chore(deps): patch uuid and webpack-dev-server security alerts (dev-only)#442
Add overrides to force transitive `uuid` to ^11.1.1 (GHSA-w5hq-g745-h8pq) and `webpack-dev-server` to ^5.2.4 (GHSA-79cf-xcqc-c78w). Both alerts are dev-scope only — neither package is in the plugin's published `files` list, so consumers are unaffected. The bumps apply to local build/test tooling.
🦋 Changeset detected. Latest commit: 9e6fa62. The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package.
Pull request overview
This PR addresses two GitHub security advisories in the repo’s dev/tooling dependency tree by adding npm overrides so transitive packages resolve to patched versions, and updates the lockfile accordingly. It also adds a changeset to publish the resulting patch release.
Changes:
- Add npm `overrides` to force `uuid` → `^11.1.1` and `webpack-dev-server` → `^5.2.4`.
- Refresh `package-lock.json` to reflect the overridden resolutions and their updated transitive dependencies.
- Add a patch changeset describing the dev-only security dependency overrides.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| package.json | Adds overrides entries to force patched versions of uuid and webpack-dev-server. |
| package-lock.json | Updates lockfile to the overridden resolutions and new transitive dependency graph. |
| .changeset/security-deps-uuid-wds.md | Adds a patch changeset documenting the dev-only security advisory remediation. |
Aligns the declared Node engine with .nvmrc (20) and CI. The newly overridden webpack-dev-server@^5.2.4 requires Node >=18.12, and some deeper transitives want Node 20+, so the previous ">=16.0.0" was factually wrong after PR #442's lockfile regeneration. Addresses Copilot review feedback.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Agent-Logs-Url: https://github.com/wpengine/wp-graphql-content-blocks/sessions/06e6a544-286c-46ca-bb37-881b7f0f0b3c
Co-authored-by: josephfusco <6676674+josephfusco@users.noreply.github.com>
Review nudge for @wpengine/headless-open-source — this PR is the gating piece for the 4.8.5 patch release:
Once this merges, the changesets action will refresh #403 to consolidate WP 6.9 compat + these security fixes into the same 4.8.5 release.
PR #442 (1c3b6df) added webpack-dev-server@5.2.4 to package-lock.json but the corresponding `overrides` entry never made it into package.json. `npm ci` on main now fails with "Missing: webpack-dev-server@4.15.2 from lock file" because the natural dep tree (via @wordpress/scripts) wants 4.15.2 while the lockfile has 5.2.4 with no override to bridge the gap. This breaks the release workflow — without it, the changesets action cannot install deps to refresh PR #403 or publish 4.8.5. Adding the missing override is sufficient; the lockfile is already at the correct resolution and `npm install --package-lock-only` is a no-op. Verified locally: `npm ci --dry-run` now exits 0.
Summary
Adds two entries to the `overrides` block in `package.json` to force transitive dependencies to patched versions:
- `uuid` → `^11.1.1` — resolves GHSA-w5hq-g745-h8pq (missing buffer bounds check in v3/v5/v6)
- `webpack-dev-server` → `^5.2.4` — resolves GHSA-79cf-xcqc-c78w (cross-origin source code exposure on non-HTTPS)

Dependabot couldn't auto-fix either: `uuid` is purely transitive (Dependabot's job is configured `allowed-updates: direct` only — 4 prior runs failed), and `webpack-dev-server` was pinned at 4.x via `@wordpress/scripts`'s constraint with no 4.x backport from upstream.

Why this is non-breaking for consumers
Neither package is referenced by code in this repo (no `require`/`import` of `uuid` or `webpack-dev-server` anywhere in `includes/`, `bin/`, or root `*.php`). Both exist only in the dev/test tooling tree. The plugin's `files` array publishes only `includes/`, `vendor/`, license/readme, and `wp-graphql-content-blocks.php` — `node_modules` never ships.

Test plan
- `npm install` succeeds with no peer-dep conflicts (409 added, 181 removed, 537 changed)
- `npm ls uuid` returns `uuid@11.1.1 overridden` (single resolution)
- `npm ls webpack-dev-server` returns `webpack-dev-server@5.2.4 overridden` (single resolution)
- `@wordpress/scripts` and `webpack-dev-server` both `require()` cleanly under Node 20

Release impact
Includes a patch-level changeset so this rolls into the next release (currently `@wpengine/wp-graphql-content-blocks@4.8.5` queued in #403).
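The test plan's "single resolution" check can be turned into a CI gate. The script below is an added example, not code from this PR or from the wp-graphql-content-blocks project: it walks the JSON tree that `npm ls --all --json` prints and reports every resolved version of a package, passing only when exactly one version resolves and it is at or above the patched one. The two trees it runs on are constructed by hand to mimic npm's output shape.

```javascript
// Added example (not from the PR). Verifies that an npm override actually took effect by
// inspecting the dependency tree produced by `npm ls --all --json` (pass it via stdin in CI).

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when version v is >= min (major, minor, patch compared numerically).
function atLeast(v, min) {
  const a = parseSemver(v), b = parseSemver(min);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] > b[i];
  }
  return true;
}

// Collect every distinct version of `name` found anywhere in the tree.
function resolvedVersions(tree, name, acc = new Set()) {
  for (const [dep, node] of Object.entries(tree.dependencies || {})) {
    if (dep === name && node.version) acc.add(node.version);
    resolvedVersions(node, name, acc);
  }
  return acc;
}

// ok only when exactly one version resolves and that version satisfies minVersion.
function checkOverride(tree, name, minVersion) {
  const versions = [...resolvedVersions(tree, name)];
  const ok = versions.length === 1 && atLeast(versions[0], minVersion);
  return { ok, versions };
}

// Constructed sample trees (not this repo's real `npm ls` output).
const overriddenTree = { dependencies: {
  '@wordpress/scripts': { version: '30.0.0', dependencies: {
    'webpack-dev-server': { version: '5.2.4', overridden: true },
    uuid: { version: '11.1.1', overridden: true } } },
  'some-tool': { version: '1.0.0', dependencies: { uuid: { version: '11.1.1', overridden: true } } },
} };
const staleTree = { dependencies: {
  a: { version: '1.0.0', dependencies: { uuid: { version: '11.1.1' } } },
  b: { version: '1.0.0', dependencies: { uuid: { version: '8.3.2' } } },
} };

console.log(checkOverride(overriddenTree, 'uuid', '11.1.1')); // { ok: true, versions: ['11.1.1'] }
console.log(checkOverride(staleTree, 'uuid', '11.1.1'));      // { ok: false, versions: ['11.1.1', '8.3.2'] }
```

Pipe real output in with `npm ls --all --json | node check-override.js` and exit non-zero when `ok` is false to fail the build on a stale duplicate.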