fix(deps): Upgrade vulnerable dependency to address CVE detected by Trivy #12
yeshamavani merged 1 commit into main from
SonarQube reviewer guide

Summary: Updates dependency versions in package-lock.json and package.json, including npm to 11.12.1, ibm-cloud-sdk-core to 5.4.9, and various utility libraries with security and compatibility improvements.

Review Focus: Pay close attention to the ibm-cloud-sdk-core upgrade from 5.4.5 to 5.4.9, which introduces a significant dependency change—file-type upgraded from 16.5.4 to 21.3.2 (major version bump). This brings new peer dependencies (@tokenizer/inflate, strtok3, token-types, uint8array-extras) and a new direct dependency (load-esm). Verify these new dependencies don't conflict with existing code and test file-type functionality. Also note npm bundled dependency removals (cli-columns, promise-retry, validate-npm-package-license) and the node-forge security patch.

Start review at: package.json. This is where the direct dependency changes are specified. Focus on the ibm-cloud-sdk-core version bump and node-forge override update, as these are the intentional changes that drive the lock file updates. Understanding the root causes here will help contextualize the cascading dependency changes in package-lock.json.
🎉 This PR is included in version 2.0.1 🎉
The release is available on:
Your semantic-release bot 📦🚀



This pull request updates the `node-forge` dependency in the `package.json` file to a newer version. This is a minor maintenance change to ensure the project uses the latest compatible version of `node-forge`.