (3 tests pass) with the forced versions.
  • react-native: lockfile re-resolve only; unrelated ws 6.x / js-yaml 3.x lines left untouched.

🤖 Generated with Claude Code

react-native (login-pkce, token-refresh): re-resolve transitive deps to the
patched versions in range — ws 7.5.10 -> 7.5.11 (GHSA-96hv-2xvq-fx4p, high),
js-yaml 4.1.1 -> 4.2.0 (GHSA-h67p-54hq-rp68, medium).

angular (login-pkce, token-refresh): @angular/build@22.0.1 exact-pins the
vulnerable vite/esbuild/@babel/core and is the latest release, so add
`resolutions` to force the patched versions:
  - vite 7.3.2 -> 7.3.5 and 8.0.10 -> 8.0.16 (GHSA-fx2h-pf6j-xcff high,
    GHSA-v6wh-96g9-6wx3 medium)
  - esbuild 0.27.7/0.28.0 -> 0.28.1 (GHSA-gv7w-rqvm-qjhr high,
    GHSA-g7r4-m6w7-qqqr low)
  - @babel/core 7.29.0 -> 7.29.6 (GHSA-4x5r-pxfx-6jf8 low)

All are dev/build-time deps (not shipped in built apps). Verified: both
angular samples `ng build` and vitest pass. react/vue already on vite 8.0.16.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates Yarn lockfiles (and adds Yarn resolutions for the Angular samples) to clear Dependabot security alerts affecting dev/build-time dependencies across the sample apps.

Changes:

  • React Native samples: bump transitive js-yaml to 4.2.0 and ws to 7.5.11 via lockfile re-resolve.
  • Angular samples: add resolutions to force patched vite, esbuild, and @babel/core, and update lockfiles accordingly.

Reviewed changes

Copilot reviewed 2 out of 6 changed files in this pull request and generated no comments.

Show a summary per file
File Description
samples/react-native/token-refresh/yarn.lock Updates transitive js-yaml and ws versions to patched releases.
samples/react-native/login-pkce/yarn.lock Updates transitive js-yaml and ws versions to patched releases.
samples/angular/token-refresh/package.json Adds Yarn resolutions to force patched vite, esbuild, and @babel/core.
samples/angular/token-refresh/yarn.lock Lockfile updates reflecting the forced patched dependency versions.
samples/angular/login-pkce/package.json Adds Yarn resolutions to force patched vite, esbuild, and @babel/core.
samples/angular/login-pkce/yarn.lock Lockfile updates reflecting the forced patched dependency versions.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@ksroda-sa ksroda-sa marked this pull request as ready for review June 16, 2026 11:17
@ksroda-sa ksroda-sa merged commit d7b689c into main Jun 17, 2026
24 checks passed
@ksroda-sa ksroda-sa deleted the deps/fix-dependabot-vulns branch June 17, 2026 10:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants