Skip to content

fix: remediate Dependabot security alerts (2026-06-02)#360

Closed
typeagent-bot[bot] wants to merge 3 commits into
mainfrom
automated/fix-dependabot-alerts-20260602-3
Closed

fix: remediate Dependabot security alerts (2026-06-02)#360
typeagent-bot[bot] wants to merge 3 commits into
mainfrom
automated/fix-dependabot-alerts-20260602-3

Conversation

@typeagent-bot
Copy link
Copy Markdown
Contributor

@typeagent-bot typeagent-bot Bot commented Jun 2, 2026

Automated Dependabot Alert Remediation

This PR was generated by the fix-dependabot-alerts workflow.
Each fix was applied individually and verified against npm ci, npm run build, and npm test before inclusion.

Summary

  • **Applied (1):**minimatch
  • Applied via root overrides: (none)
  • Rolled back (0): (none)
  • **Unfixable via lockfile bump / overrides (3):**qs @tootallnate/once tar
  • Skipped (recent rollback cooldown, 0): (none)

Packages marked Unfixable require a parent-package upgrade — the advisory's safe version is outside every direct parent's declared semver range, and a root overrides entry was either silently ignored by npm or would force an incompatible version. Triage manually.

Packages added under overrides are tracked technical debt — npm will hold them at the pinned version until the entry is removed, which may mask future upstream regressions. Remove the override once a parent has shipped a compatible release.

How this works

  1. Reads open Dependabot alerts via the REST API.
  2. For each alert, attempts in order: npm update <pkg> --package-lock-only, then root overrides entry.
  3. Verifies every resolved instance in package-lock.json is ≥ the advisory's first_patched_version.
  4. Runs npm ci, npm run build, and npm test; rolls back on failure and records a 7-day cooldown.
  5. Only fixes that pass all phases land in this PR.

Review checklist

  • Verify no unrelated lockfile churn
  • Investigate any newly-rolled-back packages separately
  • If overrides were added, confirm the pinned version is acceptable policy

TalZaccai and others added 3 commits June 2, 2026 12:08
@TalZaccai
diag: print App token permissions before git push (TEMP)
e3c1763 
Add a temporary diagnostic step that prints what the refreshed App
token can see on the repo, the install's repo selection, and a
git/refs read probe, so we can see exactly why git push 403s.

To be reverted once the underlying permission/install issue is fixed.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@TalZaccai
ci(security): push with default GITHUB_TOKEN, not App token
f355a97 
Match the TypeAgent workflow pattern: keep persist-credentials: false
on checkout (so the token isn't reachable from npm scripts during the
verify phase), but at the very end of the job re-inject the workflow's
own GITHUB_TOKEN (already scoped to contents:write at the workflow
level) for the git push.

The App token is now used only where it must be — gh api dependabot/
alerts (which the default token can't reach) and gh pr create (so the
PR identity is the bot, not github-actions). Means the App no longer
needs Contents permission at all.

Also removes the temporary diagnostic step that confirmed the
permission issue.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions
fix: remediate Dependabot security alerts
73e1c97 
Automated by fix-dependabot-alerts workflow.

Applied:minimatch
Rolled back:
Unfixable: 3 package(s)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
@TalZaccai TalZaccai mentioned this pull request Jun 2, 2026
Merged
@TalZaccai
Copy link
Copy Markdown
Contributor

TalZaccai commented Jun 2, 2026

Closing — this PR was created by a manual workflow_dispatch run on a temporary diag branch (dev/talzacc/diag-app-token) that carried both the legitimate minimatch lockfile fix AND the workflow auth-pattern change from #361. The mixed diff isn't suitable for merge.

After #361 lands, the next scheduled run (or manual trigger from main) will produce a clean PR containing only the package-lock.json minimatch patch.

@TalZaccai TalZaccai closed this Jun 2, 2026
@TalZaccai TalZaccai deleted the automated/fix-dependabot-alerts-20260602-3 branch June 2, 2026 19:35
TalZaccai added a commit that referenced this pull request Jun 2, 2026
@TalZaccai
ci(security): push with default GITHUB_TOKEN, not App token (#361)
d3acad1 
The fix-dependabot-alerts workflow was using the GitHub App token for
git push, which required granting the App `Contents: write` at the
installation level. That permission wasn't (and didn't need to be)
granted, causing the scheduled run to 403 at `git push` with
'Permission to microsoft/TypeChat.git denied to typeagent-bot[bot]'.

Match the TypeAgent workflow pattern instead: keep
`persist-credentials: false` on checkout (so the token isn't reachable
from untrusted `npm` scripts during the verify phase), but at the very
end of the job re-inject the workflow's own GITHUB_TOKEN — already
scoped to `contents: write` via the workflow-level `permissions:`
block — for the git push.

The App token is now used only where it must be:
- `gh api dependabot/alerts` (the default GITHUB_TOKEN can't reach
  this endpoint)
- `gh pr create` / labels / closing superseded PRs (so the PR
  identity is the bot, not github-actions)

Verified end-to-end: a manual workflow_dispatch run against a temp
branch passed git push and opened #360.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@TalZaccai