Skip to content

build(deps): resolve dependabot security alerts#1074

Merged
dsanders11 merged 1 commit into
mainfrom
sam/fix-dependabot-alerts
Apr 4, 2026
Merged

build(deps): resolve dependabot security alerts#1074
dsanders11 merged 1 commit into
mainfrom
sam/fix-dependabot-alerts

Conversation

@MarshallOfSound

Copy link
Copy Markdown
Member

Resolves 24 of 27 open Dependabot alerts. All fixes are via yarn up -R on the dependency or its parent chain; only one resolutions override is needed.

Direct devDep bumps

  • @typescript-eslint/eslint-plugin / @typescript-eslint/parser ^6.21.0^7.18.0 (pulls minimatch@^9.0.4)
  • markdownlint-cli2 ^0.20.0^0.21.0 (pulls markdown-it@14.1.1, micromatch@4.0.8). Not ^0.22.0 — that introduces smol-toml@1.6.0 which has its own open advisory.

Transitive bumps via yarn up -R

  • serve-handler → 6.1.7, express → 4.22.1, body-parser → 1.20.4, compression → 1.8.1, eslint → 8.57.1, terser-webpack-plugin → 5.4.0
  • minimatch → 3.1.5 / 9.0.9 / 10.2.4, node-forge → 1.4.0, path-to-regexp → 0.1.13, qs → 6.14.2, on-headers → 1.1.0, picomatch → 4.0.4, ajv → 6.14.0 / 8.18.0, brace-expansion → 1.1.13, glob → 10.5.0, mdast-util-to-hast → 13.2.1, http-cache-semantics → 4.2.0, axios → 1.14.0, yaml → 2.8.3

Resolutions

  • Removed both pre-existing entries (http-cache-semantics, markdownlint-cli2/micromatch) — parent chains now resolve safely on their own.
  • Added serialize-javascript: ^7.0.5copy-webpack-plugin@11 and css-minimizer-webpack-plugin@5 (via @docusaurus/core@3.9.2) still request ^6.x with no in-range release on 7; no path without a Docusaurus major bump.

Remaining (3 alerts)

lodash-es ×3 — fixed in 4.18.0 (published 2026-03-31), blocked by npmMinimalAgeGate: 10080 until 2026-04-07. Same applies to lodash (via Docusaurus). Will follow up once the gate clears rather than preapprove.


yarn npm audit: 37 → 5 advisories (all lodash/lodash-es). yarn install --immutable, yarn lint, yarn build all pass with no new warnings vs main.

@MarshallOfSound MarshallOfSound requested a review from a team as a code owner April 4, 2026 08:44
@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatedeslint@​8.41.0 ⏵ 8.57.189100100 +150100
Updated@​typescript-eslint/​parser@​6.21.0 ⏵ 7.18.0100 +110071 +198100
Updated@​typescript-eslint/​eslint-plugin@​6.21.0 ⏵ 7.18.099 +110080 +198100
Updatedmarkdownlint-cli2@​0.20.0 ⏵ 0.21.09910010085 -1100

View full report

@socket-security

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Publisher changed: npm path-to-regexp is now published by ulisesgascon

Author: ulisesgascon

From: ?npm/@docusaurus/core@3.9.2npm/path-to-regexp@0.1.13

ℹ Read more on: This package | This alert | What is unstable ownership?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Try to reduce the number of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/path-to-regexp@0.1.13. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@cloudflare-workers-and-pages

Copy link
Copy Markdown

Deploying electron-website with  Cloudflare Pages  Cloudflare Pages

Latest commit: 0988e8a
Status: ✅  Deploy successful!
Preview URL: https://526f6e00.electron-website.pages.dev
Branch Preview URL: https://sam-fix-dependabot-alerts.electron-website.pages.dev

View logs

@dsanders11 dsanders11 merged commit ccdc66a into main Apr 4, 2026
6 checks passed
@dsanders11 dsanders11 deleted the sam/fix-dependabot-alerts branch April 4, 2026 20:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants