fix(deps): address Dependabot security alerts#3269
Merged
rossnelson merged 1 commit intomainfrom Apr 8, 2026
Merged
Conversation
- lodash: ^4.17.21 -> ^4.18.1 (CVE-2026-4800, CVE-2026-2950, CVE-2025-13465) - svelte: 5.53.3 -> 5.55.1 (CVE-2026-27902, CVE-2026-27901) - @sveltejs/kit: 2.53.0 -> 2.55.0 (DoS via form deserialization) - storybook: ^8.6.11 -> ^8.6.18 (CVE-2026-27148) - tar-fs: >=2.1.2 -> ^3.1.2 (CVE-2025-59343) Resolves Dependabot alerts #233, #232, #159, #204, #203, #194, #193, #207, #192, #127.
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
laurakwhit
approved these changes
Apr 7, 2026
temporal-cicd bot
pushed a commit
that referenced
this pull request
Apr 10, 2026
Auto-generated version bump from 2.48.1 to 2.48.2 Specific version: 2.48.2 Changes included: - [`92cd681e`](92cd681) Re-wire auth to use a provider pattern. Lots of tests remove cloud references (#3230) - [`3d92202b`](3d92202) Use --top-nav-height CSS variable for sticky element positioning (#3250) - [`16295986`](1629598) Bump saved view limits from 20 to 50 (#3254) - [`a9fa0e91`](a9fa0e9) Display cron string instead of calendar spec when schedule has a cron string in comment field (#3241) - [`f1811715`](f181171) use full for 100% instead of 100vh (#3256) - [`0dfadd74`](0dfadd7) Add samples-ruby to workflows table empty state (#3259) - [`d85d61a3`](d85d61a) Display human-readable schedule spec labels (#3261) - [`b63049c5`](b63049c) Add invite icon to Holocene design system (#3262) - [`00c6418c`](00c6418) Bump google.golang.org/grpc from 1.66.1 to 1.79.3 in /server (#3232) - [`b04a3676`](b04a367) Add back animation (#3251) - [`7b651524`](7b65152) Bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 in /server (#3268) - [`45f4fdea`](45f4fde) use snippets for nexus CTAs (#3266) - [`420f5c9d`](420f5c9) min-h-full instead of screen (#3270) - [`f5b2fab6`](f5b2fab) feat(navigation): add NavSection Holocene component (#3263) - [`657b2728`](657b272) Adds requested design changes to breadcrumb items (#3267) - [`6763cc4d`](6763cc4) Remove serena (#3273) - [`dfff353e`](dfff353) Display Principal fields in Event History (#3272) - [`2d289bce`](2d289bc) Update CODEOWNERS to wildcard for temporalio/frontend-engineering (#3275) - [`a2eaf16e`](a2eaf16) Persist workflow view and sort order preferences across navigation (#3260) - [`c5d4c996`](c5d4c99) Add link from Event Card to jump to event id page from Timeline. Remove unnecessary padding (#3277) - [`e5b3ea55`](e5b3ea5) fix(deps): upgrade lodash, svelte, kit, storybook, tar-fs for security (#3269) - [`b44afbe6`](b44afbe) fix(deps): upgrade vite and add picomatch/svgo overrides for security (#3279) - [`4e8cb4e9`](4e8cb4e) Fix unpause confirmation modal title (#3280) - [`740b3529`](740b352) Add Slack notification when DESIGN FEEDBACK REQUESTED label is added to a PR (#3282) - [`7e8170e4`](7e8170e) Add check for COLLABORATOR (#3283) - [`dc27109d`](dc27109) fix: update nav item margin from mb-1 to mb-2 (#3290) - [`3e6416d2`](3e6416d) Pass execution runId in workflow request for schedule recent run (#3289) - [`ae3a1844`](ae3a184) Fix schedule edit double-encoding header fields (#3287) - [`09c083e0`](09c083e) fix: prevent reset modal from closing on authorization error (#3291) - [`0aa3b72b`](0aa3b72) Sort namespace picker alphabetically (#3286) - [`4c3d0057`](4c3d005) Sort alphabetically utility (#3293) - [`67a988b9`](67a988b) Bump @sveltejs/kit from 2.55.0 to 2.57.1 (#3294)
laurakwhit
added a commit
that referenced
this pull request
Apr 10, 2026
