chore(security): patch 6 Dependabot alerts (axios, protobufjs, fast-uri, uuid, postcss, gomarkdown)#3388
Merged
Merged
Conversation
…uri, uuid, postcss, gomarkdown - axios: 1.15.0 → 1.15.2 (9 CVEs: prototype pollution, header injection, XSRF, CRLF, SSRF) - protobufjs: 7.5.4 → 7.5.8 (critical: arbitrary code execution) - fast-uri: 3.1.0 → 3.1.2 (high: path traversal, host confusion) - uuid@11: 11.1.0 → 11.1.1 (medium: missing buffer bounds check) - postcss: 8.5.9 → 8.5.14 (medium: XSS via unescaped </style>) - gomarkdown/markdown: 20240729 → 20260411 (high: out-of-bounds read)
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
laurakwhit
added a commit
that referenced
this pull request
May 21, 2026
Auto-generated version bump from 2.49.1 to 2.50.0 Bump type: minor Changes included: - [`29832bec`](29832be) Use initiatedEvent for startChildFailed event grouping (#3342) - [`91a01560`](91a0156) rm slash (#3343) - [`2e7b88d0`](2e7b88d) feat: Set Current Version action for worker deployment versions (#3319) - [`b2685f3b`](b2685f3) Add relative path prefix support to routeFor utilities (#3292) - [`9c888c0c`](9c888c0) fix: validate connection modal status, retry button, and copy nits (#3347) - [`38989c48`](38989c4) revert: restore original create worker deployment copy (#3348) - [`90e1fe58`](90e1fe5) Common Errors for Event History (#3306) - [`f479e4e2`](f479e4e) Show current duration for pending timeline events (#3346) - [`65a7ff0d`](65a7ff0) Add refresh button to workers list view (#3349) - [`219cfee4`](219cfee) Fix null conditionals in search attribute filter (#3351) - [`08bd2f01`](08bd2f0) Add support for adding caller Namespace even if it's not in list of allowed Namespace options for Nexus endpoint (#3167) - [`d424a78a`](d424a78) refactor(DT-3906): Add knip (#3350) - [`e828b14f`](e828b14) Remove icon (#3357) - [`252a755c`](252a755) Add Java to list of support versions for worker heartbeats (#3362) - [`0f446c7a`](0f446c7) refactor(DT-3906): Simple Svelte 5 migrations (#3359) - [`63db5b72`](63db5b7) feat(DT-3657): Support shift click for bulk selection in workflow table (#3344) - [`389d57bf`](389d57b) Enable Svelte 5 runes on files not using legacy features (#3363) - [`f4b87e1d`](f4b87e1) Update components/workflow to Svelte 5 syntax (#3361) - [`3e2cce43`](3e2cce4) refactor(DT-3906): More Svelte 5 Migrations (trivial ones) (#3364) - [`15adcd73`](15adcd7) refactor(DT-3906): UI svelte 5 migrate components/events (#3365) - [`031fb867`](031fb86) refactor(DT-3906): Migrate stories to Svelte 5 syntax (#3366) - [`4eac9d2a`](4eac9d2) Scope group hover to tooltip component only (#3379) - [`eeace5c3`](eeace5c) chore: upgrade TypeScript to v6.0.3 (#3371) - [`cb80efdd`](cb80efd) refactor(DT-3906): More trivial migrations (#3367) - [`6cc395bf`](6cc395b) refactor(DT-3906): migrate holocene primitives + layout components to Svelte 5 runes (#3377) - [`40a029ea`](40a029e) refactor(DT-3906): UI Svelte 5 Migrations medium (#3368) - [`7dc29ba6`](7dc29ba) refactor(DT-3906): Delete unused Svelte 4 scaffolding (carved from #3370 - Part 1) (#3372) - [`34a8547e`](34a8547) refactor(DT-3906): Migrate workflow client-action modals to runes (carved from #3370 - Part 4) (#3375) - [`61090d7e`](61090d7) refactor(DT-3906): Migrate schedule view components to runes (carved from #3370 - Part 2) (#3373) - [`988e0479`](988e047) refactor(DT-3906): Migrate filter and input components to runes (carved from #3370 - Part 3) (#3374) - [`d8b78496`](d8b7849) refactor(DT-3906): Migrate workflows-summary table + relationships to runes (carved from #3370 - Part 5) (#3376) - [`ff86c004`](ff86c00) fix(DT-3968): Make Workflow Table Tooltips render in portal (#3383) - [`5e02642a`](5e02642) fix(DT-3967): Visibly toggle the view children button even with a parent has 0 (#3382) - [`1f2b1031`](1f2b103) Remove capability guard from Set Current Version menu item (#3386) - [`0d54dcb4`](0d54dcb) fix: portal maximizable to body to escape stacking context (#3385) - [`abf45438`](abf4543) chore(security): patch Dependabot alerts for axios, protobufjs, fast-uri, uuid, postcss, gomarkdown (#3388) - [`4500f5ea`](4500f5e) Upgrade GitHub actions (#3389) - [`4a8c0c5b`](4a8c0c5) fix(timeline): stabilize child workflow timeline width with scrollbar-gutter (#3329) - [`ead14c61`](ead14c6) Move Create Schedule button to header row (#3390) - [`e8638a2b`](e8638a2) Add top margin (#3392) - [`ef03dfce`](ef03dfc) refactor: replace PayloadDecoder and MetadataDecoder with unified Payload component (#3299) - [`89b9eafa`](89b9eaf) add loading state to payload code block (#3397) - [`ee3ae138`](ee3ae13) Update Schedules search attributes filter (#3396) - [`41fd4f1f`](41fd4f1) DT-3751 - download external payloads (#3345) - [`e4fee0b6`](e4fee0b) Fix codec server request URL (#3400) - [`966b3d0a`](966b3d0) Make input from schedule result actually a string and update tests (#3403) - [`48a014db`](48a014d) feat(history): show Nexus operation name in compact view (#3394) - [`9127c768`](9127c76) Refactor status counts and refresh button (#3402) - [`747ec109`](747ec10) Fix double loader button (#3407) - [`6ae961fc`](6ae961f) Payload rendering and error optimizations (#3401) - [`32c74a48`](32c74a4) add codec server error banner back to workflow layout (#3408) - [`f73c7ec9`](f73c7ec) Nxs operation/kt (#3406) - [`672bb04a`](672bb04) Bump Go 1.26.2→1.26.3, x/net v0.54.0, remove curl from runtime image (#3409) - [`1ee09fe3`](1ee09fe) chore(deps-dev): bump svelte from 5.55.1 to 5.55.7 (#3395) - [`565bb071`](565bb07) VLN-1352: remediate missing-dependency-cooldown (#3398) - [`25794ed8`](25794ed) Bump devalue to 5.8.1 (#3410) - [`b18d0060`](b18d006) Set color-scheme explicitly (#3358) - [`e7995b81`](e7995b8) chore: ensure the empty app.html respects the user's ligh/dark settings (#3353) - [`01d64038`](01d6403) fix: enable external payload download button with namespace level codec endpoint (#3420) - [`4cc44311`](4cc4431) Fix publicPath URL duplication when prefix appears as substring (#3393) Co-authored-by: laurakwhit <15069288+laurakwhit@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Surgical security patches addressing open Dependabot alerts. All fixes applied via
pnpm.overrides(consistent with existing pattern) to avoid broader dependency churn.Addressed alerts
protobufjsaxiosfast-urigomarkdown/markdownuuid@11bufis provided (scoped override — uuid@8 and uuid@9 untouched)postcss</style>in CSS stringify outputChanges
package.json— bumpedaxiosoverride; added overrides forprotobufjs,fast-uri,uuid@>=11 <12,postcsspnpm-lock.yaml— updated lock entriesserver/go.mod+server/go.sum— upgradedgomarkdown/markdown