chore: bump dependencies (consolidates Dependabot PRs #45–#52) #53

Merged. ionos-landgraf-vin merged 2 commits into main from chore/bump-dependencies (Apr 16, 2026)

ionos-landgraf-vin (Collaborator) commented Apr 16, 2026

Summary

Consolidates all 8 open Dependabot PRs and fixes a security advisory into a single update.

GitHub Actions

| Action | Old | New | PR |
|---|---|---|---|
| docker/setup-buildx-action | v3 | v4 | Closes #47 |
| docker/build-push-action | v6 | v7 | Closes #50 |
| docker/login-action | v3 | v4 | Closes #49 |
| docker/metadata-action | v5 | v6 | Closes #48 |
| azure/setup-helm | v4 | v5 | Closes #46 |

Ruby gems

| Package | Old | New | Notes |
|---|---|---|---|
| json | 2.18.0 | 2.19.3 | Security fix: CVE-2026-33210 format string injection (GHSA-3m6g-2423-7cp3) |

npm packages (/frontend)

| Package | Old | New | PR |
|---|---|---|---|
| dompurify | 3.3.2 | 3.4.0 | Security: prototype pollution / mXSS fixes — Closes #52 |
| vite | 7.3.1 | 7.3.2 | Closes #51 |
| picomatch | 4.0.3 | 4.0.4 | Closes #45 |

Test plan

  • CI passes (test, lint, typecheck, security, build-container jobs)
  • bundle-audit check reports no vulnerabilities
  • No functional code changes — version strings only

ionos-landgraf-vin and others added 2 commits April 16, 2026 11:49
Bumps GitHub Actions:
- docker/setup-buildx-action v3 → v4 (#47)
- docker/build-push-action v6 → v7 (#50)
- docker/login-action v3 → v4 (#49)
- docker/metadata-action v5 → v6 (#48)
- azure/setup-helm v4 → v5 (#46)

Bumps npm packages in /frontend:
- dompurify 3.3.2 → 3.4.0 — security: prototype pollution / mXSS fixes (#52)
- vite 7.3.1 → 7.3.2 (#51)
- picomatch 4.0.3 → 4.0.4 (#45)

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
ionos-landgraf-vin merged commit 5434e92 into main Apr 16, 2026
8 checks passed
ionos-landgraf-vin deleted the chore/bump-dependencies branch April 16, 2026 09:52
ionos-landgraf-vin restored the chore/bump-dependencies branch April 16, 2026 13:25
ionos-landgraf-vin deleted the chore/bump-dependencies branch April 16, 2026 13:54