Skip to content

pnpm dependency update 2026-07-07#24

Merged
pviti merged 2 commits into
mainfrom
chore/deps-update-202607071005
Jul 7, 2026
Merged

pnpm dependency update 2026-07-07#24
pviti merged 2 commits into
mainfrom
chore/deps-update-202607071005

Conversation

@commercelayer-ci

Copy link
Copy Markdown
Contributor

Dependency update

Closes #23
Branch: chore/deps-update-202607071005
Based on stable: v3.2.3
Prerelease tag: v3.2.4-auto-deps-202607071005.0
Node.js: 20.x
pnpm: 10.x

Automated dependency update via pnpm. Review the dependency diff and validation output before merging.

Dependency update results

  • Check: success
  • Build: failure
  • Test: success
Build output

Semver bump log

package.json
  @biomejs/biome          ^2.4.11  →    ^2.5.2
  @commercelayer/cli-dev   ^3.1.1  →    ^3.1.5  [cooldown] 3.1.6
  @commercelayer/sdk      ^6.56.0  →   ^6.58.0
  @oclif/plugin-help      ^6.2.44  →   ^6.2.53
  @types/node             ^25.6.0  →   ^25.9.4
  mocha                   ^11.7.5  →   ^11.7.6
  oclif                   ^4.23.0  →  ^4.23.27
  semantic-release        ^25.0.3  →   ^25.0.5
  tsx                     ^4.21.0  →   ^4.23.0
  typescript               ^6.0.2  →    ^6.0.3

Audit log

┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ Serialize JavaScript is Vulnerable to RCE via          │
│                     │ RegExp.flags and Date.prototype.toISOString()          │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ serialize-javascript                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=7.0.2                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.0.3                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ .>mocha>serialize-javascript                           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-5c6j-r48x-rmvq      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ Serialize JavaScript has CPU Exhaustion Denial of      │
│                     │ Service via crafted array-like objects                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ serialize-javascript                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=5.0.0 <7.0.5                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.0.5                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ .>mocha>serialize-javascript                           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-qj8w-gfj5-8c6v      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ uuid: Missing buffer bounds check in v3/v5/v6 when buf │
│                     │ is provided                                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ uuid                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <11.1.1                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=11.1.1                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ .>node-notifier>uuid                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-w5hq-g745-h8pq      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ low                 │ jsdiff has a Denial of Service vulnerability in        │
│                     │ parsePatch and applyPatch                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ diff                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=6.0.0 <8.0.3                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.0.3                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ .>mocha>diff                                           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-73rr-hh4g-fpgx      │
└─────────────────────┴────────────────────────────────────────────────────────┘
4 vulnerabilities found
Severity: 1 low | 2 moderate | 1 high

Major updates log not updated

package.json
  @commercelayer/cli-dev   ^3.1.5  →    ^3.1.6
  @commercelayer/sdk      ^6.58.0  →   ^7.12.0
  @oclif/core             ^3.27.0  →  ^4.11.14
  @oclif/test             ^3.2.15  →   ^4.1.20
  @types/node             ^25.9.4  →   ^26.1.0
  open                     ^8.4.2  →   ^11.0.0

@commercelayer-ci commercelayer-ci added the dependencies Pull requests that update a dependency file label Jul 7, 2026
@commercelayer-ci commercelayer-ci self-assigned this Jul 7, 2026
@pviti pviti merged commit e140a7c into main Jul 7, 2026
1 check passed
@pviti pviti deleted the chore/deps-update-202607071005 branch July 7, 2026 12:52
@pviti

pviti commented Jul 7, 2026

Copy link
Copy Markdown
Member

🎉 This PR is included in version 3.2.4 🎉

The release is available on:

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file released on @latest

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[VANTA] [VULNERABILITY] <MEDIUM> CVE-2026-41907, fix before 2026-07-21

2 participants