Pull request overview
This PR addresses Dependabot security alerts by updating release tooling and forcing patched transitive dependency versions via npm overrides.
Changes:
- Bump semantic-release from ^19 to ^24.2.9.
- Add npm overrides to require patched versions of handlebars, picomatch, flatted, and glob-promise.
Pull request overview
Copilot reviewed 5 out of 6 changed files in this pull request and generated 4 comments.
Pull request overview
Copilot reviewed 7 out of 8 changed files in this pull request and generated 1 comment.
| "benchmark": "^2.1.4", | ||
| "eslint": "^7.32.0", | ||
| "prettier": "^2.8.8", | ||
| "semantic-release": "^19.0.3", | ||
| "semantic-release": "^24.2.9", | ||
| "text-encoding": "^0.7.0", |
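Review bot: the bump from "^19.0.3" to "^24.2.9" crosses five major versions of semantic-release; check the release configuration and plugins this repository uses against each major's breaking-change notes, and commit the regenerated package-lock.json in the same change so the new transitive tree (and the Dependabot alerts this PR targets) can be verified from the lockfile rather than assumed from the caret range.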
semantic-release@24 requires Node >=20.8.1 (see package-lock). Since the repo now pins CI to Node 20, consider also adding an engines.node constraint (and/or documenting it) in package.json so local installs/runs on older Node versions fail fast with a clear message rather than breaking at release time.
Summary
- semantic-release from ^19 to ^24: v24 pulls in @semantic-release/npm@12, which depends on npm@10, resolving bundled vulnerable versions of tar and minimatch.
- overrides for handlebars >= 4.7.9, picomatch >= 2.3.2, flatted >= 3.4.2, and glob-promise >= 6.0.7 to force patched transitive deps.
- glob-promise >= 6.0.7 drops the npm-install-peers dependency that was pulling in npm@6 with bundled vulnerable tar and minimatch.

Resolves all 14 open Dependabot alerts (#90, #91, #93, #94, #95, #97, #99, #101, #102, #103, #105, #106, #108, #109).
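A way to verify the override claim above against the lockfile, as an added example that is not the PR's own code: it walks a package-lock.json v2/v3 "packages" map, including nested copies under a dependency's own node_modules, and reports any copy below the version floor the overrides require. The version floors are the ones named in the description; the sample lock content is constructed.

```javascript
// Version floors the PR's overrides are meant to enforce (taken from the PR description).
const MINIMUMS = {
  handlebars: '4.7.9',
  picomatch: '2.3.2',
  flatted: '3.4.2',
  'glob-promise': '6.0.7',
};
// Compare two dotted versions numerically; prerelease/build tags are ignored.
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split('.').map(Number);
  const pb = b.split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}
// The package name is the path after the last "node_modules/" (scoped names keep "@scope/").
function packageName(lockPath) {
  const idx = lockPath.lastIndexOf('node_modules/');
  return idx === -1 ? null : lockPath.slice(idx + 'node_modules/'.length);
}
// Walk every installed copy, nested ones included, and report any below its floor.
function findOverrideViolations(lock, minimums = MINIMUMS) {
  const violations = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageName(lockPath);
    if (!name || !(name in minimums) || !entry.version) continue;
    if (compareVersions(entry.version, minimums[name]) < 0) {
      violations.push({ path: lockPath, version: entry.version, required: minimums[name] });
    }
  }
  return violations;
}
// Constructed sample lock (not from the PR): two copies still sit below their floor.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/handlebars': { version: '4.7.9' },
    'node_modules/flatted': { version: '3.4.2' },
    'node_modules/picomatch': { version: '2.3.2' },
    'node_modules/some-tool/node_modules/picomatch': { version: '2.3.1' },
    'node_modules/glob-promise': { version: '5.0.1' },
  },
};
if (typeof require !== 'undefined' && require.main === module) {
  console.log(findOverrideViolations(SAMPLE_LOCK));
}
```

Point it at a real lockfile by replacing SAMPLE_LOCK with JSON.parse of the file's contents; an empty result means every overridden package resolved to a patched version.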