Skip to content

fix: resolve open Dependabot security alerts#38

Merged
jonathannorris merged 1 commit intomainfrom
fix/dependabot-alerts
Apr 28, 2026
Merged

fix: resolve open Dependabot security alerts#38
jonathannorris merged 1 commit intomainfrom
fix/dependabot-alerts

Conversation

@jonathannorris
Copy link
Copy Markdown
Member

@jonathannorris jonathannorris commented Apr 27, 2026

Summary

  • Resolved 37 open Dependabot security alerts through direct dependency upgrades (next, @openfeature/flagd-provider, @openfeature/ofrep-web-provider, jest, @testing-library/jest-dom, postcss) and npm overrides for transitive deps that can't be upgraded directly (protobufjs, minimatch, ajv, js-yaml, diff, yaml)
  • Updated route params to the Next.js 15 async Promise-based API and removed the deprecated experimental.instrumentationHook config option

@jonathannorris
fix: resolve open Dependabot security alerts
f75cf96 
Direct dependency upgrades:
- next 14.2.28 -> ^15.5.15
- @openfeature/flagd-provider ^0.13.3 -> ^0.15.0
- @openfeature/flagd-core ^1.0.0 -> ^3.0.0
- @openfeature/ofrep-web-provider ^0.3.2 -> ^0.3.6
- @grpc/grpc-js ^1.14.0 (new explicit dep, was flagd-provider peer)
- jest ^29.7.0 -> ^30.3.0, jest-environment-jsdom, @types/jest
- @testing-library/jest-dom ^6.6.3 -> ^6.9.1
- eslint-config-next ^14.2.12 -> ^15.5.15
- postcss ^8 -> ^8.5.10

npm overrides for remaining transitive vulnerabilities:
- protobufjs ^7.5.5 (via @grpc/proto-loader)
- minimatch ^3.1.3 (via eslint@8)
- ajv ^8.18.0 (via eslint@8)
- js-yaml ^4.1.1 (via @istanbuljs/load-nyc-config)
- diff ^5.2.0 (via ts-node)
- yaml ^2.8.3 (via tailwindcss/postcss-load-config)

Additional fixes for Next.js 15 compatibility:
- Update dynamic route params to Promise-based API in route.ts and page.tsx
- Remove deprecated experimental.instrumentationHook from next.config.mjs

Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
@jonathannorris jonathannorris requested a review from beeme1mr April 27, 2026 21:13
gemini-code-assist[bot]
gemini-code-assist Bot reviewed Apr 27, 2026
View reviewed changes
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request upgrades the project to Next.js 15, which involves updating API routes and page components to handle asynchronous parameters and removing the experimental instrumentation hook. It also updates OpenFeature dependencies and adds several package overrides. The review feedback highlights several critical issues, including the use of non-existent package versions in package.json, the requirement to upgrade React and its types to version 19 for Next.js 15 compatibility, and a suggestion to use a more modern TypeScript target in tsconfig.json.

Comment thread package.json
Comment thread package.json
Comment thread package.json
Comment thread package.json
Comment thread package.json
Comment thread package.json
Comment thread tsconfig.json
@jonathannorris jonathannorris added this pull request to the merge queue Apr 28, 2026
Merged via the queue into main with commit 42f2785 Apr 28, 2026
3 checks passed
@openfeaturebot openfeaturebot mentioned this pull request Apr 28, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@askpt askpt askpt approved these changes

@beeme1mr beeme1mr Awaiting requested review from beeme1mr

@toddbaert toddbaert Awaiting requested review from toddbaert

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jonathannorris @askpt