DEV3-4806 Fix security vulnerabilities in dependencies#1658
Open
arturfromtabnine wants to merge 2 commits into master from
Conversation
Upgrade direct dependencies and add yarn resolutions to fix 19 security vulnerabilities identified by Snyk.

Direct dependency upgrades:
- axios: ^0.21.0 → ^1.12.0 (major)
- diff: ^5.0.0 → ^5.2.2 (patch)
- systeminformation: ^5.6.10 → ^5.31.0 (minor)
- tmp: ^0.2.1 → ^0.2.4 (patch)
- underscore: ^1.13.6 → ^1.13.8 (patch)

Transitive dependency resolutions:
- brace-expansion: 1.1.11 → 1.1.12
- minimatch: 3.1.2 → 3.1.3
- follow-redirects: 1.15.3 → 1.15.9

Also adds .yarnrc.yml for Yarn 4.x compatibility and updates .gitignore to exclude Yarn Berry cache files.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add a reusable skill for fixing security vulnerabilities in transitive dependencies using yarn resolutions, focusing on patch/minor upgrades to avoid breaking changes.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Summary
This PR addresses 19 security vulnerabilities identified by Snyk in project dependencies by upgrading direct dependencies and adding yarn resolutions for transitive dependencies.
Snyk scan result after this PR: ✅ No vulnerable paths found
Changes
Direct Dependency Upgrades
Transitive Dependency Resolutions (via yarn resolutions)
New Files Added
.yarnrc.yml: nodeLinker: node-modules setting which tells Yarn 4 to use the traditional node_modules installation strategy (instead of Plug'n'Play) for compatibility with the existing project setup. This file was auto-generated when running yarn install with Yarn 4.x.
.gitignore update: .yarn/install-state.gz added to gitignore. This is a Yarn Berry cache file that stores the install state for faster subsequent installs - it should not be committed as it's machine-specific and regenerated automatically.
Test Plan
1. Build Verification
   - yarn build - verify no compilation errors
   - yarn lint - verify no new lint errors
   - yarn test - verify all unit tests pass
2. Code Review API Testing (src/codeReview/api.ts)
   - supportedExtensions() returns extensions list correctly
   - querySuggestions() POST request works with proper payload/response
3. Chat WebView Dev Mode (src/tabnineChatWidget/ChatViewProvider.ts)
4. Axios 1.x Specific Testing (Major Upgrade)
   - response.data access works as expected
   - error.response, error.message
5. E2E Smoke Test
References
🤖 Generated with Claude Code
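One check a reviewer could run on this PR's yarn resolutions, as an added example that is not part of the PR or the project: parse a Yarn Berry yarn.lock and report any entry for brace-expansion, minimatch or follow-redirects that did not resolve to the pinned version, which is how a stale lockfile leaves a vulnerable transitive copy in place even after the resolution is declared. The lockfile text, the function names and the RESOLUTIONS map are constructed for the example; the pinned versions themselves are the ones listed in the PR description.

```javascript
// Added example (not from the PR): report yarn.lock entries for packages pinned
// under package.json "resolutions" that did not resolve to the pinned version.
// Parses only the Yarn Berry (v2+) lockfile layout; names here are constructed.
// Pins taken from the PR description (exact versions, as resolutions should be).
const RESOLUTIONS = {
  'brace-expansion': '1.1.12',
  'minimatch': '3.1.3',
  'follow-redirects': '1.15.9',
};

// Constructed sample lockfile: minimatch still sits at the old version under a
// second descriptor, the realistic failure when the lockfile is stale.
const SAMPLE_LOCK = `__metadata:
  version: 8
"brace-expansion@npm:^1.1.7":
  version: 1.1.12
  resolution: "brace-expansion@npm:1.1.12"
"minimatch@npm:^3.0.4, minimatch@npm:^3.1.1":
  version: 3.1.2
  resolution: "minimatch@npm:3.1.2"
"follow-redirects@npm:^1.15.0":
  version: 1.15.9
  resolution: "follow-redirects@npm:1.15.9"
`;

// Parse a Berry-style yarn.lock into [{ packageName, descriptors, version }].
// Entry keys sit at column 0 and end with ':'; their fields are indented.
function parseBerryLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split('\n')) {
    if (raw.trim() === '' || raw.startsWith('#')) continue;
    if (!raw.startsWith(' ') && raw.endsWith(':')) {
      const descriptors = raw.slice(0, -1).replace(/^"|"$/g, '').split(',').map((d) => d.trim());
      // "@scope/name@npm:^1.0.0" -> "@scope/name" (strip the trailing "@range").
      current = { packageName: descriptors[0].replace(/@[^@]*$/, ''), descriptors, version: null };
      entries.push(current);
    } else if (current) {
      const m = raw.match(/^\s+version:\s*"?([^"\s]+)"?/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Entries whose package is pinned but whose resolved version differs.
function findUnpinned(lockText, resolutions = RESOLUTIONS) {
  return parseBerryLock(lockText)
    .filter((e) => Object.hasOwn(resolutions, e.packageName) && e.version !== resolutions[e.packageName])
    .map((e) => ({ name: e.packageName, expected: resolutions[e.packageName], actual: e.version }));
}
```

Run findUnpinned over the real lockfile after yarn install; any non-empty result means a declared resolution did not take effect and the Snyk finding is still live.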