chore(deps): npm audit fix + bump direct deps to latest patch within major#48
Merged
Conversation
`npm audit fix` cleared 10 transitive-dep vulnerabilities (dottie, moment, moment-timezone, path-to-regexp, qs, underscore, validator). All within the existing major lines; no breaking changes expected.

Also bumps the direct deps that had open Snyk PRs against them to the latest patch in their current major:

- express 4.21.1 → 4.22.2 (Snyk #23, #42)
- pg 8.6.0 → 8.20.0 (Snyk #9)
- express-promise-router 4.0.1 → 4.1.1 (Snyk #12)
- sequelize 6.6.5 → 6.37.8 (Snyk #18)

`npm audit` post-fix: 0 vulnerabilities. Test suite: 24 files / 167 tests still passing.

Supersedes Snyk PRs #9, #12, #18, #23, #42. Closes #30 (the Snyk-backlog-triage tracker). The ancient PRs that target already-removed deps (#13 body-parser) get closed separately with a "no longer applicable" comment.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This was referenced May 17, 2026
CryptoJones added a commit that referenced this pull request on May 17, 2026:
Continues the housekeeping pattern of #44 — keep the README endpoint table and CHANGELOG `[Unreleased]` in sync with merged PRs.

README:
- Append rows for the four PurchaseOrder/Inventory entities that gained endpoints in #50, #51, #52.

CHANGELOG (under `[Unreleased]`):
- PurchaseOrder + Inventory API rollout (the tracker, #49, and its three PRs)
- JSON_BODY_LIMIT env hook (#45 / #46 / #47)
- npm audit fix + dep bumps + Snyk PR triage (#30 / #48)

Co-authored-by: Aaron K. Clark <akclark@thenetwerk.net>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Closes #30.
Summary
Consolidated dependency cleanup — addresses everything in the open Snyk PR backlog that's still relevant.
Transitive fixes via `npm audit fix`:

Direct dep bumps (within current major, patch-bumped from oldest pinned):

Test plan

- `npm audit` post-fix → 0 vulnerabilities
- `npm run migrate` then real DB)

The remaining open Snyk PRs target packages that are already removed (body-parser, #13) or propose downgrades (sequelize-cli to 6.6.3, #24); they should be closed as no-longer-applicable in a follow-up.

Proudly Made in Nebraska. Go Big Red! 🌽 https://xkcd.com/2347/
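A reviewer of a PR like this wants to verify its two checkable claims rather than take the description's word for them: that every direct-dep bump stayed inside its current major line without a downgrade (the sequelize-cli PR #24 above is the kind of change that should be flagged), and that `npm audit --json` really reports zero open vulnerabilities afterwards. The script below is an added example, not code from this PR or the project; the function names are its own, the before/after maps are constructed from the versions quoted in the PR (the sequelize-cli `^6.6.4` pin is a hypothetical placeholder since the PR does not state the current pin), and the audit report is a constructed sample in the npm 7+ JSON format.

```javascript
// Added example (not code from this PR or the project): checks for the two
// claims a dependency-bump PR makes. Function names and inputs are this
// example's own.

// Parse "MAJOR.MINOR.PATCH", optionally prefixed with the ^ or ~ range marker
// package.json uses. Pre-release suffixes are rejected on purpose so that
// "4.22.2-beta.1" cannot be mistaken for 4.22.2.
function parseVersion(v) {
  const m = /^[\^~]?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) };
}

// Numeric (not lexical) comparison, so 8.20.0 sorts after 8.6.0.
function compareVersions(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  return 0;
}

// Classify one version change:
//   "ok"        forward move inside the same major line
//   "unchanged" identical version
//   "downgrade" moved backwards (what the sequelize-cli Snyk PR would do)
//   "major"     crossed a major boundary; "no breaking changes" needs a real review
function classifyBump(oldVersion, newVersion) {
  const a = parseVersion(oldVersion);
  const b = parseVersion(newVersion);
  const cmp = compareVersions(a, b);
  if (cmp === 0) return "unchanged";
  if (cmp > 0) return "downgrade";
  return a.major === b.major ? "ok" : "major";
}

// Diff two package.json "dependencies" maps and return every change that is
// not a clean in-major forward bump: downgrades, major jumps, removals, additions.
function auditBumps(before, after) {
  const findings = [];
  for (const [name, oldVersion] of Object.entries(before)) {
    if (!(name in after)) {
      findings.push({ name, kind: "removed", from: oldVersion });
      continue;
    }
    const kind = classifyBump(oldVersion, after[name]);
    if (kind !== "ok" && kind !== "unchanged") {
      findings.push({ name, kind, from: oldVersion, to: after[name] });
    }
  }
  for (const [name, newVersion] of Object.entries(after)) {
    if (!(name in before)) findings.push({ name, kind: "added", to: newVersion });
  }
  return findings;
}

// Open-vulnerability total from `npm audit --json` (npm 7+ report format keeps
// per-severity counts under metadata.vulnerabilities). Falls back to summing
// severities if the "total" field is absent.
function auditVulnerabilityTotal(reportJson) {
  const report = typeof reportJson === "string" ? JSON.parse(reportJson) : reportJson;
  const counts = report && report.metadata && report.metadata.vulnerabilities;
  if (!counts) throw new Error("not an npm audit report: metadata.vulnerabilities missing");
  if (typeof counts.total === "number") return counts.total;
  return ["info", "low", "moderate", "high", "critical"]
    .reduce((sum, sev) => sum + (counts[sev] || 0), 0);
}

// Constructed sample input: the direct-dep pins quoted in the PR, plus a
// hypothetical sequelize-cli pin of ^6.6.4 moved to the 6.6.3 that Snyk PR #24
// proposed, so the checker has a downgrade to flag.
const BEFORE = {
  express: "^4.21.1",
  pg: "^8.6.0",
  "express-promise-router": "^4.0.1",
  sequelize: "^6.6.5",
  "sequelize-cli": "^6.6.4",
};
const AFTER = {
  express: "^4.22.2",
  pg: "^8.20.0",
  "express-promise-router": "^4.1.1",
  sequelize: "^6.37.8",
  "sequelize-cli": "^6.6.3",
};

// Constructed `npm audit --json` output with nothing open.
const CLEAN_AUDIT = JSON.stringify({
  auditReportVersion: 2,
  vulnerabilities: {},
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 0, high: 0, critical: 0, total: 0 } },
});

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditBumps(BEFORE, AFTER)) console.log("flagged:", f);
  console.log("open vulnerabilities:", auditVulnerabilityTotal(CLEAN_AUDIT));
}
```

Run it with `node check-bumps.js` after swapping the constructed maps for the `dependencies` blocks of the base and head `package.json`, and feed it the real `npm audit --json` output; a non-empty findings list or a non-zero total is what should block the merge. Note that this only checks the direct pins, not the resolved versions in `package-lock.json`, which is where `npm audit fix` actually made its changes.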