[FIX] dependabot vulnerability issues #3575
Merged
Pull request overview
This PR addresses security vulnerabilities in dependencies by updating three key packages: PostCSS, tmp, and qs. The changes also include a major version update to @cucumber/cucumber (v10 to v12) and various transitive dependency updates reflected in the package-lock.json.
Changes:
- Updated `qs` from `^6.14.1` to `^6.14.2` (resolves to 6.15.0) to fix denial of service vulnerability
- Updated `postcss` from `^8.4.36` to `8.4.49` (pinned version) to fix line return parsing error
- Added override for `tmp` at `^0.2.4` (resolves to 0.2.5) to fix arbitrary file/directory write vulnerability
- Updated `@cucumber/cucumber` from `^10.3.1` to `12.6.0` (major version bump with pinned version)
- Updated package-lock.json with all transitive dependency changes
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| package.json | Updated dependency versions for qs, postcss, and @cucumber/cucumber; added overrides for qs and tmp |
| package-lock.json | Comprehensive lock file update reflecting all direct and transitive dependency changes |
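As an added check, not code from this PR or the project, the script below verifies that every copy of the bumped packages in a lockfile meets the floors the PR sets (qs 6.14.2, postcss 8.4.49, tmp 0.2.4), including nested node_modules copies that an npm `overrides` entry is meant to collapse. The lock excerpt and the `some-tool` dependency are constructed, and versions are assumed to be plain x.y.z.

```javascript
// Added example, not code from the PR or the project. Checks that every copy
// of a package in an npm lockfile (lockfileVersion 3 shape) satisfies the
// minimum version the PR sets, including nested node_modules copies that an
// "overrides" entry is meant to collapse. Versions are assumed to be plain
// x.y.z (no pre-release tags).

// Floors taken from the PR description: qs ^6.14.2, postcss 8.4.49, tmp ^0.2.4.
const FLOORS = { qs: '6.14.2', postcss: '8.4.49', tmp: '0.2.4' };

// Constructed lockfile excerpt; "some-tool" is a hypothetical dependency that
// still carries its own stale copy of tmp, which is what an override prevents.
const LOCK = {
  packages: {
    'node_modules/qs': { version: '6.15.0' },
    'node_modules/postcss': { version: '8.4.49' },
    'node_modules/tmp': { version: '0.2.5' },
    'node_modules/some-tool/node_modules/tmp': { version: '0.2.3' },
  },
};

// Numeric comparison of x.y.z strings: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const x = a.split('.').map(Number);
  const y = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Every lock entry for `name`, whether hoisted to the top level or nested
// under another package's node_modules.
function findCopies(lock, name) {
  const suffix = 'node_modules/' + name;
  return Object.entries(lock.packages)
    .filter(([path]) => path === suffix || path.endsWith('/' + suffix))
    .map(([path, entry]) => ({ path, version: entry.version }));
}

// Entries that resolve below their floor; an empty list means the lock is clean.
function findViolations(lock, floors) {
  const violations = [];
  for (const [name, floor] of Object.entries(floors)) {
    for (const copy of findCopies(lock, name)) {
      if (compareVersions(copy.version, floor) < 0) violations.push({ ...copy, floor });
    }
  }
  return violations;
}

// Against a real project: JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')).
console.log(findViolations(LOCK, FLOORS));
```

A non-empty result after `npm install` means the override did not take effect for some nested copy and the vulnerable version is still on disk.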
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
muli-cohen approved these changes on Feb 23, 2026.
Taras-Hlukhovetskyi pushed a commit to Taras-Hlukhovetskyi/ui that referenced this pull request on Feb 24, 2026:
## 📝 Description

1. Fix PostCSS line return parsing error
2. Fix tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
3. Fix qs's arrayLimit bypass in comma parsing allows denial of service

---

## 🛠️ Changes Made

- Update dependencies

---

## ✅ Checklist

- [x] I have given the PR a well-structured title describing the domain and the specific change that was made
- [x] I tested the changes in the browser (locally or via preview build)
- [x] I confirmed that existing tests pass
- [ ] I added or updated unit / integration tests (if needed)
- [x] I checked that this change doesn’t introduce new console warnings or lint / formatting errors
- [ ] I updated the relevant Jira ticket with the appropriate details and status

---

## 🔗 References

- Related ticket / issue: [ML-12108](https://iguazio.atlassian.net/browse/ML-12108), [ML-12109](https://iguazio.atlassian.net/browse/ML-12109), [ML-12170](https://iguazio.atlassian.net/browse/ML-12170)
- Figma / design spec:
- Documentation:

---

## 🚨 Potentially Breaking Changes

- [ ] Yes
- [ ] No

---

Includes DRC change

- [ ] Yes
- [x] No

If yes -> requires bump NPM version

---

## 🔍 Additional Notes

---

## 📸 Screenshots / Demos

[ML-12108]: https://iguazio.atlassian.net/browse/ML-12108?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