
Chore: Resolve vulnerabilities in transitive NPM dependencies#68

Merged
up1512001 merged 1 commit into develop from chore/dependabot-issues
Mar 6, 2026

Conversation


@imrraaj imrraaj commented Mar 5, 2026

What

This PR adds overrides in package.json to address security vulnerabilities reported by Dependabot and npm audit.

Why

Fixes dependabot alerts

How

Testing Instructions

Screenshots

Additional Info

Checklist

  • I have read the Contribution Guidelines.
  • I have read the Development Guidelines.
  • My code is tested to the best of my abilities.
  • My code passes all lints (ESLint etc.).
  • My code has detailed inline documentation.
  • I have updated the project documentation as needed.
  • I have added a changeset for this PR using npm run changeset.

Copilot AI review requested due to automatic review settings March 5, 2026 12:46

Copilot AI left a comment


Pull request overview

This PR addresses reported security vulnerabilities in transitive npm dependencies by adding npm overrides, updating the npm lockfile resolution accordingly, and bumping the plugin release metadata to 1.1.2.

Changes:

  • Added npm overrides to force patched versions of vulnerable transitive dependencies (e.g., minimatch, serialize-javascript, ajv).
  • Updated package-lock.json to reflect the new override-driven dependency graph.
  • Bumped plugin version/release metadata to 1.1.2 across WordPress readme, main plugin file, and changelog.

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 1 comment.

Summary per file:

  • readme.txt: Updates WordPress "Stable tag" to 1.1.2.
  • package.json: Adds npm overrides for vulnerable transitive dependencies.
  • package-lock.json: Re-resolves dependency tree to apply overrides and related updates.
  • onemedia.php: Updates plugin header version and ONEMEDIA_VERSION constant to 1.1.2.
  • CHANGELOG.md: Adds 1.1.2 entry noting the security dependency resolution.


"webpack-dev-server@<=5.2.0": ">=5.2.1"
"webpack-dev-server@<=5.2.0": ">=5.2.1",
"minimatch": ">=10.2.1",
"serialize-javascript": ">=7.0.3",
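Review bot: the unkeyed overrides on the last two lines (`"minimatch": ">=10.2.1"` and `"serialize-javascript": ">=7.0.3"`) apply to every copy of that package anywhere in the dependency tree, not only the instance the advisory is about, so any dependency that still requires an older major of minimatch or serialize-javascript will be forced onto the new major. Before merging, run `npm ls minimatch` and `npm ls serialize-javascript` to confirm every consumer tolerates the forced version, and re-run `npm audit` against the regenerated package-lock.json to confirm the advisories are actually cleared rather than just re-resolved. If only a specific vulnerable range needs replacing, keying the override the way the `"webpack-dev-server@<=5.2.0"` entry does narrows its blast radius.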

Copilot AI Mar 5, 2026


The override ranges using ">=" (e.g., webpack-dev-server, minimatch, serialize-javascript) allow future major versions to be selected the next time the lockfile is regenerated, which can introduce breaking changes unrelated to the vulnerability fix. Prefer pinning to a specific patched version (or at least constraining to the current major with a caret/tilde range) to keep dependency resolution predictable.

Suggested change
"serialize-javascript": ">=7.0.3",
"serialize-javascript": "^7.0.3",

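The review comment above turns on how an npm override range is bounded: `>=x.y.z` has a floor but no ceiling, while `^x.y.z` or an exact pin stays inside the current major. The following script is an added example, not code from this PR or the project, that reads a package.json, flags every override whose range is open-ended, and proposes the caret form with the same patched floor. The package.json it parses is a constructed sample that mirrors the shape of the overrides discussed here; no external packages are used.

```javascript
// Added example (not part of the PR): flag npm "overrides" whose range has no
// upper bound, so that the next lockfile regeneration could pull in a future
// major version. Plain semver range syntax is assumed; no dependencies needed.

// Constructed sample package.json (not the project's real file) with the same
// kinds of entries the review discusses.
const samplePackageJson = JSON.stringify({
  name: "sample-plugin",
  version: "1.1.2",
  overrides: {
    "webpack-dev-server@<=5.2.0": ">=5.2.1", // floor only: open-ended
    "minimatch": ">=10.2.1",                 // floor only: open-ended
    "serialize-javascript": "^7.0.3",        // capped to major 7
    "ajv": "8.17.1",                         // exact pin
  },
});

// A range is open-ended when it matches anything, or when it only sets a lower
// bound (">=x.y.z" / ">x.y.z") with no "<" upper bound and no hyphen range.
function isOpenEnded(range) {
  const r = range.trim();
  if (r === "" || r === "*" || r === "latest" || /^x$/i.test(r)) return true;
  if (/^>=?\s*\d/.test(r) && !/<|\s-\s/.test(r)) return true;
  return false;
}

// Rewrite ">=7.0.3" as "^7.0.3": same patched floor, but capped to that major.
// Ranges that are not a plain ">=" floor are returned unchanged.
function suggestBoundedRange(range) {
  const m = range.trim().match(/^>=\s*(\d+\.\d+\.\d+)/);
  return m ? `^${m[1]}` : range;
}

// Returns [{ key, range, suggestion }] for each override that needs attention.
// Nested override objects (per-dependency sub-overrides) are skipped here.
function findOpenEndedOverrides(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const overrides = pkg.overrides || {};
  const findings = [];
  for (const [key, range] of Object.entries(overrides)) {
    if (typeof range !== "string") continue;
    if (isOpenEnded(range)) {
      findings.push({ key, range, suggestion: suggestBoundedRange(range) });
    }
  }
  return findings;
}

// Usage on the constructed sample: prints the two open-ended entries.
for (const f of findOpenEndedOverrides(samplePackageJson)) {
  console.log(`${f.key}: "${f.range}" is open-ended; consider "${f.suggestion}"`);
}
```

Pointing this at the real package.json before regenerating the lockfile makes the review comment's concern mechanical: any entry it reports is one whose resolution can drift across a major boundary on the next `npm install`.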
@imrraaj imrraaj requested a review from up1512001 March 6, 2026 05:35
@up1512001 up1512001 merged commit fea4137 into develop Mar 6, 2026
13 checks passed