
fix: remediate high & critical Dependabot and Wiz vulnerabilities#89

Open
pkaeding wants to merge 2 commits into main from devin/1781295685-remediate-vulnerabilities

Conversation

@pkaeding

Contributor

Summary

Remediates all 4 open Dependabot/Wiz security alerts by updating vulnerable dev dependencies.

Direct dependency updates:

  • esbuild: ^0.27.4 → ^0.28.1 — fixes GHSA-g7r4-m6w7-qqqr (path traversal on Windows dev server, low severity)

Transitive dependency overrides:

dist/index.js rebuilt with the updated esbuild. All tests pass locally.

Link to Devin session: https://app.devin.ai/sessions/1200957b28bb4e9e948322a4e1e69176
Requested by: @pkaeding

- Update esbuild ^0.27.4 -> ^0.28.1 (direct dev dep, GHSA-g7r4-m6w7-qqqr)
- Add npm override for vite ^8.0.5 (transitive via vitest, CVE-2026-39363/39364/39365)
- Rebuild dist/index.js with updated esbuild

Co-Authored-By: Patrick Kaeding <patrick@kaeding.name>
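The PR description and commit message describe a two-part remediation: bump a direct dev dependency's range (esbuild) and force a transitive one (vite, pulled in by vitest) through an npm `overrides` entry, then rebuild. The step that is easy to get half right is the override: adding it to package.json changes nothing until the lockfile is regenerated, and a reviewer reading only the package.json diff cannot tell whether that happened. The script below is an added example, not code from this PR or the project. It reads a package.json and a lockfileVersion 3 package-lock.json (both constructed samples here; the vitest version is a placeholder, the ranges are the ones the PR names) and reports every overridden package whose resolved version, hoisted or nested, still falls outside the override range. It also encodes npm's caret semantics, which explain why the esbuild fix needed the range itself changed: `^0.27.4` does not admit 0.28.x.

```javascript
// Added example, not code from the PR or the project. Checks that a
// package-lock.json actually carries the versions that package.json
// "overrides" are meant to force onto transitive dependencies.
// Assumes npm lockfileVersion 3 ("packages" keyed by node_modules path).
// Both documents below are constructed samples; the vitest version is a
// placeholder and the ranges are taken from the PR text.

const packageJson = {
  name: "example",
  devDependencies: { esbuild: "^0.28.1", vitest: "^2.0.0" },
  overrides: { vite: "^8.0.5" },
};

// Lockfile as it might look if the override was added to package.json but
// `npm install` was never re-run: the vite nested under vitest is still old.
const staleLockfile = {
  lockfileVersion: 3,
  packages: {
    "node_modules/esbuild": { version: "0.28.1" },
    "node_modules/vitest": { version: "2.0.0", dependencies: { vite: "^5.0.0" } },
    "node_modules/vitest/node_modules/vite": { version: "5.4.0" },
  },
};

// Lockfile after the override has taken effect (vite hoisted, no nested copy).
const fixedLockfile = {
  lockfileVersion: 3,
  packages: {
    "node_modules/esbuild": { version: "0.28.1" },
    "node_modules/vite": { version: "8.0.5" },
    "node_modules/vitest": { version: "2.0.0", dependencies: { vite: "^5.0.0" } },
  },
};

// Parse "MAJOR.MINOR.PATCH" into three numbers. A leading "v" and any
// pre-release / build suffix are ignored.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Caret ranges as npm applies them: ^X.Y.Z allows changes that do not modify
// the left-most non-zero component. So ^8.0.5 admits any 8.x.y >= 8.0.5, but
// ^0.27.4 admits only 0.27.x, which is why moving esbuild from 0.27 to 0.28
// requires editing the range rather than running `npm update`.
function satisfiesCaret(version, range) {
  if (!range.startsWith("^")) throw new Error(`only caret ranges handled: ${range}`);
  const min = parseSemver(range.slice(1));
  const v = parseSemver(version);
  if (compareVersions(v, min) < 0) return false;
  if (min[0] !== 0) return v[0] === min[0];
  if (min[1] !== 0) return v[0] === 0 && v[1] === min[1];
  return v[0] === 0 && v[1] === 0 && v[2] === min[2];
}

// Every lockfile entry (hoisted or nested) whose package name is overridden
// but whose resolved version does not satisfy the override range.
function findStaleOverrides(pkg, lock) {
  if (lock.lockfileVersion !== 3) throw new Error("expected lockfileVersion 3");
  const overrides = pkg.overrides || {};
  const stale = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    // The package name is everything after the last "node_modules/", which
    // keeps scoped names like "@scope/pkg" intact. The root entry has the
    // empty path and is skipped.
    const name = path.split("node_modules/").pop();
    if (!name || !(name in overrides)) continue;
    if (!satisfiesCaret(entry.version, overrides[name])) {
      stale.push({ path, version: entry.version, required: overrides[name] });
    }
  }
  return stale;
}

// Human-readable verdict for one lockfile.
function report(label, lock) {
  const stale = findStaleOverrides(packageJson, lock);
  if (stale.length === 0) return `${label}: all overrides applied`;
  const lines = stale.map((s) => `  ${s.path} is ${s.version}, override requires ${s.required}`);
  return `${label}: ${stale.length} stale override(s)\n${lines.join("\n")}`;
}

console.log(report("stale lockfile", staleLockfile));
console.log(report("fixed lockfile", fixedLockfile));
```

To run it against a real checkout, replace the two constructed objects with `JSON.parse(fs.readFileSync("package.json"))` and the same for package-lock.json. The quick manual equivalent is `npm ls vite`, which prints every resolved copy of the package with its version, so a reviewer can confirm that the nested copy under vitest is gone before trusting the "all tests pass" line.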
@devin-ai-integration


🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment, CI, and merge conflict monitoring

devin-ai-integration (bot) added the devin-pr (PR created by Devin) label on Jun 12, 2026
@pkaeding pkaeding requested a review from a team June 12, 2026 20:24
@pkaeding pkaeding marked this pull request as ready for review June 12, 2026 20:24
@pkaeding pkaeding requested a review from a team as a code owner June 12, 2026 20:24

Labels: devin-pr (PR created by Devin)
