
Upgrade dependencies to fix security vulnerabilities in ws-manager-bridge#21387

Open
Abuchtela wants to merge 2 commits into gitpod-io:main from Abuchtela:main

Conversation

@Abuchtela

@Abuchtela Abuchtela commented Apr 9, 2026

Description

Related Issue(s)

Fixes #

How to test

Documentation

Preview status

gitpod:summary

Build Options

Build
  • /werft with-werft
    Run the build with werft instead of GHA
  • leeway-no-cache
  • /werft no-test
    Run Leeway with --dont-test
Publish
  • /werft publish-to-npm
  • /werft publish-to-jb-marketplace
Installer
  • analytics=segment
  • with-dedicated-emulation
  • workspace-feature-flags
    Add desired feature flags to the end of the line above, space separated
Preview Environment / Integration Tests
  • /werft with-local-preview
    If enabled this will build install/preview
  • /werft with-preview
  • /werft with-large-vm
  • /werft with-gce-vm
    If enabled this will create the environment on GCE infra
  • /werft preemptible
    Saves cost. Untick this only if you're really sure you need a non-preemptible machine.
  • with-integration-tests=all
    Valid options are all, workspace, webapp, ide, jetbrains, vscode, ssh. If enabled, with-preview and with-large-vm will be enabled.
  • with-monitoring

/hold

@Abuchtela Abuchtela requested a review from a team as a code owner April 9, 2026 11:47
Copilot AI review requested due to automatic review settings April 9, 2026 11:47
Contributor

Copilot AI left a comment


Pull request overview

Updates ws-manager-bridge dependencies to address reported security vulnerabilities by bumping the express version.

Changes:

  • Upgrade express in components/ws-manager-bridge from ^4.17.3 to ^4.21.2.


Comment on lines 40 to 44
"@gitpod/ws-manager": "0.1.5",
"@gitpod/ws-manager-bridge-api": "0.1.5",
"express": "^4.17.3",
"express": "^4.21.2",
"inversify": "^6.0.1",
"ioredis": "^5.3.2",
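Review bot: the hunk widens only the semver range in package.json, which by itself does not change the version that is actually installed; the PR description's "Related Issue(s)" ("Fixes #"), "How to test" and "Documentation" sections are empty, so it is not possible to tell which advisory this bump is meant to address or how the fix was verified. Please name the vulnerability being fixed, and confirm the resolved express version by committing the matching root yarn.lock change rather than relying on the range alone.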

Copilot AI Apr 9, 2026


ws-manager-bridge uses the workspace yarn lockfile for dependency resolution (see components/ws-manager-bridge/BUILD.yaml yarnLock: ${coreYarnLockBase}/yarn.lock). Bumping express to ^4.21.2 without updating the root yarn.lock (and offline-mirror artifacts, if applicable) will likely break reproducible installs/builds because the lockfile currently pins express@^4.17.3.

Please regenerate and commit the corresponding lockfile changes (and any offline mirror updates) for this new semver range.


3 participants