Fix Dependabot alerts#17699
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 7881d5d. Configure here.
![sentry[bot]](https://avatars.githubusercontent.com/in/12637?s=60&v=4){kind=small}
| "minimatch": "^9.0.0", | ||
| "fast-uri": "3.1.2", | ||
| "vite": "7.3.2", | ||
| "fast-xml-builder": "1.1.7", | ||
| "lodash-es": "4.18.1", | ||
| "picomatch@<3.0.0": "2.3.2", | ||
| "picomatch@>=4.0.0 <4.0.4": "4.0.4" |
There was a problem hiding this comment.
Would rather not solve this with overrides if possible, but bump the transitive dep chain
There was a problem hiding this comment.
I'm not sure how much we can avoid this, will take a look
There was a problem hiding this comment.
You're right @chargome, most of them were fixable in the lockfile through the pnpm cli
please take another look 👀
|
Superseded by #17998, which is a fresh branch from master that addresses all remaining open alerts (plus 2 new ones: #324 uuid, #325 js-cookie) without the merge conflicts. Followed @chargome's feedback to prefer lockfile updates over overrides where possible — only using overrides where upstream packages haven't released fixes. Closing in favor of #17998. |
4 participants
Fixes high-severity Dependabot alerts:
Also fixes medium-severity Dependabot alerts: