chore(deps): consolidate dependency updates and security patches #5302

Merged: marcoscaceres merged 1 commit into main from chore/dep-updates-2026-05-14 on May 14, 2026

@marcoscaceres (Contributor) commented May 14, 2026

Consolidates open dependabot PRs (#5298, #5299, #5300, #5301) and fixes 4 transitive security advisories.

closes #5298
closes #5299
closes #5300
closes #5301

Direct deps:

  • puppeteer 24.42.0 → 24.43.1 (minor, bug fixes + perf)
  • rollup 4.60.2 → 4.60.3 (patch)
  • vnu-jar 26.5.2 → 26.5.13 (patch — dependabot was offering stale 26.5.9)
  • lint-staged 16.4.0 → 17.0.4 (major — only drops Node 20 support; we require Node ≥24)

Security fixes (all transitive, all resolved via update or pnpm override):

  • basic-ftp 5.3.0 → 5.3.1 (high: client DoS via FTP)
  • ip-address 10.1.0 → 10.2.0 (medium: XSS in Address6 HTML-emitting methods)
  • fast-uri 3.1.0 → 3.1.2 (high: host confusion + path traversal)
  • follow-redirects 1.15.6 → 1.16.0 (medium: auth header leak on cross-domain redirects)

Bundle: 421,901 → 423,576 bytes (+1.6KB). No license changes. No new transitive deps. All 1096 integration tests + 56 unit tests pass locally. ESLint 9 → 10 held for a separate PR due to breaking changes.

@marcoscaceres marcoscaceres merged commit 54384fd into main May 14, 2026
10 checks passed
@marcoscaceres marcoscaceres deleted the chore/dep-updates-2026-05-14 branch May 14, 2026 12:09