
chore(deps): resolve Dependabot security alerts #2475

Merged
B4nan merged 1 commit into master from chore/dependabot-security-fixes
Apr 29, 2026

chore(deps): resolve Dependabot security alerts#2475
B4nan merged 1 commit intomasterfrom
chore/dependabot-security-fixes

Conversation


@B4nan B4nan commented Apr 28, 2026

Summary

Resolves 11 of 12 open Dependabot alerts. The 12th (uuid) was dismissed separately as tolerable risk.

Lockfile-only fixes (npm audit fix)

| Package | Before → After | Alert |
|---|---|---|
| dompurify | 3.3.3 → 3.4.1 | #200, #202, #203, #204 |
| fast-xml-parser | 5.5.11 → 5.7.2 | #206 |
| follow-redirects | 1.15.11 → 1.16.0 | #199 |
| protobufjs | 7.5.4 → 7.5.6 | #201 (critical) |

Direct dep bump

  • styled-components: 6.3.12 → ^6.4.1 (minor bump; 6.4.x dropped its postcss dep entirely)

Transitive overrides (added to existing overrides block)

All overrides are patch/minor-level within the same major and pose minimal compatibility risk.

Dismissed (separately, in Dependabot UI)

  • #205 uuid (GHSA-w5hq-g745-h8pq) — vulnerable code path is uuid.v3/v5/v6 with the buf parameter. Our consumers (sockjs, postman-collection, mermaid) only call uuid.v4 without buf, so the path is not exercised. The patch (uuid@14) is ESM-only and would break the affected CJS consumers; no backport exists.

Test plan

  • npm install succeeds
  • npm run lint:code passes
  • npm run openapi:bundle passes
  • npm run openapi:lint passes (exercises spectral, which uses overridden lodash)
  • npm audit shows zero root vulnerabilities
  • npm run build (let CI run this)
  • Verify Dependabot auto-closes the 11 alerts after merge

🤖 Generated with Claude Code

Resolve 11 of 12 open Dependabot alerts via lockfile updates,
direct dep bump, and transitive overrides:

- npm audit fix: dompurify, fast-xml-parser, follow-redirects, protobufjs
- bump styled-components: 6.3.12 -> ^6.4.1 (drops vulnerable postcss)
- override postcss ^8.5.10 (transitive in @redocly/cli's pinned styled-components 6.3.9)
- override yaml@1 ^1.10.3 (transitive in cosmiconfig, swagger2openapi, openapi-to-postmanv2)
- override lodash ^4.18.0 (transitive in openapi-to-postmanv2 and postman-collection)

The remaining uuid alert (GHSA-w5hq-g745-h8pq) was dismissed as
tolerable_risk: vulnerable code path is uuid.v3/v5/v6 with the buf
parameter, while our consumers (sockjs, postman-collection, mermaid)
only call uuid.v4 without buf. The patch is uuid@14, which is ESM-only
and would break the affected CJS consumers; no backport exists.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
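The test plan above relies on npm audit reporting zero root vulnerabilities, which does not by itself prove that every nested copy of an overridden package (lodash, postcss) was actually lifted to a fixed version. The following is an added example, not code from this PR or the repository, that walks a package-lock.json (lockfileVersion 2 or 3, whose "packages" map is keyed by install path) and reports any installed copy still below the minimum fixed versions listed in the PR description; the sample lockfile embedded below is constructed.

```javascript
// Scan a package-lock.json (lockfileVersion 2/3) for installed copies of a package
// still older than the version fixing its alert. Keys of "packages" are install
// paths ("node_modules/a/node_modules/lodash"), so nested copies are checked too.

// Minimum fixed versions, taken from the PR description above.
const MIN_FIXED = {
  dompurify: '3.4.1',
  'fast-xml-parser': '5.7.2',
  'follow-redirects': '1.16.0',
  protobufjs: '7.5.6',
  postcss: '8.5.10',
  lodash: '4.18.0',
};
// Package name = everything after the last "node_modules/" (keeps "@scope/name").
function packageNameFromPath(lockPath) {
  const idx = lockPath.lastIndexOf('node_modules/');
  return idx === -1 ? null : lockPath.slice(idx + 'node_modules/'.length);
}

// Numeric major.minor.patch comparison; a pre-release suffix is ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Returns every installed copy whose version is below the minimum fixed one.
function findUnfixed(lockfile, minFixed = MIN_FIXED) {
  const unfixed = [];
  for (const [lockPath, entry] of Object.entries(lockfile.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (!name || !(name in minFixed) || !entry.version) continue;
    if (compareVersions(entry.version, minFixed[name]) < 0) {
      unfixed.push({ path: lockPath, version: entry.version, required: minFixed[name] });
    }
  }
  return unfixed;
}

// Constructed sample: root lodash was overridden, but a nested copy was missed.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  'node_modules/lodash': { version: '4.18.0' },
  'node_modules/openapi-to-postmanv2/node_modules/lodash': { version: '4.17.21' },
  'node_modules/postcss': { version: '8.5.10' },
} };
console.log(findUnfixed(SAMPLE_LOCK)); // one entry: the nested lodash 4.17.21
```

To run it against a real lockfile, replace SAMPLE_LOCK with JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')) and fail the CI step when the returned array is non-empty.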
@github-actions github-actions Bot added this to the 139th sprint - Tooling team milestone Apr 28, 2026
@github-actions github-actions Bot added the t-tooling Issues with this label are in the ownership of the tooling team. label Apr 28, 2026
@B4nan B4nan added the adhoc Ad-hoc unplanned task added during the sprint. label Apr 28, 2026
@apify-service-account

Preview for this PR was built for commit 6b85935 and is ready at https://pr-2475.preview.docs.apify.com!

@B4nan B4nan requested a review from barjin April 28, 2026 16:00

@barjin barjin left a comment


Looks alright to me, thank you @B4nan !

Comment thread package.json
"react": "^19.1.0",
"react-dom": "^19.1.0",
"react-github-btn": "^1.4.0",
"styled-components": "6.3.12",

I'm wondering why this was pinned, but renovate[bot] seems to have updated it multiple times before anyway.

@B4nan B4nan merged commit a37aa01 into master Apr 29, 2026
15 of 16 checks passed
@B4nan B4nan deleted the chore/dependabot-security-fixes branch April 29, 2026 08:14

Development

Successfully merging this pull request may close these issues.

[priority] Write the "Compute units and consumption" article for "actors/running"
