chore(deps): bulk dependency updates and security fixes#217
Merged
Consolidate 6 Dependabot PRs and resolve all 26 npm security alerts:

Docker images:
- rocker/r-ver 4.5.2 → 4.5.3 (Dockerfile + CI)
- axllent/mailpit v1.29.0 → v1.29.6

GitHub Actions:
- dorny/paths-filter v3 → v4
- actions/configure-pages v5 → v6
- actions/deploy-pages v4 → v5

npm dependencies:
- rollup-plugin-visualizer 6.0.5 → 7.0.1
- npm audit fix for 22 vulnerabilities (dompurify, vite, unhead, rollup, minimatch, picomatch, flatted, immutable, lodash, undici, svgo, brace-expansion, path-to-regexp, yaml, markdown-it, qs, ajv)
- serialize-javascript override to ^7.0.5 for remaining 4

Closes #204, #208, #210, #213, #215, #216
Pull request overview
Consolidates multiple Dependabot updates into a single PR to address npm security advisories and refresh CI/Docker dependencies across the app and API components.
Changes:
- Bump Mailpit dev image tag and R base image version (4.5.2 → 4.5.3).
- Update GitHub Actions used for CI and Pages deployment (paths-filter/configure-pages/deploy-pages).
- Update frontend dev dependencies (rollup-plugin-visualizer) and add an npm override to force a patched serialize-javascript.
Reviewed changes
Copilot reviewed 7 out of 8 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| docker-compose.dev.yml | Updates Mailpit image tag for local/dev stack. |
| app/package.json | Updates dev tooling dependency and adds overrides for a security fix. |
| api/Dockerfile | Bumps R base image and updates version references in comments/labels. |
| .github/workflows/gh-pages.yml | Updates Pages-related GitHub Actions versions. |
| .github/workflows/ci.yml | Updates paths-filter action and R setup version in CI jobs. |
Vite 7.x introduced host security that blocks requests from unrecognized hosts (connection reset). Add `allowedHosts: true` to `vite.config.ts` for Docker dev server. Also add Host(`127.0.0.1`) to Traefik router rules in the dev override so requests from the host machine via 127.0.0.1 are routed correctly.
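Added example, not code from this PR or from Vite itself: a simplified model of the Host-header check that Vite's `server.allowedHosts` option controls, written to show why `allowedHosts: true` (the setting this commit adds, repeated under the Summary's dev environment fixes) accepts every host, and how an explicit list keeps the check while still admitting the Docker/Traefik hostnames. The semantics follow Vite's documented behaviour as I understand it (localhost, `.localhost` domains and IP literals always pass; a leading `.` allows a domain and its subdomains); `frontend` and `.dev.example.test` are assumed names for this dev stack.

```typescript
// Simplified model of a Host-header allow-list (illustration only, not Vite's source).
export type AllowedHosts = true | string[];

const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

/** Return the hostname part of a Host header; bracketed IPv6 keeps its address. */
export function hostnameOf(hostHeader: string): string {
  const h = hostHeader.trim().toLowerCase();
  const v6 = /^\[([^\]]+)\](?::\d+)?$/.exec(h);
  if (v6) return v6[1];                           // e.g. "[::1]:5173" -> "::1"
  const colon = h.indexOf(":");
  return colon === -1 ? h : h.slice(0, colon);    // "frontend:5173" -> "frontend"
}

/** Decide whether a request's Host header is acceptable under the configured list. */
export function isAllowedHost(hostHeader: string, allowed: AllowedHosts): boolean {
  if (allowed === true) return true;              // `allowedHosts: true`: no check at all
  const host = hostnameOf(hostHeader);
  if (host === "") return false;
  // Always-allowed defaults (assumed, per Vite docs): localhost, *.localhost, IP literals.
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (IPV4.test(host) || host.includes(":")) return true;
  for (const entry of allowed) {
    const e = entry.toLowerCase();
    if (e.startsWith(".")) {
      // ".dev.example.test" admits "dev.example.test" and every subdomain of it
      if (host === e.slice(1) || host.endsWith(e)) return true;
    } else if (host === e) {
      return true;
    }
  }
  return false;
}

// Assumed dev-stack names (constructed for this example): the Docker service name the
// Traefik proxy uses to reach the Vite container, plus a wildcard dev domain.
export const DEV_ALLOWED_HOSTS: string[] = ["frontend", ".dev.example.test"];
```

With the explicit list, `127.0.0.1` from the host machine and `frontend` from the proxy still pass, while an arbitrary external hostname is rejected.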
Keep renv.lock R version in sync with Dockerfile and CI workflow after the rocker/r-ver 4.5.2 → 4.5.3 bump.
Summary
npm audit)

Docker images
- rocker/r-ver
- axllent/mailpit

GitHub Actions
- dorny/paths-filter
- actions/configure-pages
- actions/deploy-pages

npm dependencies
- rollup-plugin-visualizer
- serialize-javascript

Plus `npm audit fix` resolved 22 transitive vulnerabilities across: dompurify, vite, unhead, rollup, minimatch, picomatch, flatted, immutable, lodash/lodash-es, undici, svgo, brace-expansion, path-to-regexp, yaml, markdown-it, qs, ajv.

Dev environment fixes
- `vite.config.ts`: Added `allowedHosts: true` — Vite 7.x host security blocks Docker proxy requests
- `docker-compose.override.yml`: Added `Host(127.0.0.1)` to Traefik router rules for host machine access
- `api/renv.lock`: Updated R version to 4.5.3 for consistency with Dockerfile and CI

Security alerts addressed
All 41 Dependabot security alerts (22 high, 17 moderate, 2 low) should be resolved by this PR.
TODO
- `serialize-javascript` override from `app/package.json` once `vite-plugin-pwa` updates its dependency chain (`workbox-build` → `@rollup/plugin-terser` → `serialize-javascript >=7.0.5`)

Closes #204, #208, #210, #213, #215, #216
Test plan
- `npm run lint` — passes
- `npm run type-check` — passes
- `npm run format:check` — passes
- `npm run test:unit` — 244/244 tests pass
- `npm audit` — 0 vulnerabilities