[WIP] Analysis only for Dependabot alerts in yarn/npm ecosystem #1869
Closed
Copilot wants to merge 1 commit into
Conversation
Thanks for asking me to work on this. I will get started on it and keep this PR's description up to date as I form a plan and make progress.
Original prompt
User requested analysis-only guidance (no PRs/issues) for Dependabot alerts in VATSIM-UK/uk-controller-api focusing on yarn/npm ecosystem. Do not create PR. No code changes requested.
The following is the prior conversation context from the user's chat exploration (may be truncated):
User: I need to get rid of the security issues such as
@semantic-release/github@12.0.6 requires undici@^7.0.0
semantic-release@25.0.2 requires undici@^7.0.0 via a transitive dependency on @semantic-release/github@12.0.6
semantic-release@25.0.2 requires undici@^5.28.5 via a transitive dependency on @actions/http-client@3.0.1
Assistant: You can't "migrate away" from those particular issues by swapping Commitizen: those warnings are coming from your release tooling dependency graph (semantic-release + @semantic-release/github + GitHub Actions libraries), and the fix is to update the semantic-release toolchain (and/or pin/override `undici`) so you're no longer pulling vulnerable/flagged `undici` majors.

Based on what you pasted, you currently have:

- `@semantic-release/github@12.0.6` → requires `undici@^7`
- `semantic-release@25.0.2` → pulls `@semantic-release/github@12.0.6` → `undici@^7`
- `semantic-release@25.0.2` → also pulls `@actions/http-client@3.0.1` → `undici@^5.28.5`

What to do (in order of "cleanest")

1) Upgrade semantic-release + @semantic-release/github (best fix)

This is the most correct remediation because it updates the packages that declare those dependencies.

In `package.json` `devDependencies`, bump at least:

- `semantic-release`
- `@semantic-release/github`

And ideally bump the whole semantic-release plugin set together:

- `@semantic-release/commit-analyzer`
- `@semantic-release/release-notes-generator`
- `@semantic-release/changelog`
- `@semantic-release/git`
- `@semantic-release/github`
- `semantic-release`

Then run `yarn install` and re-check the tree (`yarn why undici`) to confirm you're no longer stuck on old/vulnerable ranges.

Why this works: newer versions often update their dependency constraints and/or update transitive GitHub Action libs.

If you tell me what package manager version you're using (Yarn classic vs Berry) I can give exact commands; generally:

2) If you can't upgrade, force a safe `undici` via overrides/resolutions

If you're blocked from upgrading semantic-release right now, you can often mitigate by forcing a newer patched `undici` version across the tree.

Yarn classic (v1): use `resolutions`

Add to `package.json`:

…but note: this won't fix the `undici@^5.28.5` path unless Yarn can legally unify it. If a dependency is truly constrained to `^5`, Yarn may keep `5.x` alongside `7.x`.

Yarn Berry (v2+): use `resolutions` / `packageExtensions`

Berry gives you more control, but same fundamental constraint issue: you can't force a dependency outside its allowed semver range without risking breakage.

So: overrides are a stopgap, not the preferred fix.

3) Reduce dependency surface: remove `@semantic-release/github` (only if acceptable)

If your release process doesn't actually need GitHub Releases / PR comments / assets, you can drop `@semantic-release/github` from your semantic-release plugins list. That would remove one major consumer of `undici`.

But your config currently uses `@semantic-release/github`, and your workflow uses tokens; you probably do want GitHub Releases. So consider this only if you're okay with "tags + changelog commit" but not GitHub Releases.

What I need from you to make this precise

To recommend the exact upgrade targets (and avoid breaking changes), I need one of:

- `yarn.lock` (or at least the `undici`, `@semantic-release/github`, `@actions/http-client` sections), or

With that, I can give you an exact minimal-change plan like:

- `resolutions` stanza that actually unifies the tree.

Also: the snippet you posted includes `actions/checkout@v6` and `actions/setup-node@v6` in workflows; those `@v6` tags don't look right (current major versions have historically been lower). If those are real in your repo, that's another potential supply-chain/security issue worth correcting, but we should verify against the repo state you're actually running.

User: how to bump all dependencies
Assistant: To bump all dependencies in `VATSIM-UK/uk-controller-api`, do it at two levels:

This pull request was created from Copilot chat.
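The two checks the assistant's reply leans on, re-checking the tree with `yarn why undici` and the caveat that a `resolutions` pin cannot legally unify a dependency constrained to `^5` with one constrained to `^7`, as an added example that is not part of the PR, the chat above, or the uk-controller-api project. It parses a Yarn classic (v1) lockfile and reports, per resolved `undici` version, which packages pulled it in and whether a proposed pin satisfies every declared range. The lockfile text is constructed for the demo (the `7.2.0` version and the omitted `resolved`/`integrity` fields are assumptions), and `parseYarnLockV1`, `whyPackage`, `satisfies` and `checkResolution` are names chosen here, not Yarn APIs.

```javascript
// Added example, not code from the PR or the uk-controller-api project: parse a
// Yarn classic (v1) lockfile, answer `yarn why <pkg>`, and test a resolutions pin.

// Constructed lockfile for the demo (resolved/integrity fields omitted; the
// 7.x version number is assumed, not taken from the real repository).
const SAMPLE_LOCK = `# yarn lockfile v1
"@actions/http-client@^3.0.0":
  version "3.0.1"
  dependencies:
    undici "^5.28.5"
"@semantic-release/github@^12.0.0":
  version "12.0.6"
  dependencies:
    undici "^7.0.0"
undici@^5.28.5:
  version "5.28.5"
undici@^7.0.0:
  version "7.2.0"
`;

const unquote = (s) => s.replace(/^"|"$/g, '');

// Split "name@range" at the last "@" so scoped packages keep their "@scope/".
function splitKey(key) {
  const i = key.lastIndexOf('@');
  return { name: key.slice(0, i), range: key.slice(i + 1) };
}

// Minimal v1 parser: top-level "name@range" headers (comma-separated when several
// ranges resolve to one version), a version line, an indented dependencies block.
function parseYarnLockV1(text) {
  const entries = [];
  let current = null, inDeps = false;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const indent = raw.length - raw.trimStart().length;
    if (indent === 0 && line.endsWith(':')) {
      const keys = line.slice(0, -1).split(',').map((k) => unquote(k.trim()));
      current = { name: splitKey(keys[0]).name, keys, version: null, dependencies: {} };
      entries.push(current);
      inDeps = false;
    } else if (indent === 2 && line.startsWith('version ')) {
      current.version = unquote(line.slice('version '.length));
      inDeps = false;
    } else if (indent === 2) {
      inDeps = line === 'dependencies:'; // resolved, integrity, ... are skipped
    } else if (indent === 4 && inDeps) {
      const m = line.match(/^"?([^"\s]+)"?\s+"?([^"]+)"?$/);
      if (m) current.dependencies[m[1]] = m[2];
    }
  }
  return entries;
}

// Like `yarn why`: map each resolved version of pkg to the dependents (and the
// range each declared) that pulled it in. Two keys in the result means a split tree.
function whyPackage(entries, pkg) {
  const versionOf = {}; // "name@range" -> resolved version
  for (const e of entries) for (const k of e.keys) versionOf[k] = e.version;
  const byVersion = {};
  for (const e of entries) {
    const range = e.dependencies[pkg];
    if (!range) continue;
    const v = versionOf[`${pkg}@${range}`];
    (byVersion[v] = byVersion[v] || []).push(`${e.name}@${e.version} (${range})`);
  }
  return byVersion;
}

const parseVersion = (s) => { const [major, minor, patch] = s.split('.').map(Number); return { major, minor, patch }; };
const cmp = (a, b) => a.major - b.major || a.minor - b.minor || a.patch - b.patch;

// Deliberately small range check: exact versions and caret ranges only, which is
// all the sample uses. Not a full semver implementation.
function satisfies(version, range) {
  const v = parseVersion(version);
  if (!range.startsWith('^')) return cmp(v, parseVersion(range)) === 0;
  const lo = parseVersion(range.slice(1));
  // ^X.Y.Z with X > 0 allows >= X.Y.Z and < (X+1).0.0; ^0.Y.Z stays within 0.Y.
  const hi = lo.major > 0 ? { major: lo.major + 1, minor: 0, patch: 0 }
                          : { major: 0, minor: lo.minor + 1, patch: 0 };
  return cmp(v, lo) >= 0 && cmp(v, hi) < 0;
}

// Would `"resolutions": { [pkg]: pin }` unify the tree, or force some dependent
// outside the range it declared (the ^5 vs ^7 situation in the thread)?
function checkResolution(entries, pkg, pin) {
  const out = { pin, satisfied: [], violated: [] };
  for (const e of entries) {
    const range = e.dependencies[pkg];
    if (!range) continue;
    const claim = `${e.name}@${e.version} requires ${pkg}@${range}`;
    (satisfies(pin, range) ? out.satisfied : out.violated).push(claim);
  }
  return out;
}
```

Run `whyPackage(parseYarnLockV1(SAMPLE_LOCK), 'undici')` to see the split tree (one dependent on `5.28.5`, one on `7.2.0`), then `checkResolution(..., 'undici', '7.2.0')`: the `@semantic-release/github` range is satisfied, the `@actions/http-client` range `^5.28.5` is violated, which is exactly why a blanket pin is a stopgap and upgrading the packages that declare the ranges is the real fix. For a real repository, replace `SAMPLE_LOCK` with the contents of `yarn.lock`; the caret-only range check is enough for these entries but a production tool should use a full semver library.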