
Update dependencies to resolve security findings#73

Closed
johan-j wants to merge 4 commits into
mainfrom
dependency-cleanup
Closed

Update dependencies to resolve security findings#73
johan-j wants to merge 4 commits into
mainfrom
dependency-cleanup

Conversation

@johan-j
Contributor

@johan-j johan-j commented Mar 10, 2026

Issue:

Resolve security findings: dependency updates and cleanup

Summary

Updates production dependencies to address all 5 Dependabot security findings and removes an unused package that was pulling in vulnerable transitive dependencies. Reduces npm audit findings from 13 → 5 (the remaining 5 are in a devDependency awaiting an upstream fix).

Security findings resolved

| Finding | Severity | Resolution |
| --- | --- | --- |
| undici → 6.23.0 | low | Upgraded @actions/core and @actions/github |
| fast-xml-parser → 5.3.4 | low | Upgraded @github/local-action (resolves to 5.5.1) |
| fast-xml-parser → 5.3.6 | low | Same as above |
| fast-xml-parser → 5.3.8 | low | Same as above |
| minimatch → 9.0.7 | low | Removed unused prettier-eslint |

Dependency changes

| Package | Before | After | Section |
| --- | --- | --- | --- |
| @actions/core | ^2.0.2 | ^3.0.0 | dependencies |
| @actions/github | ^7.0.0 | ^9.0.0 | dependencies |
| @github/local-action | ^5.1.0 | ^7.0.1 | devDependencies |
| prettier-eslint | ^16.4.2 | removed | devDependencies |
| @rollup/plugin-json | | | dependencies moved to devDependencies |
| @types/js-yaml | | | dependencies moved to devDependencies |

Config fixes

  • eslint.config.mjs: Changed tsconfigRootDir: '.' → tsconfigRootDir: __dirname (required by updated @typescript-eslint/parser)
  • jest.config.js: Added moduleNameMapper for @actions/core and @actions/github (pure ESM packages need explicit resolution for jest.mock())

Remaining audit items

5 moderate-severity undici@5.29.0 findings remain inside @github/local-action@7.0.1 → @actions/artifact → @actions/github@6.0.1 (transitive). This is the latest available version of the package — requires an upstream fix. These are devDependencies only and are not shipped in the action bundle.

Testing

  • npm run all passes (format, lint, 22/22 tests, coverage, bundle)
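The claim above that the remaining undici@5.29.0 findings are reachable only through devDependencies can be checked against package-lock.json itself rather than taken from the audit summary. The block below is an added example, not code from this PR or repository; its lockfile object is constructed from the versions named in the PR, and the @actions/artifact version and the resolved root-level versions are assumptions.

```javascript
// Added example (not part of the PR): confirm a vulnerable package is only reachable via
// devDependencies by walking a package-lock.json (lockfileVersion 3) dependency graph.
// CONSTRUCTED lockfile: versions follow the PR text; @actions/artifact@2.0.0 is assumed.
const lock = { lockfileVersion: 3, packages: {
  "": { dependencies: { "@actions/core": "^3.0.0", "@actions/github": "^9.0.0" },
        devDependencies: { "@github/local-action": "^7.0.1" } },
  "node_modules/@actions/core": { version: "3.0.0" },
  "node_modules/@actions/github": { version: "9.0.0", dependencies: { undici: "^6.23.0" } },
  "node_modules/undici": { version: "6.23.0" },
  "node_modules/@github/local-action": { version: "7.0.1", dev: true, dependencies: { "@actions/artifact": "*" } },
  "node_modules/@actions/artifact": { version: "2.0.0", dev: true, dependencies: { "@actions/github": "^6.0.1" } },
  "node_modules/@actions/artifact/node_modules/@actions/github": { version: "6.0.1", dev: true, dependencies: { undici: "^5.0.0" } },
  "node_modules/@actions/artifact/node_modules/undici": { version: "5.29.0", dev: true },
} };

// Node-style resolution: look in the requiring package's own node_modules first,
// then in each ancestor's node_modules, ending at the root. Returns null if absent.
function resolveDep(packages, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + dep;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Every installed path reachable from the root's production `dependencies`; devDependencies are
// deliberately not followed, so anything outside this set is pulled in by tooling only.
function productionClosure(lock) {
  const { packages } = lock;
  const seen = new Set(), stack = [""];
  while (stack.length) {
    const from = stack.pop();
    for (const dep of Object.keys((packages[from] || {}).dependencies || {})) {
      const target = resolveDep(packages, from, dep);
      if (target && !seen.has(target)) { seen.add(target); stack.push(target); }
    }
  }
  return seen;
}

// One record per installed copy of `name`: is it shipped (reachable from production
// dependencies), and does the lockfile's own `dev` flag agree with the graph walk?
function auditPackage(lock, name) {
  const prod = productionClosure(lock);
  return Object.entries(lock.packages)
    .filter(([p]) => p.endsWith("node_modules/" + name))
    .map(([p, e]) => ({ path: p, version: e.version, shipped: prod.has(p), devFlag: e.dev === true }));
}

for (const copy of auditPackage(lock, "undici")) console.log(copy);
```

On a real checkout, replace the constructed object with the parsed package-lock.json; a copy reported as shipped is one the production dependency tree pulls in, and any row where shipped and devFlag agree with each other confirms the lockfile's own bookkeeping.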

@johan-j johan-j requested a review from a team as a code owner March 10, 2026 20:48
Copilot AI review requested due to automatic review settings March 10, 2026 20:48

Copilot AI left a comment


Pull request overview

Updates Node/TypeScript action dependencies to address security findings (vuln-mgmt#181381) for this repository’s GitHub Action.

Changes:

  • Bump @actions/core to ^3.0.0 and @actions/github to ^9.0.0.
  • Move build/type-only packages to devDependencies and update @github/local-action to ^7.0.1.
  • Remove prettier-eslint from devDependencies.


johan-j added 3 commits March 10, 2026 10:53

- eslint: Use __dirname for tsconfigRootDir (required by newer @typescript-eslint/parser)
- jest: Add moduleNameMapper for pure ESM @actions packages
- Rebuild dist/

action.yml was still using node16, which is incompatible with
@actions/core@3, @actions/github@9, and openai@5 (all require Node >=18).
The engines field in package.json already specifies >=20.

Regenerate .licenses/ cache after dependency version bumps.
Removes stale records for old transitive deps and adds new ones.
@johan-j johan-j closed this Mar 13, 2026