chore: fix 3 moderate CVEs via dep updates (2026-07-03)#5856
Conversation
Pull request overview
Updates dev-only dependencies to remediate three moderate security advisories reported by npm audit (including markdownlint-cli2 and TypeScript ESLint toolchain updates), aiming to bring the audit report to 0 vulnerabilities.
Changes:
- Bump `markdownlint-cli2` to `^0.23.0` (pulling in newer `markdown-it`, `js-yaml`, and related deps).
- Patch-bump `@typescript-eslint/{eslint-plugin,parser}` and `typescript-eslint` to `^8.62.1`.
- Refresh `package-lock.json` per `npm audit fix`, updating transitive dependency versions.
| File | Description |
|---|---|
| package.json | Updates devDependencies for markdown linting and TypeScript ESLint tooling to address reported CVEs. |
| package-lock.json | Locks the new dependency graph, including updated transitive packages from audit remediation. |
Review details
- Files reviewed: 1/2 changed files
- Comments generated: 1
- Review effort level: Low
| "husky": "^9.1.7", | ||
| "jest": "^30.4.2", | ||
| "markdownlint-cli2": "^0.21.0", | ||
| "markdownlint-cli2": "^0.23.0", | ||
| "ts-jest": "^29.4.11", | ||
| "typescript": "^5.9.3", | ||
| "typescript-eslint": "^8.62.0" | ||
| "typescript-eslint": "^8.62.1" |
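Review bot: the caret ranges in this hunk (`^0.23.0`, `^8.62.1`) only set a floor, so the remediation actually lives in the refreshed package-lock.json; make sure CI installs with `npm ci` (lock-authoritative) rather than `npm install`, or the audit result can drift on a later install. The overview also lists bumps of `@typescript-eslint/eslint-plugin` and `@typescript-eslint/parser` that do not appear in this excerpt, so double-check they landed in the same file. Finally, `markdownlint-cli2` `^0.21.0` to `^0.23.0` is a two-minor jump in a linter; confirm the markdown lint job still passes, or that any new default rules are deliberately adopted, before merging.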
⏳ Copilot review left inline comments. @copilot To proceed:
✅ Copilot review passed with no inline comments. @copilot Add the
✅ Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓
📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅
✅ Contribution Check completed successfully!
✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟
✅ Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓
Chroot tests failed: Smoke Chroot failed - See logs for details.
✅ Smoke Claude passed
🔌 Smoke Services: All services reachable! ✅
🔑 Smoke Copilot PAT: PAT auth validated. All systems operational. ✅
✅ Smoke Copilot BYOK AOAI (api-key) completed. Copilot AOAI BYOK (api-key) mode operational. 🔓
✅ Build Test Suite completed successfully!
✅ Smoke Gemini completed. All facets verified. 💎
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤
🚀 Security Guard has started processing this pull request
Smoke Test: Copilot BYOK (Direct) Mode
Status: PASS ✅ Running in direct BYOK mode via
Mode: Direct BYOK (COPILOT_PROVIDER_API_KEY) - sibling workflow covers COPILOT_GITHUB_TOKEN path

Warning: the firewall blocked 1 domain during workflow execution (`awmgmcpg`). Suggested network configuration:

```yaml
network:
  allowed:
    - defaults
    - "awmgmcpg"
```

See Network Configuration for more information.
Smoke Test: Services Connectivity
Overall: FAIL

Warning: the firewall blocked 1 domain during workflow execution (`awmgmcpg`); the suggested `network.allowed` entry is the same as in the first smoke-test comment above. See Network Configuration for more information.
Smoke Test: PAT Auth
Overall: PASS, core connectivity confirmed.

Warning: the firewall blocked 1 domain during workflow execution (`awmgmcpg`); the suggested `network.allowed` entry is the same as in the first smoke-test comment above. See Network Configuration for more information.
Thanks for the dependency cleanup. One contribution-guideline issue to address before this is ready:

No tests or docs changes seem required for the dependency-only security update otherwise.

Warning: the firewall blocked 1 domain during workflow execution (`awmgmcpg`); the suggested `network.allowed` entry is the same as in the first smoke-test comment above. See Network Configuration for more information.
Warning: the firewall blocked 1 domain during workflow execution (`awmgmcpg`); the suggested `network.allowed` entry is the same as in the first smoke-test comment above. See Network Configuration for more information.
🔍 Smoke Test Results
Overall: cc

Warning: the firewall blocked 1 domain during workflow execution (`awmgmcpg`); the suggested `network.allowed` entry is the same as in the first smoke-test comment above. See Network Configuration for more information.
Smoke Test: Claude Engine Validation
Overall result: PASS

Warning: the firewall blocked 1 domain during workflow execution (`awmgmcpg`); the suggested `network.allowed` entry is the same as in the first smoke-test comment above. See Network Configuration for more information.
Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw)
Overall: PASS

Warning: the firewall blocked 1 domain during workflow execution (`awmgmcpg`); the suggested `network.allowed` entry is the same as in the first smoke-test comment above. See Network Configuration for more information.
Smoke test summary:

Warning: the firewall blocked 2 domains during workflow execution (`awmgmcpg`, `registry.npmjs.org`). Suggested network configuration:

```yaml
network:
  allowed:
    - defaults
    - "awmgmcpg"
    - "registry.npmjs.org"
```

See Network Configuration for more information.
Smoke test results: ❌ (Connectivity/MCP), ✅ (File/Bash). Overall: FAIL.

Warning: the firewall blocked 1 domain during workflow execution (`localhost`). Suggested network configuration:

```yaml
network:
  allowed:
    - defaults
    - "localhost"
```

See Network Configuration for more information.
🏗️ Build Test Suite Results
Overall: 8/8 ecosystems passed, ✅ PASS

Warning: the firewall blocked 1 domain during workflow execution (`awmgmcpg`); the suggested `network.allowed` entry is the same as in the first smoke-test comment above. See Network Configuration for more information.
Smoke Test: API Proxy OpenTelemetry Tracing
Result: All scenarios pass or are expected-pending during development. The OTEL module is fully implemented and tested; the remaining gap (env var passthrough in

Warning: the firewall blocked 1 domain during workflow execution (`awmgmcpg`); the suggested `network.allowed` entry is the same as in the first smoke-test comment above. See Network Configuration for more information.
Resolves 3 moderate severity vulnerabilities (GHSA-h67p-54hq-rp68, GHSA-6v5v-wf23-fmfq, and a transitive `js-yaml` issue), all in dev-only toolchain dependencies.

Dependency updates
- `markdownlint-cli2`: `^0.21.0` → `^0.23.0`; pulls in patched `js-yaml` ≥ 4.1.2 and `markdown-it` ≥ 14.1.2, fixing both MODERATE CVEs
- `@typescript-eslint/{eslint-plugin,parser}` + `typescript-eslint`: `^8.62.0` → `^8.62.1`; patch bump
- `js-yaml` transitive via `@istanbuljs/load-nyc-config`; resolved via `npm audit fix`

`npm audit` now reports 0 vulnerabilities. All affected packages are dev-only with no production firewall impact.
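Because caret ranges in package.json only set a floor, the lockfile is what proves the remediation landed, and a stale copy can survive nested under another package (the `@istanbuljs/load-nyc-config` case above). The following check, added here as an example and not part of this PR, walks a lockfileVersion 2/3 `package-lock.json` and flags every install of `js-yaml` or `markdown-it` below the patched minimums named in the description; the sample lock is constructed for illustration.

```python
"""Flag lockfile entries older than the patched minimums from the PR description.

Hypothetical helper (not part of this PR). Handles lockfileVersion 2/3
("packages" map); v1 lockfiles use a "dependencies" tree and are not covered.
"""
import json
from typing import Dict, List, Tuple

# Minimum patched versions quoted in the PR description.
MIN_PATCHED: Dict[str, Tuple[int, ...]] = {
    "js-yaml": (4, 1, 2),
    "markdown-it": (14, 1, 2),
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '14.1.2' (or '14.1.2-beta.1') into a comparable tuple of ints."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) for p in core.split("."))


def package_name(path: str) -> str:
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b'."""
    return path.rsplit("node_modules/", 1)[-1]


def find_vulnerable(lock: dict) -> List[Tuple[str, str]]:
    """Return (lock path, version) for each watched package below its minimum.

    Nested copies (node_modules/x/node_modules/js-yaml) are checked too, since
    npm audit reports on every instance in the tree, not only the top-level one.
    """
    hits: List[Tuple[str, str]] = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name, version = package_name(path), meta.get("version")
        if name in MIN_PATCHED and version and parse_version(version) < MIN_PATCHED[name]:
            hits.append((path, version))
    return hits


# Constructed sample lock: patched top-level copies plus one stale nested js-yaml.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo", "version": "1.0.0"},
        "node_modules/js-yaml": {"version": "4.1.2"},
        "node_modules/markdown-it": {"version": "14.1.2"},
        "node_modules/@istanbuljs/load-nyc-config": {"version": "1.0.0"},
        "node_modules/@istanbuljs/load-nyc-config/node_modules/js-yaml": {"version": "3.14.1"},
    },
}

if __name__ == "__main__":
    for path, version in find_vulnerable(SAMPLE_LOCK):
        print(f"stale: {path}@{version}")
```

To run it against the real lockfile, replace `SAMPLE_LOCK` with `json.load(open("package-lock.json"))`; a non-empty result means `npm audit fix` left a stale nested copy behind.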