STSMACOM-947: Bump runtime deps in package.json and yarn.lock#1627
julianladisch wants to merge 1 commit into
https://folio-org.atlassian.net/browse/STSMACOM-947

To keep in sync with the versions used in snapshot environments and Sunflower environments the runtime dependencies in yarn.lock should be bumped to the latest version that the version range in package.json allows.

* @babel/runtime ^7.28.6 → ^7.29.2
* dompurify ^3.0.9 → ^3.3.3
* lodash ^4.17.4 → ^4.17.23
* moment-timezone ^0.5.17 → ^0.5.48
* react-copy-to-clipboard ^5.0.1 → ^5.1.1
* react ^18.2.0 → ^18.3.1
* react-intl ^7.1.5 → ^7.1.14

Security fixes in transitive dependencies:

* brace-expansion ^1.1.7: version 1.1.11 → 1.1.12
  – CVE-2025-5889
  – GHSA-v6h2-p8h4-qcjw
* minimatch: 3.1.2 → 3.1.2, 5.1.6 → 5.1.9, 8.0.4 → 8.0.7, 9.0.4 → 9.0.9
  – CVE-2026-26996 GHSA-3ppc-4f35-3m26
  – CVE-2026-27904 GHSA-23c5-xmqv-rm74
  – CVE-2026-27903 GHSA-7r86-cg39-jmmj
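The description above names the transitive versions the lock-file bump is meant to land on. A reviewer can confirm that a yarn.lock actually resolves each affected package to a version at or past the fixed one for its major line, rather than trusting the PR text. The script below is an added example, not code from this PR or from the repository: it parses the yarn.lock v1 entry format, compares the resolved version of each listed package against the fixed versions taken from the PR description, and runs against a small constructed lock-file fragment in place of the real file.

```javascript
// Added example (not part of the PR or the repository): verify that a yarn.lock v1
// file resolves patched transitive dependencies to their fixed versions.

// Constructed yarn.lock v1 fragment standing in for the repo's real lock file.
// It deliberately still has brace-expansion 1.1.11 and minimatch 5.1.6 (pre-fix)
// and minimatch 9.0.9 (already fixed); the integrity hashes are placeholders.
const SAMPLE_YARN_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"brace-expansion@^1.1.7":
  version "1.1.11"
  resolved "https://registry.yarnpkg.com/brace-expansion/-/brace-expansion-1.1.11.tgz"
  integrity sha512-PLACEHOLDER
  dependencies:
    balanced-match "^1.0.0"
    concat-map "0.0.1"

"minimatch@^5.0.1", "minimatch@^5.1.0":
  version "5.1.6"
  resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-5.1.6.tgz"
  integrity sha512-PLACEHOLDER
  dependencies:
    brace-expansion "^2.0.1"

minimatch@^9.0.1:
  version "9.0.9"
  resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-9.0.9.tgz"
  integrity sha512-PLACEHOLDER
  dependencies:
    brace-expansion "^2.0.1"

"@babel/runtime@^7.28.6":
  version "7.29.2"
  resolved "https://registry.yarnpkg.com/@babel/runtime/-/runtime-7.29.2.tgz"
  integrity sha512-PLACEHOLDER
`;

// Minimum fixed version per major line, taken from the PR description's
// "Security fixes in transitive dependencies" list.
const FIXED_VERSIONS = {
  'brace-expansion': ['1.1.12'],
  minimatch: ['3.1.2', '5.1.9', '8.0.7', '9.0.9'],
};

// Parse yarn.lock v1: an unindented line ending in ':' opens an entry and holds one or
// more comma-separated "name@range" specs (quoted when they contain special characters);
// the indented 'version "x.y.z"' line that follows is the resolved version.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split('\n')) {
    if (line.trim() === '' || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      const specs = line
        .replace(/:\s*$/, '')
        .split(',')
        .map((s) => s.trim().replace(/^"|"$/g, ''));
      // lastIndexOf handles scoped names such as @babel/runtime@^7.28.6.
      const at = specs[0].lastIndexOf('@');
      current = {
        name: specs[0].slice(0, at),
        specs: specs.map((s) => s.slice(s.lastIndexOf('@') + 1)),
        version: null,
      };
      entries.push(current);
      continue;
    }
    const m = /^\s{2}version\s+"([^"]+)"/.exec(line);
    if (m && current) current.version = m[1];
  }
  return entries;
}

// Numeric major.minor.patch comparison; pre-release and build suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split('.').map(Number);
  const pb = b.split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Report every lock entry whose resolved version is below the fixed version
// published for the same major line. Major lines without a listed fix are skipped.
function findOutdated(entries, fixed = FIXED_VERSIONS) {
  const findings = [];
  for (const e of entries) {
    const targets = fixed[e.name];
    if (!targets || !e.version) continue;
    const major = e.version.split('.')[0];
    const target = targets.find((t) => t.split('.')[0] === major);
    if (target && compareVersions(e.version, target) < 0) {
      findings.push({ name: e.name, specs: e.specs, resolved: e.version, fixed: target });
    }
  }
  return findings;
}

for (const f of findOutdated(parseYarnLock(SAMPLE_YARN_LOCK))) {
  console.log(`${f.name} (${f.specs.join(', ')}): resolved ${f.resolved}, fixed in ${f.fixed}`);
}
```

Against the constructed fragment this reports brace-expansion 1.1.11 and minimatch 5.1.6 and stays silent on minimatch 9.0.9. To run it on a real checkout, replace SAMPLE_YARN_LOCK with the contents of the repository's yarn.lock (for example via fs.readFileSync); a non-empty report after the bump would mean the lock file did not land on the versions the description claims.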
This PR against #main will not keep this repo in sync with the versions in Sunflower (Sunflower pins react to ~18.2.0 and this PR would bump it to ^18.3.0). Keeping To be clear, dependency management is something that deserves real attention, but taking a scattershot approach instead of a holistic one is just a time-suck, especially in this case where there is marginal benefit (we remove some ReDoS vulnerabilities in a test env) and literally zero impact in production since SSC's lock file is ignored when building stripes or platform-complete.