
Cherry-pick dependency updates from main to dev#1734

Merged: badrishc merged 3 commits into dev from badrishc/cherry-pick-deps-to-dev on Apr 24, 2026

Conversation

@badrishc (Collaborator)

Summary

Cherry-picks dependabot/security dependency updates from main that were missing on dev.

Included updates

PR     Description
#1659  Bump the nuget-deps group with 14 updates (Directory.Packages.props)
#1705  Bump follow-redirects from 1.15.11 to 1.16.0 in /website (yarn.lock)

Already on dev (skipped)

PR     Reason
#1629  undici — dev already has 7.24.7 (newer than main's 7.24.1)
#1634  dompurify override — dev already has 3.3.3 in package.json
#1636  dompurify yarn.lock fix — dev already has 3.3.3 in yarn.lock
#1733  Fix 5 open Dependabot npm alerts — will be applied after it merges to main

dependabot Bot and others added 2 commits April 24, 2026 09:07
* Bump the nuget-deps group with 14 updates

Bumps diskann-garnet from 1.0.23 to 1.0.25
Bumps Microsoft.CodeAnalysis from 5.0.0 to 5.3.0
Bumps Microsoft.Extensions.Configuration.Binder from 10.0.3 to 10.0.5
Bumps Microsoft.Extensions.Configuration.Json from 10.0.3 to 10.0.5
Bumps Microsoft.Extensions.Logging from 10.0.3 to 10.0.5
Bumps Microsoft.Extensions.Logging.Configuration from 10.0.3 to 10.0.5
Bumps Microsoft.Extensions.Logging.Console from 10.0.3 to 10.0.5
Bumps Microsoft.IdentityModel.Protocols.OpenIdConnect from 8.16.0 to 8.17.0
Bumps Microsoft.IdentityModel.Validators from 8.16.0 to 8.17.0
Bumps NUnit from 4.5.0 to 4.5.1
Bumps NUnit3TestAdapter from 6.1.0 to 6.2.0
Bumps StackExchange.Redis from 2.11.8 to 2.12.8
Bumps System.IdentityModel.Tokens.Jwt from 8.16.0 to 8.17.0
Bumps System.Numerics.Tensors from 10.0.3 to 10.0.5

---
updated-dependencies:
- dependency-name: diskann-garnet
  dependency-version: 1.0.25
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: nuget-deps
- dependency-name: Microsoft.CodeAnalysis
  dependency-version: 5.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nuget-deps
- dependency-name: Microsoft.Extensions.Configuration.Binder
  dependency-version: 10.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: nuget-deps
- dependency-name: Microsoft.Extensions.Configuration.Json
  dependency-version: 10.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: nuget-deps
- dependency-name: Microsoft.Extensions.Logging
  dependency-version: 10.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: nuget-deps
- dependency-name: Microsoft.Extensions.Logging.Configuration
  dependency-version: 10.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: nuget-deps
- dependency-name: Microsoft.Extensions.Logging.Console
  dependency-version: 10.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: nuget-deps
- dependency-name: Microsoft.IdentityModel.Protocols.OpenIdConnect
  dependency-version: 8.17.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nuget-deps
- dependency-name: System.IdentityModel.Tokens.Jwt
  dependency-version: 8.17.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nuget-deps
- dependency-name: Microsoft.IdentityModel.Validators
  dependency-version: 8.17.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nuget-deps
- dependency-name: NUnit
  dependency-version: 4.5.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: nuget-deps
- dependency-name: NUnit3TestAdapter
  dependency-version: 6.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nuget-deps
- dependency-name: StackExchange.Redis
  dependency-version: 2.12.8
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nuget-deps
- dependency-name: System.Numerics.Tensors
  dependency-version: 10.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: nuget-deps
...

Signed-off-by: dependabot[bot] <support@github.com>

* Update other required dependencies

Signed-off-by: Tiago Napoli <tiagonapoli@microsoft.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Tiago Napoli <tiagonapoli@microsoft.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Tiago Napoli <tiagonapoli@microsoft.com>

Cherry-pick of dependabot security update from main.

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 24, 2026 16:08
Copilot AI (Contributor) left a comment


Pull request overview

Cherry-picks dependency/security updates from main into dev, aligning both the .NET centralized package versions and the website’s Yarn lockfile with the latest patched versions.

Changes:

  • Updated multiple centrally-managed NuGet package versions in Directory.Packages.props.
  • Bumped follow-redirects to 1.16.0 in website/yarn.lock.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File                      Description
Directory.Packages.props  Updates centrally pinned NuGet package versions (NUnit, Microsoft.Extensions.*, IdentityModel, StackExchange.Redis, etc.).
website/yarn.lock         Updates the locked follow-redirects version to 1.16.0.


Bump dompurify resolution 3.3.3 → 3.4.0 to fix:
  - CVE-2026-41239: SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode
  - CVE-2026-41240: FORBID_TAGS bypassed by function-based ADD_TAGS
  - CVE-2026-41238: Prototype Pollution to XSS Bypass
  - GHSA: ADD_TAGS function form bypasses FORBID_TAGS

Add uuid resolution → 14.0.0 to fix:
  - GHSA: Missing buffer bounds check in v3/v5/v6 when buf is provided

uuid 14.0.0 is ESM-only but Node.js 22+ (required by engines) supports
require() of ESM modules, so CJS consumers like sockjs work correctly.
Verified: yarn build succeeds and docusaurus start launches cleanly.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
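The #1636 entry in the description and the dompurify/uuid commit above rest on the same point: a package.json resolution override only protects the site once yarn.lock actually resolves to the patched version. The following is an added example, not code from this PR or the project; it parses a constructed Yarn v1 lockfile fragment and reports which of the bumped packages still resolve below the fixed versions named on this page (the fragment, the minimum-version table and the helper names are assumptions).

```javascript
// Added example (not the project's code): check that a Yarn v1 lockfile resolves the
// bumped packages to at least their fixed versions; a package.json override alone proves nothing.
// Constructed sample lockfile fragment, not the project's real yarn.lock.
const SAMPLE_LOCK = `
"follow-redirects@^1.15.0":
  version "1.16.0"
dompurify@^3.0.0, dompurify@^3.3.3:
  version "3.3.3"
uuid@^8.3.2:
  version "14.0.0"
`;
// Minimum fixed versions taken from the bumps listed on this page.
const REQUIRED = { 'follow-redirects': '1.16.0', dompurify: '3.4.0', uuid: '14.0.0' };
// Parse a Yarn v1 lockfile into { name: [resolvedVersion, ...] }.
function parseYarnLock(text) {
  const result = {};
  let names = [];
  for (const line of text.split(/\r?\n/)) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      // Header line: comma-separated "name@range" keys, optionally quoted.
      names = line.replace(/:$/, '').split(',').map((k) => {
        const key = k.trim().replace(/^"|"$/g, '');
        return key.slice(0, key.lastIndexOf('@')); // lastIndexOf keeps @scope/pkg intact
      });
      continue;
    }
    const m = line.match(/^\s+version "([^"]+)"/);
    if (m) for (const n of names) (result[n] ||= []).push(m[1]);
  }
  return result;
}

// Numeric dotted-version compare; a pre-release suffix is ignored for this check.
function compareVersions(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split('-')[0].split('.').map(Number));
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}

// Required packages that are absent from the lock or resolve below their fixed version.
function findUnpatched(lockText, required) {
  const lock = parseYarnLock(lockText);
  return Object.keys(required)
    .filter((n) => !lock[n] || lock[n].some((v) => compareVersions(v, required[n]) < 0))
    .sort();
}
```

Run against the real website/yarn.lock, the check should return an empty list once both the follow-redirects and the dompurify/uuid bumps have landed; a non-empty list means the override never reached the lockfile.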
@badrishc badrishc merged commit 17bddec into dev Apr 24, 2026
2 checks passed
@badrishc badrishc deleted the badrishc/cherry-pick-deps-to-dev branch April 24, 2026 16:59