fix: resolve security alerts (serialize-javascript, XP-SK-001)#693
Conversation
Code Review
This pull request updates several dependencies across the repository, including an override for serialize-javascript to version 7.0.5 in the VS Code extension and website. It also includes updates for brace-expansion, underscore, and terser-webpack-plugin, removes the randombytes dependency, and deletes the version metadata from the agnix skill definition. Additionally, the toml dependency in Cargo.lock is downgraded from version 1.0.1 to 0.8.23. I have no feedback to provide.
Pull request overview
Resolves security/code-scanning alerts by tightening metadata in SKILL frontmatter and overriding vulnerable JavaScript dependencies in the docs site and VS Code extension.
Changes:
- Remove the non-standard `version` field from `plugin/skills/agnix/SKILL.md` frontmatter (XP-SK-001).
- Add npm `overrides` for `serialize-javascript@^7.0.5` in `website/` and `editors/vscode/`, and update corresponding lockfiles.
- Update `Cargo.lock` to resolve `agnix-workspace-tests` to `toml 0.8.23`.
Reviewed changes
Copilot reviewed 3 out of 6 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| website/package.json | Adds serialize-javascript override to address vulnerability. |
| website/package-lock.json | Lockfile updates reflecting dependency/override resolution. |
| plugin/skills/agnix/SKILL.md | Removes non-standard frontmatter key to satisfy XP-SK-001. |
| editors/vscode/package.json | Adds serialize-javascript override for extension toolchain deps. |
| editors/vscode/package-lock.json | Lockfile updates reflecting dependency/override resolution. |
| Cargo.lock | Adjusts resolved toml version for workspace test crate. |
Files not reviewed (2)
- editors/vscode/package-lock.json: Language not supported
- website/package-lock.json: Language not supported
- Add engines.node >= 20.0.0 to website and vscode extension (serialize-javascript@7 requires Node 20+)
- Add CHANGELOG.md entry for security fixes
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 4dea9977a0
Avoid overwriting engines.vscode by merging the Node constraint into the existing engines object instead of adding a duplicate key.
Pull request overview
Copilot reviewed 4 out of 7 changed files in this pull request and generated 1 comment.
Files not reviewed (2)
- editors/vscode/package-lock.json: Language not supported
- website/package-lock.json: Language not supported
Summary
- Remove the `version` field from `plugin/skills/agnix/SKILL.md` frontmatter (fixes code scanning alert #1062, rule XP-SK-001)
- Override `serialize-javascript` to `^7.0.5` in `website/` and `editors/vscode/` to fix CPU exhaustion DoS vulnerability (fixes Dependabot alerts #122 and #123)

Test plan
- `cargo test --workspace` - 4,076 tests pass
- `npm audit` in `website/` - 0 vulnerabilities
- `npm audit` in `editors/vscode/` - 0 vulnerabilities