chore: resolve open dependabot security alerts#1967
Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
✅ Deploy Preview for polite-licorice-3db33c canceled.
Code Review
This pull request updates several dependencies, including an upgrade of js-cookie to version 3.0.7 in the playground app and minor version bumps for containerd and compress in the integration tests. A review comment suggests refining the js-cookie version override from a loose >=3.0.7 range to a safer ^3.0.7 caret range to avoid potential breaking changes from future major releases.
| "react-use": "^17.6.0" | ||
| }, | ||
| "overrides": { | ||
| "js-cookie": ">=3.0.7" |
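Review bot: the new `overrides` entry forces the js-cookie version that react-use pulls in transitively, but this diff only touches package.json; confirm the lockfile was regenerated in the same change so the resolved js-cookie actually moves to 3.0.7 or later, otherwise the installed version (and the Dependabot alert) does not change.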
Using a loose version range like >=3.0.7 in overrides can lead to unexpected breaking changes if a new major version of js-cookie is released in the future. It is safer to use a caret range (^3.0.7) to allow only non-breaking updates while still receiving security patches and bug fixes within the v3.x series.
| "js-cookie": ">=3.0.7" | |
| "js-cookie": "^3.0.7" |
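The range semantics discussed in the comment above, as an added example that is not part of this PR or its project: a dependency-free Node script (the mini range parser and the sample package object are constructed here) that flags `overrides` entries with no upper bound, such as `>=3.0.7`, and accepts bounded ranges such as `^3.0.7`.

```javascript
// Added example, not from the PR. Lint `overrides` in a package.json for ranges
// that would also accept the next major release. Supports a subset of npm range
// syntax: exact, >=, >, <=, <, ^, ~, and space-separated AND comparators.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Expand one comparator into {op, ver} terms; ^ and ~ become a >= / < pair.
function expand(comp) {
  const m = /^(\^|~|>=|<=|>|<|=)?v?(\d+\.\d+\.\d+)$/.exec(comp);
  if (!m) throw new Error(`unsupported comparator: ${comp}`);
  const op = m[1] || '=';
  const [maj, min, pat] = parseVersion(m[2]);
  if (op === '^') {
    const upper = maj > 0 ? [maj + 1, 0, 0] : min > 0 ? [0, min + 1, 0] : [0, 0, pat + 1];
    return [{ op: '>=', ver: [maj, min, pat] }, { op: '<', ver: upper }];
  }
  if (op === '~') return [{ op: '>=', ver: [maj, min, pat] }, { op: '<', ver: [maj, min + 1, 0] }];
  return [{ op, ver: [maj, min, pat] }];
}

function satisfies(version, range) {
  const v = parseVersion(version);
  return range.trim().split(/\s+/).flatMap(c => expand(c)).every(({ op, ver }) => {
    const c = compare(v, ver);
    return op === '=' ? c === 0 : op === '>=' ? c >= 0 : op === '>' ? c > 0
         : op === '<=' ? c <= 0 : c < 0;
  });
}

// A range is loose if the next major above its lowest stated version still satisfies it.
function allowsNextMajor(range) {
  const lowest = range.trim().split(/\s+/).flatMap(c => expand(c)).map(c => c.ver).sort(compare)[0];
  return satisfies(`${lowest[0] + 1}.0.0`, range);
}

// Returns one finding per override whose range has no effective upper bound.
function auditOverrides(pkg) {
  return Object.entries(pkg.overrides || {})
    .filter(([, range]) => allowsNextMajor(range))
    .map(([name, range]) => `${name}: "${range}" accepts a future major; prefer "^${range.replace(/^[^\d]*/, '')}"`);
}

// Constructed sample mirroring the override added in playground-app/package.json.
const samplePkg = { overrides: { 'js-cookie': '>=3.0.7' } };
```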



Summary
Resolved 2 of 7 open Dependabot security alerts. The remaining 5 alerts are for github.com/docker/docker and currently have no patched version available upstream.

Dependabot Alerts Resolved
- js-cookie >=3.0.7 in playground-app/package.json (transitive via react-use)
- github.com/containerd/containerd/v2 v2.2.4 via go get + go mod tidy in test/integration/go.mod

Unresolvable Alerts
These Docker-related alerts in test/integration/go.mod (transitive via testcontainers-go) have no upstream patched version yet:
- PUT /containers/{id}/archive executes container binary on the host
- docker cp allows creation of arbitrary empty files
- docker cp allows bind mount redirection
29.3.1 but no such release exists yet