Skip to content

chore(deps): bump vulnerable transitives to address Dependabot alerts#14811

Merged
osama-rizk merged 1 commit into
mainfrom
security/dependabot-alerts-batch
May 12, 2026
Merged

chore(deps): bump vulnerable transitives to address Dependabot alerts#14811
osama-rizk merged 1 commit into
mainfrom
security/dependabot-alerts-batch

Conversation

@osama-rizk

Copy link
Copy Markdown
Contributor

Summary

Closes all 6 open Dependabot security alerts in a single lockfile-only update. Each vulnerable transitive is re-resolved within its existing semver range to pull in the patched version.

Bumps

Package Before After Alerts Severity
uuid 11.1.0 11.1.1 #226 (GHSA-w5hq-g745-h8pq) medium
fast-uri 3.0.6 3.1.2 #229, #230 high
fast-xml-builder 1.1.5 1.2.0 #227, #228 high / medium
@babel/plugin-transform-modules-systemjs 7.27.1 7.29.4 #231 high

uuid is intentionally kept on the 11.x line (patch bump 11.1.0 → 11.1.1) rather than the cross-major 14.0.0 jump Dependabot proposed in #14797, to avoid breaking-change risk for downstream consumers.

The @babel/plugin-transform-modules-systemjs upgrade transitively pulls forward several Babel sub-deps (@babel/parser, @babel/traverse, @babel/types, @babel/helper-module-transforms, etc.) and @jridgewell/* mappers. All collateral bumps are forward-only and stay within their existing semver ranges.

Supersedes Dependabot PRs #14797, #14806, #14807, #14808.

Test plan

  • yarn install --frozen-lockfile passes (lockfile internally consistent)
  • CI is green
  • Dependabot alerts auto-close after merge

🤖 Generated with Claude Code

@osama-rizk
osama-rizk requested a review from a team as a code owner May 12, 2026 09:35
@changeset-bot

changeset-bot Bot commented May 12, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: 6092ab1

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

Re-resolves four transitive dependencies within their existing semver
ranges to pull in versions that close the open Dependabot alerts:

- uuid 11.1.0 -> 11.1.1 (GHSA-w5hq-g745-h8pq)
- fast-uri 3.0.6 -> 3.1.2 (GHSA-q3j6-qgpj-74h6, GHSA-v39h-62p7-jpjc)
- fast-xml-builder 1.1.5 -> 1.2.0 (GHSA-45c6-75p6-83cc, GHSA-5wm8-gmm8-39j9)
- @babel/plugin-transform-modules-systemjs 7.27.1 -> 7.29.4 (GHSA-fv7c-fp4j-7gwp)

Lockfile-only change; no package.json or source modifications.
@osama-rizk
osama-rizk force-pushed the security/dependabot-alerts-batch branch from a2958cc to 6092ab1 Compare May 12, 2026 09:39
@osama-rizk
osama-rizk merged commit 2c2e3ac into main May 12, 2026
41 checks passed
@osama-rizk
osama-rizk deleted the security/dependabot-alerts-batch branch May 12, 2026 14:35
soberm added a commit that referenced this pull request May 27, 2026
Bumps uuid minimum from ^11.0.0 to ^11.1.1 in @aws-amplify/core to
address CVE-2026-41907 (GHSA-w5hq-g745-h8pq): missing buffer bounds
check in uuid v3/v5/v6 API methods when an external output buffer is
provided.

The lockfile already resolved to 11.1.1 (via #14811), but the
package.json range still permitted resolution to vulnerable versions.
This change raises the floor to prevent regression.
soberm added a commit that referenced this pull request May 27, 2026
fix(deps): bump uuid to ^11.1.1 to fix CVE-2026-41907

Bumps uuid minimum from ^11.0.0 to ^11.1.1 in @aws-amplify/core to
address CVE-2026-41907 (GHSA-w5hq-g745-h8pq): missing buffer bounds
check in uuid v3/v5/v6 API methods when an external output buffer is
provided.

The lockfile already resolved to 11.1.1 (via #14811), but the
package.json range still permitted resolution to vulnerable versions.
This change raises the floor to prevent regression.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants