Skip to content

Commit 78e9f37

Browse files
Fletch153Fletch153
committed
chore: update dependencies to fix Dependabot alerts
1 parent 4f412ca commit 78e9f37

2 files changed

Lines changed: 588 additions & 719 deletions

File tree

DEPENDABOT_STATUS.md

Lines changed: 48 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,48 @@
1+
# Dependabot Security Alerts Status
2+
3+
**Repository**: `smartcontractkit/ea-framework-js`
4+
**Branch**: `dependabot-update-2026-02-08`
5+
**Date**: 2026-02-08
6+
7+
## Summary
8+
9+
| Metric | Count |
10+
|--------|-------|
11+
| Total Open Alerts | 3 |
12+
| Fixed | 3 |
13+
| Needs Approval | 0 |
14+
| Blocked | 0 |
15+
16+
## Alert Details
17+
18+
| # | Dependency | Severity | CVSS | CVE | Vulnerable Range | Patched | Resolved To | Fix Method | Status |
19+
|---|-----------|----------|------|-----|-----------------|---------|-------------|------------|--------|
20+
| 52 | glob | high | 7.5 | CVE-2025-64756 | >= 10.2.0, < 10.5.0 | 10.5.0 | 10.5.0 | Lockfile refresh | Fixed |
21+
| 50 | js-yaml | medium | 5.3 | CVE-2025-64718 | < 3.14.2 | 3.14.2 | 3.14.2 | Lockfile refresh | Fixed |
22+
| 49 | js-yaml | medium | 5.3 | CVE-2025-64718 | >= 4.0.0, < 4.1.1 | 4.1.1 | 4.1.1 | Lockfile refresh | Fixed |
23+
24+
## Fix Log
25+
26+
### Tier 1: Lockfile Refresh
27+
- Deleted `yarn.lock` and ran `yarn install` to regenerate
28+
- All 3 alerts resolved by the lockfile refresh alone
29+
30+
### Dependency Chain Details
31+
32+
| Alert | Dependency Chain | Before | After |
33+
|-------|-----------------|--------|-------|
34+
| #52 | c8 -> test-exclude -> glob, ava -> @vercel/nft -> glob | 10.4.5 | 10.5.0 |
35+
| #50 | ava -> supertap -> js-yaml | 3.14.1 | 3.14.2 |
36+
| #49 | eslint -> @eslint/eslintrc -> js-yaml | 4.1.0 | 4.1.1 |
37+
38+
## Verification
39+
40+
- **TypeScript compilation**: Passed (exit code 0)
41+
- **Test suite (AVA + c8)**: All tests passed (exit code 0)
42+
- **Build (`yarn build`)**: Pre-existing failure in nested `scripts/generator-adapter` sub-project due to local Node version mismatch (local: v20.11.0 vs required: v24.13.0). This failure exists on `main` and will pass in CI which uses Node 24.13.
43+
44+
## Notes
45+
- All 3 alerts are transitive, development-scope dependencies
46+
- No direct dependency changes were required
47+
- No code changes were required
48+
- CI runtime (Node 24.13) is correctly pinned in `.github/actions/setup/action.yaml` and `.tool-versions`

0 commit comments

Comments
 (0)