Update dependencies to address Dependabot security alerts #3667 (Merged)
Closes ~35 open Dependabot alerts by updating transitive and direct dependencies to patched versions:
- fast-uri 3.1.0 → 3.1.2 (path traversal, host confusion)
- @xmldom/xmldom 0.8.11 → 0.8.13 (XML injection x4)
- brace-expansion 1.1.12 → 1.1.15 (ReDoS)
- qs 6.14.0 → 6.15.2 (DoS via arrayLimit)
- ip-address 10.1.0 → 10.1.1 (XSS)
- basic-ftp 5.3.0 → 5.3.1 (DoS)
- ws 8.18.0 → 8.21.0 (memory disclosure)
- protobufjs 7.5.5 → 7.6.2 (DoS, code injection x8)
- hono 4.12.7 → 4.12.23 (HTML injection, cache leakage, path traversal x11)
- @hono/node-server 1.19.11 → 1.19.14 (middleware bypass)
- lodash 4.17.23 → 4.18.1 (code injection, prototype pollution)
- @babel/plugin-transform-modules-systemjs 7.27.1 → 7.29.7 (code injection)
- @anthropic-ai/sdk ^0.90.0 → ^0.91.1 (insecure file permissions x2)
Collaborator
📊 Performance Test Results, comparing 8b6c126 vs trunk:
- app-size
- site-editor
- site-startup
Results are median values from multiple test runs. Legend: 🟢 Improvement (faster) | 🔴 Regression (slower) | ⚪ No change (<50ms diff)
Related issues
Closes ~35 open Dependabot security alerts on the repository.

How AI was used in this PR
Claude identified which Dependabot alerts were fixable via npm update (stale lockfile entries within existing semver ranges) vs. those requiring direct dep bumps or overrides, then applied all the easy wins in one shot.

Proposed Changes
Updates transitive and direct dependencies to their patched versions to close the majority of open Dependabot security alerts. All updates are within the existing declared semver ranges of their parent packages — no breaking changes expected.
- fast-uri
- @xmldom/xmldom
- brace-expansion
- qs
- ip-address
- basic-ftp
- ws
- protobufjs
- hono
- @hono/node-server
- lodash
- @babel/plugin-transform-modules-systemjs
- @anthropic-ai/sdk
Remaining open alerts are blocked by exact-pinned third-party packages (@php-wasm/*, @mariozechner/pi-*, electron2appx) or have no upstream fix (showdown). Those require upstream releases to resolve.

Testing Instructions
- npm run typecheck passes
- npm test passes

Pre-merge Checklist
- @anthropic-ai/sdk range bump)
- @wp-playground/* and @php-wasm/* pins untouched
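The PR description sorts alerts into three buckets: patched versions reachable with a plain npm update (the lockfile is simply stale within a range the parent already declares), alerts that need the declared range in package.json bumped (the @anthropic-ai/sdk ^0.90.0 → ^0.91.1 case, since a caret on a 0.x version does not admit a minor bump), and alerts stuck behind an exact pin in a third-party package that only an override or an upstream release can clear. The classifier below is an added example illustrating that triage, not the project's tooling and not what Claude ran; it implements only caret, tilde and exact-pin semantics, and the declared ranges for fast-uri and lodash, the parent-package names and the pinned-transitive entry are constructed sample data, while the @anthropic-ai/sdk range and patched version come from the PR text.

```javascript
// Added example (not the project's own tooling): for each advisory, decide whether
// the patched version satisfies the semver range its parent already declares
// (reachable via `npm update`), needs a package.json range bump, or is blocked
// behind a third-party exact pin (override or upstream release required).
// Only caret (^), tilde (~) and bare exact-pin ranges are handled.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number); // [major, minor, patch]
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Exclusive upper bound of a caret range. ^1.2.3 allows <2.0.0, but for 0.x
// releases caret is stricter: ^0.90.0 allows <0.91.0 and ^0.0.3 allows <0.0.4.
// This is why 0.90.x -> 0.91.1 cannot be reached by `npm update` alone.
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

// Exclusive upper bound of a tilde range: ~1.2.3 allows <1.3.0.
function tildeUpperBound([major, minor]) {
  return [major, minor + 1, 0];
}

function satisfies(range, version) {
  const v = parseVersion(version);
  const r = String(range).trim();
  if (r.startsWith('^') || r.startsWith('~')) {
    const base = parseVersion(r.slice(1));
    const upper = r.startsWith('^') ? caretUpperBound(base) : tildeUpperBound(base);
    return compareVersions(v, base) >= 0 && compareVersions(v, upper) < 0;
  }
  return compareVersions(v, parseVersion(r)) === 0; // bare version = exact pin
}

// alert: { name, range, patched, declaredBy }
// declaredBy is 'package.json' for a direct dependency, otherwise the parent
// package (hypothetical names in the sample data) that declares the range.
function classifyAlert(alert) {
  if (satisfies(alert.range, alert.patched)) return 'npm update';
  if (alert.declaredBy === 'package.json') return 'bump declared range';
  return 'override or wait for upstream';
}

function classifyAlerts(alerts) {
  const result = {};
  for (const a of alerts) result[a.name] = classifyAlert(a);
  return result;
}

// Constructed sample input modelled on the PR description; the ranges for
// fast-uri and lodash and the pinned-transitive entry are assumptions.
const SAMPLE_ALERTS = [
  { name: 'fast-uri', range: '^3.1.0', patched: '3.1.2', declaredBy: 'hypothetical-parent' },
  { name: 'lodash', range: '^4.17.21', patched: '4.18.1', declaredBy: 'package.json' },
  { name: '@anthropic-ai/sdk', range: '^0.90.0', patched: '0.91.1', declaredBy: 'package.json' },
  { name: 'pinned-transitive', range: '1.2.3', patched: '1.2.4', declaredBy: 'hypothetical-third-party' },
];

console.log(JSON.stringify(classifyAlerts(SAMPLE_ALERTS), null, 2));
```

Running it prints the bucket for each sample alert; the same split is what `npm update` reports implicitly (it only moves versions that satisfy the declared range), so the classifier is a way to see up front which alerts a lockfile refresh will actually close and which will still be open afterwards.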