Skip to content

fix(deps): security bumps for 2 Dependabot alerts#261

Open
rtBot wants to merge 1 commit into
mainfrom
deps/security-fixes-2026-06-30
Open

fix(deps): security bumps for 2 Dependabot alerts#261
rtBot wants to merge 1 commit into
mainfrom
deps/security-fixes-2026-06-30

Conversation

@rtBot

@rtBot rtBot commented Jun 30, 2026

Copy link
Copy Markdown

Summary

Lockfile-only security bumps for transitive dependencies. No source or manifest changes, no major-version bumps.

Package Old → New Alert # Severity GHSA / CVE Status
http-proxy-middleware 2.0.9 → 2.0.10 #94 Medium GHSA-64mm-vxmg-q3vj / CVE-2026-55602 Fixed
webpack-dev-server 5.2.4 → 5.2.5 #92 Medium GHSA-mx8g-39q3-5c79 / CVE-2026-9595 Fixed

No CRITICAL alerts in this set.

Why

http-proxy-middleware (patch 2.0.10) and webpack-dev-server (patch 5.2.5) stay within the same major as installed and resolve cleanly via npm update --package-lock-only. (uuid root incidentally moved 14.0.0 → 14.0.1, both already above the vulnerable range.)

How tested

Lockfile-only. NOT built or tested locally (disk-discipline constraint). package-lock.json validated as parseable JSON. Rely on CI to confirm.

Residual risk / not-applicable (could NOT be safely fixed)

All remaining alerted packages are transitive copies pinned by parents such that the patched version would require a MAJOR bump of the parent (out of scope), or have no patch:

These require either upstream @wordpress/* major upgrades or maintainer fixes; left for a dedicated follow-up. Do not merge without CI review.

Open WordPress Playground Preview

- http-proxy-middleware 2.0.9->2.0.10 (#94)
- webpack-dev-server 5.2.4->5.2.5 (#92)
Lockfile-only. uuid root incidentally 14.0.0->14.0.1 (already patched).
Copilot AI review requested due to automatic review settings June 30, 2026 10:57

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot wasn't able to review any files in this pull request.


💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@justlevine justlevine left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm unclear exactly how these changes were made when an npm audit fix fails to address them and dependabot fills.

Tested locally by confirming that nvm use && npm ci don't fail or create lockfile changes. That combined with the existing CI should count.

Image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants