Skip to content

Fix all Dependabot security vulnerabilities#33

Merged
pacu merged 11 commits into
mainfrom
fix-dependabot-alerts
Apr 20, 2026
Merged

Fix all Dependabot security vulnerabilities#33
pacu merged 11 commits into
mainfrom
fix-dependabot-alerts

Conversation

@pacu
Copy link
Copy Markdown
Contributor

@pacu pacu commented Apr 20, 2026

Summary

Resolves all 50+ open Dependabot security alerts by upgrading vulnerable dependencies.

  • Bumped next from 16.1.5 to ^16.2.3 (resolves to 16.2.4) — direct dependency
  • Pinned the following transitive dependencies via pnpm.overrides:
Package Previous Fixed
dompurify 3.2.5 3.4.0
picomatch 2.3.1 2.3.2
lodash-es 4.17.21 4.18.0
@xmldom/xmldom 0.9.8 0.9.9
yaml 2.7.1 2.8.3
tar 7.4.3 7.5.11
minimatch 10.0.3 10.2.3
@isaacs/brace-expansion 5.0.0 5.0.1
mdast-util-to-hast 13.2.0 13.2.1

Each fix is a separate commit for traceability.

Test plan

  • Verify CI/build passes
  • Confirm Dependabot alerts are dismissed after merge

🤖 Generated with Claude Code

pacu and others added 11 commits April 20, 2026 17:33
@pacu @claude
Fix CVE: bump next to 16.2.3 (security vulnerabilities)
a349299 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@pacu @claude
Fix CVE: pin dompurify to 3.4.0 via pnpm override
09d43d3 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@pacu @claude
Fix CVE: pin picomatch to 2.3.2 via pnpm override
e694c2b 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@pacu @claude
Fix CVE: pin lodash-es to 4.18.0 via pnpm override
be3d3f6 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@pacu @claude
Fix CVE: pin @xmldom/xmldom to 0.9.9 via pnpm override
5b97d3a 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@pacu @claude
Fix CVE: pin yaml to 2.8.3 via pnpm override
c7fec6f 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@pacu @claude
Fix CVE: pin tar to 7.5.11 via pnpm override
2be114e 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@pacu @claude
Fix CVE: pin minimatch to 10.2.3 via pnpm override
24ae79f 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@pacu @claude
Fix CVE: pin @isaacs/brace-expansion to 5.0.1 via pnpm override
a8ec241 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@pacu @claude
Fix CVE: pin mdast-util-to-hast to 13.2.1 via pnpm override
37d9a78 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@pacu @claude
Update tsconfig.json for Next.js 16.2.4 compatibility
60c1f1f 
Next.js auto-applied mandatory changes on first run:
- jsx changed from "preserve" to "react-jsx" (React automatic runtime)
- Added ".next/dev/types/**/*.ts" to include paths

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@pacu pacu merged commit 10cf454 into main Apr 20, 2026
@pacu pacu mentioned this pull request Apr 20, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@pacu