
fix: address Dependabot security alerts #1534

Merged
maekawataiki merged 6 commits into main from fix/dependabot-security-updates on Apr 18, 2026

Conversation


@okamoto-aws okamoto-aws commented Apr 17, 2026

Summary

Address all open Dependabot security alerts and upgrade CI to Node.js 22 (current LTS).

Changes

1. Direct dependency updates

| Package | From | To | Locations |
|---|---|---|---|
| axios | ^1.13.5 | ^1.15.0 | cdk, web, browser-extension |
| vite | ^6.4.1 | ^6.4.2 | web, browser-extension |
| lodash-es | ^4.17.23 | ^4.18.0 | browser-extension |

2. Transitive dependency resolution (no overrides needed)

All transitive vulnerabilities are resolved naturally through the direct dependency updates and lock file regeneration:

| Package | Resolved Version | How |
|---|---|---|
| lodash | 4.18.1 | @aws-amplify/ui pins 4.18.1 directly; npm dedupes for all consumers |
| lodash-es | 4.18.1 | Same mechanism via Amplify |
| follow-redirects | 1.16.0 | axios 1.15.0 requires ^1.15.6, npm resolves to 1.16.0 |
| dompurify | 3.4.0 | mermaid requires ^3.0.5, npm resolves to 3.4.0 |
| fast-xml-parser | 5.5.8 | @aws-sdk/xml-builder pins 5.5.8 (above CVE fix 5.5.7, updated in SDK v3.1014.0) |

3. Python dependency pins

| Package | Version | Locations |
|---|---|---|
| python-multipart | >=0.0.26 | research-agent-core-runtime, generic-agent-core-runtime |
| cryptography | >=46.0.7 | research-agent-core-runtime, generic-agent-core-runtime |

4. CI modernization

| Item | From | To | Reason |
|---|---|---|---|
| Node.js | 18.x | 22.x | Node.js 18 reached EOL in April 2025 |
| actions/checkout | v3 | v4 | v3 uses deprecated Node.js 16 runner |
| actions/setup-node | v3 | v4 | v3 uses deprecated Node.js 16 runner |

5. Build fix

  • Added as ArrayBuffer cast in useSpeechToSpeech/index.ts to fix TypeScript error caused by vite 6.4.2 type change (Int16Array.buffer returns ArrayBufferLike instead of ArrayBuffer)

Addressed CVEs

| CVE | Package | Severity | Resolution |
|---|---|---|---|
| CVE-2025-62718 | axios | Medium | Direct update to 1.15.0 |
| CVE-2026-40175 | axios | Medium | Direct update to 1.15.0 |
| CVE-2026-39363 | vite | High | Direct update to 6.4.2 |
| CVE-2026-39365 | vite | Medium | Direct update to 6.4.2 |
| CVE-2026-4800 | lodash / lodash-es | High | Amplify pins 4.18.1 + lock file regen |
| CVE-2026-2950 | lodash / lodash-es | Medium | Amplify pins 4.18.1 + lock file regen |
| CVE-2026-33349 | fast-xml-parser | Medium | @aws-sdk pins 5.5.8 + lock file regen |
| CVE-2026-40347 | python-multipart | Medium | pyproject.toml pin |
| CVE-2026-39892 | cryptography | Medium | pyproject.toml pin |

Testing

  • npm ci
  • npm run web:build
  • npx -w packages/cdk cdk synth
  • Remaining 14 npm audit findings (elliptic, file-type, prismjs, serialize-javascript) are unrelated and require breaking changes to fix

Shintaro Okamoto added 2 commits April 17, 2026 19:51
- Update direct dependencies: axios ^1.15.0, vite ^6.4.2, lodash-es ^4.18.0
- Add npm overrides for transitive dependencies: lodash >=4.18.1,
  lodash-es >=4.18.1, dompurify >=3.4.0, fast-xml-parser >=5.5.7,
  follow-redirects >=1.16.0
- Pin python-multipart >=0.0.26 and cryptography >=46.0.7 in pyproject.toml
- Fix TypeScript build error caused by vite 6.4.2 type definition change
@okamoto-aws okamoto-aws added and then removed the auto-deploy label (label for automatically deploying to the verification AWS account) Apr 17, 2026
Shintaro Okamoto added 4 commits April 17, 2026 20:22
Node.js 18 reached EOL in April 2025. Update CI workflows to use
Node.js 22 (current LTS) and regenerate package-lock.json accordingly.
Also bump actions/checkout and actions/setup-node from v3 to v4.
CDK NodejsFunction bundler copies the root package-lock.json but
generates its own package.json without overrides, causing npm ci to
fail when overridden versions don't match the lock file entries.

fast-xml-parser will be addressed when @aws-sdk updates its dependency.
All transitive vulnerabilities are resolved without overrides:
- lodash/lodash-es: @aws-amplify/ui pins 4.18.1 directly
- follow-redirects: axios 1.15.0 pulls 1.16.0 via ^1.15.6
- dompurify: mermaid pulls 3.4.0 via ^3.0.5
- fast-xml-parser: @aws-sdk/xml-builder pins 5.5.8 (above CVE fix)
@okamoto-aws okamoto-aws added the auto-deploy label (label for automatically deploying to the verification AWS account) Apr 17, 2026

@maekawataiki maekawataiki left a comment


LGTM!

@maekawataiki maekawataiki merged commit 910b7e7 into main Apr 18, 2026
12 checks passed
@okamoto-aws okamoto-aws deleted the fix/dependabot-security-updates branch April 18, 2026 10:21