Auto-generated version bump from 2.48.1 to 2.48.2 Specific version: 2.48.2 Changes included: - [`92cd681e`](92cd681) Re-wire auth to use a provider pattern. Lots of tests remove cloud references (#3230) - [`3d92202b`](3d92202) Use --top-nav-height CSS variable for sticky element positioning (#3250) - [`16295986`](1629598) Bump saved view limits from 20 to 50 (#3254) - [`a9fa0e91`](a9fa0e9) Display cron string instead of calendar spec when schedule has a cron string in comment field (#3241) - [`f1811715`](f181171) use full for 100% instead of 100vh (#3256) - [`0dfadd74`](0dfadd7) Add samples-ruby to workflows table empty state (#3259) - [`d85d61a3`](d85d61a) Display human-readable schedule spec labels (#3261) - [`b63049c5`](b63049c) Add invite icon to Holocene design system (#3262) - [`00c6418c`](00c6418) Bump google.golang.org/grpc from 1.66.1 to 1.79.3 in /server (#3232) - [`b04a3676`](b04a367) Add back animation (#3251) - [`7b651524`](7b65152) Bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 in /server (#3268) - [`45f4fdea`](45f4fde) use snippets for nexus CTAs (#3266) - [`420f5c9d`](420f5c9) min-h-full instead of screen (#3270) - [`f5b2fab6`](f5b2fab) feat(navigation): add NavSection Holocene component (#3263) - [`657b2728`](657b272) Adds requested design changes to breadcrumb items (#3267) - [`6763cc4d`](6763cc4) Remove serena (#3273) - [`dfff353e`](dfff353) Display Principal fields in Event History (#3272) - [`2d289bce`](2d289bc) Update CODEOWNERS to wildcard for temporalio/frontend-engineering (#3275) - [`a2eaf16e`](a2eaf16) Persist workflow view and sort order preferences across navigation (#3260) - [`c5d4c996`](c5d4c99) Add link from Event Card to jump to event id page from Timeline. Remove unnecessary padding (#3277) - [`e5b3ea55`](e5b3ea5) fix(deps): upgrade lodash, svelte, kit, storybook, tar-fs for security (#3269) - [`b44afbe6`](b44afbe) fix(deps): upgrade vite and add picomatch/svgo overrides for security (#3279) - [`4e8cb4e9`](4e8cb4e) Fix unpause confirmation modal title (#3280) - [`740b3529`](740b352) Add Slack notification when DESIGN FEEDBACK REQUESTED label is added to a PR (#3282) - [`7e8170e4`](7e8170e) Add check for COLLABORATOR (#3283) - [`dc27109d`](dc27109) fix: update nav item margin from mb-1 to mb-2 (#3290) - [`3e6416d2`](3e6416d) Pass execution runId in workflow request for schedule recent run (#3289) - [`ae3a1844`](ae3a184) Fix schedule edit double-encoding header fields (#3287) - [`09c083e0`](09c083e) fix: prevent reset modal from closing on authorization error (#3291) - [`0aa3b72b`](0aa3b72) Sort namespace picker alphabetically (#3286) - [`4c3d0057`](4c3d005) Sort alphabetically utility (#3293) - [`67a988b9`](67a988b) Bump @sveltejs/kit from 2.55.0 to 2.57.1 (#3294) Co-authored-by: laurakwhit <15069288+laurakwhit@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Resolves 32 of 35 open Dependabot security alerts via direct dependency upgrades and pnpm overrides.
Note: The
go-jose/v4upgrade (CVE-2026-34986) was already merged in #3268 — not included here.Direct dependency upgrades
lodash:^4.17.21→^4.18.1— CVE-2026-4800 (CVSS 8.1), CVE-2026-2950, CVE-2025-13465svelte:5.53.3→5.55.1— CVE-2026-27902, CVE-2026-27901 (XSS in SSR)@sveltejs/kit:2.53.0→2.55.0— DoS via form deserializationstorybook+ all@storybook/*packages:^8.6.11→^8.6.18— CVE-2026-27148 (WebSocket hijacking)tar-fs:>=2.1.2→^3.1.2— CVE-2025-59343 (symlink validation bypass)pnpm overrides for transitive vulnerabilities
All are dev-only dependencies (not shipped to end users):
serialize-javascript:^7.0.5(RCE, CVSS 8.1)picomatch@>=4:^4.0.4(ReDoS, CVSS 7.5)rollup:^4.60.1(arbitrary file write)flatted:^3.4.2(prototype pollution)tar:^7.5.13(path traversal)minimatch(per-major): 3.x→3.1.5, 5.x→5.1.9, 8.x→8.0.7, 9.x→9.0.9, 10.x→10.2.5 (ReDoS, CVSS 7.5)koa:^3.2.0(host header injection, CVSS 7.5)effect:^3.21.0(AsyncLocalStorage context contamination, CVSS 7.4)devalue:5.6.4(prototype pollution)yaml:^2.8.3(stack overflow, CVSS 4.3)qs:^6.15.0(DoS, CVSS 3.7)Not addressed (2 alerts)
@tootallnate/once— deprecated, no fix publishedsvgo— fix requires v2→v4 major jump that would breakpostcss-svgoTest plan
pnpm install— cleanpnpm lint— 0 errorspnpm check— 0 errorspnpm test -- --run— 1724 passed, 0 failures