Fix dependabot security vulnerabilities in npm dependencies#233
Conversation
…, override undici Co-authored-by: lcollins <528874+lcollins@users.noreply.github.com>
Pull request overview
This PR addresses 9 security vulnerabilities (1 high, 8 moderate) in npm dependencies, primarily ReDoS and undici decompression chain issues. The changes are limited to dependency version bumps, an npm override, and a minor TypeScript config adjustment needed by the new dependency types.
Changes:
- Bumped `@actions/github` from `^6.0.0` to `^8.0.0` and `@octokit/rest` from `latest` to `^22.0.1` to fix known CVEs in transitive dependencies.
- Added `overrides: { "undici": ">=6.23.0" }` to force a safe undici version for the `@actions/core → @actions/http-client → undici` chain.
- Added `"lib": ["ES2022"]` to `tsconfig.json` to support the `ErrorOptions` type referenced by `@octokit/request-error` v7.
Reviewed changes
Copilot reviewed 1 out of 6 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| package.json | Bumped @actions/github and @octokit/rest versions; added undici override |
| package-lock.json | Updated lockfile reflecting all transitive dependency changes |
| tsconfig.json | Added "lib": ["ES2022"] for ES2022 type definitions |
| dist/licenses.txt | Updated bundled licenses: removed @fastify/busboy, deprecation, once, wrappy; added fast-content-type-parse, json-with-bigint |
| "unescape": "latest" | ||
| }, | ||
| "overrides": { | ||
| "undici": ">=6.23.0" |
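Review bot: the new `"undici": ">=6.23.0"` override applies to every copy of undici in the tree, not only the `@actions/core → @actions/http-client` chain it targets, so confirm in the `package-lock.json` diff that no 5.x copy of undici survives anywhere (`npm ls undici` after a clean install should list a single 6.x/7.x version) and that `@actions/github` v8's own `^6.23.0` requirement is still met by the forced version. Since JSON cannot carry a comment, record in the PR or changelog why the override exists so it can be dropped once the `@actions/core` 1.x line moves off undici 5.x.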
The unbounded override "undici": ">=6.23.0" resolves to v7.22.0 in the current lockfile, which is fine. However, the open-ended >= range means a future npm install (without a lockfile) could pull in undici v8+, potentially introducing breaking changes. Consider pinning to a major range like "^6.23.0" or ">=6.23.0 <8" to limit the blast radius to tested major versions. That said, since the lockfile pins v7.22.0 and @actions/github v8 itself depends on ^6.23.0, a narrower override would still be effective.
| "undici": ">=6.23.0" | |
| "undici": ">=6.23.0 <8" |
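Review bot: the two narrower ranges proposed in the comment are not interchangeable. `^6.23.0` excludes the v7.22.0 the lockfile currently resolves to, so adopting it would force a downgrade to 6.x and a lockfile change, whereas `>=6.23.0 <8` keeps the existing resolution and only rules out an untested v8. If the suggestion is taken, regenerate `package-lock.json` in the same commit so `package.json` and the lockfile do not disagree.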
9 vulnerabilities (1 high, 8 moderate) in transitive and direct dependencies, primarily ReDoS and undici decompression chain issues.
Dependency updates
- `@actions/github`: `^6.0.0` → `^8.0.0`. v8 pulls in `@actions/http-client ^3.x`, which uses `undici ^6.23.0`, fixing the unbounded decompression chain CVE. v9 was skipped: it's ESM-only and incompatible with this project's CommonJS output.
- `@octokit/rest`: `latest` (resolved `20.1.1`) → `^22.0.1`. Fixes ReDoS in `@octokit/plugin-paginate-rest` (GHSA-h5c3-5r3r-rr8q).
- `overrides: { "undici": ">=6.23.0" }`: forces a safe undici version for the `@actions/core → @actions/http-client → undici` chain, which remains on v5.x in the 1.x release line.

TypeScript config

Added `"lib": ["ES2022"]` to `tsconfig.json`: `@octokit/request-error` v7 (pulled in by `@actions/github` v8) references `ErrorOptions`, introduced in ES2022. Output target remains ES6.
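A reviewer would want to confirm that the override actually reached every transitive copy of undici rather than trust the range alone. The following is an added example, not code from this PR or from the repository: a small Node script that walks a lockfile's `packages` map (lockfileVersion 2 or 3), collects every resolved copy of a named package, and reports the copies that fail a minimum-version range. The range evaluator handles only the forms discussed in this PR (`>=X.Y.Z`, `<N`, `^X.Y.Z`) and is not a full semver implementation; the embedded lockfile is constructed for the demonstration and deliberately contains one nested undici 5.28.4 that an override failed to replace.

```javascript
// Added example (not part of the PR or the repository): audit a package-lock.json
// for every resolved copy of a package and check each against a version range,
// the way you'd verify that an npm "overrides" entry took effect on all paths.
// Uses only Node built-ins; the lockfile below is a constructed sample.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Minimal range evaluator for the shapes used in this PR's override discussion:
// ">=6.23.0", ">=6.23.0 <8", "^6.23.0". Space-separated clauses are ANDed.
function satisfies(version, range) {
  const clauses = range.trim().split(/\s+/);
  return clauses.every((clause) => {
    let m;
    if ((m = /^\^(\d+)\.(\d+)\.(\d+)$/.exec(clause))) {
      // ^X.Y.Z (X > 0): same major, and at least X.Y.Z
      const [major, minor, patch] = m.slice(1).map(Number);
      return (
        parseVersion(version)[0] === major &&
        compareVersions(version, `${major}.${minor}.${patch}`) >= 0
      );
    }
    if ((m = /^(>=|<)(\d+)(?:\.(\d+))?(?:\.(\d+))?$/.exec(clause))) {
      // ">=N[.M[.P]]" or "<N[.M[.P]]"; missing components default to 0
      const bound = `${m[2]}.${m[3] ?? 0}.${m[4] ?? 0}`;
      const cmp = compareVersions(version, bound);
      return m[1] === ">=" ? cmp >= 0 : cmp < 0;
    }
    throw new Error(`unsupported range clause: ${clause}`);
  });
}

// Keys in "packages" look like "node_modules/a/node_modules/undici".
// Matching on the "node_modules/<name>" suffix avoids false hits on
// similarly named packages such as undici-types.
function findPackageVersions(lock, name) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    if (path.endsWith(`node_modules/${name}`)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Return every resolved copy of `name` that does NOT satisfy `range`.
function auditLock(lock, name, range) {
  return findPackageVersions(lock, name).filter((h) => !satisfies(h.version, range));
}

// Constructed sample lockfile: the top-level undici was overridden to 7.22.0,
// but a nested copy under @actions/core is still on the vulnerable 5.x line.
const sampleLock = {
  name: "example-action",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-action", dependencies: { "@actions/github": "^8.0.0" } },
    "node_modules/undici": { version: "7.22.0" },
    "node_modules/undici-types": { version: "6.19.8" },
    "node_modules/@actions/core/node_modules/undici": { version: "5.28.4" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lockPath = process.argv[2]; // optional: a real package-lock.json
  const lock = lockPath ? JSON.parse(fs.readFileSync(lockPath, "utf8")) : sampleLock;
  const offenders = auditLock(lock, "undici", ">=6.23.0");
  for (const o of offenders) {
    console.log(`override not applied: ${o.path} resolves to ${o.version}`);
  }
  if (lockPath) process.exitCode = offenders.length ? 1 : 0;
}
```

Run it as `node audit-override.js path/to/package-lock.json` to check a real lockfile (non-zero exit if any copy fails the range); with no argument it uses the constructed sample and reports the nested 5.28.4 copy. The same `auditLock` call with `">=6.23.0 <8"` or `"^6.23.0"` shows why the two narrower ranges in the review comment differ: the first still accepts the 7.22.0 the lockfile resolves to, the second does not.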