
fix(deps): Resolve Dependabot security alerts #17998

Open: sfanahata wants to merge 1 commit into master from fix/dependabot-alerts-batch

Conversation

sfanahata (Contributor) commented Jun 2, 2026

DESCRIBE YOUR PR

Resolves all open Dependabot security alerts that can be addressed via dependency updates. Supersedes #17699 (which is 177 commits behind master and has merge conflicts).

High-severity alerts fixed (4):

Medium-severity alerts fixed (18):

Cleanup:

  • Removed @types/dompurify from devDependencies and pnpm overrides — dompurify 3.x ships its own TypeScript definitions, and @types/dompurify is officially deprecated as a stub

Override justifications:

| Override | Why not a direct bump? |
| --- | --- |
| dompurify: 3.4.0 | mermaid and @sentry-internal/global-search pull it transitively |
| fast-xml-parser: ^5.7.0 | @google-cloud/storage depends on old version |
| postcss: ^8.5.10 | Next.js 15.5.18 bundles postcss 8.4.31 internally |
| uuid: ^11.1.1 | No 8.x/9.x patch exists; uuid 11.x is API-compatible; 3 of 4 consumers already dropped uuid in their latest releases |

Alerts from PR 17699 already fixed on master (skipped):

  • Dependabot alerts 285, 286 (lodash-es) — fixed via mermaid 11.15.0 bump
  • Dependabot alert 290 (next) — fixed via PR 17676
  • Dependabot alerts 304, 305 (fast-uri) — already resolved

IS YOUR CHANGE URGENT?

  • None: Not urgent, can wait up to 1 week+

PRE-MERGE CHECKLIST

  • Checked Vercel preview for correctness, including links
  • PR was reviewed and approved by any necessary SMEs (subject matter experts)
  • PR was reviewed and approved by a member of the Sentry docs team

Bump direct dependencies:
- dompurify: 3.3.2 -> 3.4.0 (8 medium alerts: #291-#298)
- js-cookie: ^3.0.5 -> ^3.0.7 (1 high alert: #325)

Update pnpm overrides for transitive dependencies:
- dompurify: 3.3.2 -> 3.4.0 (force transitive consumers to patched version)
- fast-xml-parser: ^5.5.7 -> ^5.7.0 (1 high: #303, 1 medium: #300)
- postcss: add ^8.5.10 override (1 medium: #301, next.js bundles 8.4.31)
- uuid: add ^11.1.1 override (1 medium: #324, no 9.x/8.x patch exists)

Lockfile updates via pnpm update:
- vite: 7.3.1 -> 7.3.5 (2 high: #287-#288, 1 medium: #289)
- picomatch: 2.3.1 -> 2.3.2, 4.0.3 -> 4.0.4 (2 high: #279-#280, 2 medium: #281-#282)
- brace-expansion: 2.0.2 -> 2.1.1 (1 medium: #284)
- yaml: 1.10.2 -> 1.10.3, 2.8.2 -> 2.9.0 (2 medium: #277-#278)

Cleanup:
- Remove @types/dompurify from devDependencies and overrides
  (dompurify 3.x ships its own types; @types/dompurify is deprecated)
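Overrides only help if the regenerated lockfile really stops resolving the old versions for the transitive consumers listed above (mermaid, @google-cloud/storage, the Next.js-bundled postcss). The script below is an added example, not code from the sentry-docs repository or from this PR: it scans a `pnpm-lock.yaml` for package entries still below the minimum versions the PR establishes and reports them. The lockfile excerpt is constructed for illustration and assumes the lockfileVersion 9 layout (`  name@version:` keys under `packages:`, optionally followed by a peer-dependency suffix in parentheses); the `sha512-PLACEHOLDER` integrity values are placeholders, and the version minimums are taken from the PR description.

```javascript
// Added example (not from the sentry-docs project): confirm that no package in
// pnpm-lock.yaml still resolves below the minimum versions the overrides enforce.

// Minimum versions taken from the PR description above.
const MINIMUMS = {
  "dompurify": "3.4.0",
  "fast-xml-parser": "5.7.0",
  "postcss": "8.5.10",
  "uuid": "11.1.1",
  "vite": "7.3.5",
};

// Constructed lockfile excerpt (lockfileVersion 9 style is an assumption).
// It deliberately still contains a stale dompurify and postcss entry, which is
// what an incomplete override or a stale lockfile would look like.
const SAMPLE_LOCK = `
lockfileVersion: '9.0'

packages:

  dompurify@3.3.2:
    resolution: {integrity: sha512-PLACEHOLDER}

  dompurify@3.4.0:
    resolution: {integrity: sha512-PLACEHOLDER}

  postcss@8.4.31:
    resolution: {integrity: sha512-PLACEHOLDER}

  postcss@8.5.10:
    resolution: {integrity: sha512-PLACEHOLDER}

  vite@7.3.5(@types/node@22.0.0):
    resolution: {integrity: sha512-PLACEHOLDER}

  uuid@11.1.1:
    resolution: {integrity: sha512-PLACEHOLDER}
`;

// Compare two plain MAJOR.MINOR.PATCH strings: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Collect every version each package resolves to in the lockfile.
// Matches lines such as "  vite@7.3.5(@types/node@22.0.0):" and "  @scope/pkg@1.2.3:";
// deeper-indented lines (resolution, dependencies) do not match.
function resolvedVersions(lockText) {
  const out = new Map();
  const re = /^  (@?[^\s@]+)@(\d+\.\d+\.\d+)/gm;
  let m;
  while ((m = re.exec(lockText)) !== null) {
    const [, name, version] = m;
    if (!out.has(name)) out.set(name, new Set());
    out.get(name).add(version);
  }
  return out;
}

// Return one entry per (package, version) that is still below its minimum.
function findBelowMinimum(lockText, minimums = MINIMUMS) {
  const resolved = resolvedVersions(lockText);
  const violations = [];
  for (const [name, minimum] of Object.entries(minimums)) {
    for (const version of resolved.get(name) ?? []) {
      if (compareVersions(version, minimum) < 0) {
        violations.push({ name, version, minimum });
      }
    }
  }
  return violations;
}

// Stand-alone run: report what the constructed excerpt still resolves too low.
for (const v of findBelowMinimum(SAMPLE_LOCK)) {
  console.log(`${v.name}@${v.version} is below the required ${v.minimum}`);
}
```

Against a real checkout you would read `pnpm-lock.yaml` with `fs.readFileSync` and pass its contents to `findBelowMinimum`; a non-empty result after `pnpm install` means some consumer is still pinned to an old version and the override or lockfile needs another look. The comparison is intentionally limited to plain `MAJOR.MINOR.PATCH` versions; pre-release tags are not handled.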
@sfanahata sfanahata requested review from chargome and sergical June 2, 2026 19:53
vercel bot commented Jun 2, 2026

| Project | Deployment | Updated (UTC) |
| --- | --- | --- |
| develop-docs | Ready | Jun 2, 2026 7:53pm |
| sentry-docs | Ready | Jun 2, 2026 7:53pm |
