
fix: bump protobufjs and follow-redirects to resolve dependabot alerts #598

Merged: jonathannorris merged 1 commit into main from fix/dependabot-alerts-2 on Apr 20, 2026

Conversation

@jonathannorris (Member)

Summary

  • Resolved 4 open Dependabot security alerts by bumping vulnerable transitive dependencies via resolutions in package.json

Dependabot Alerts Resolved

| Alert | Package | Severity | Fix |
| --- | --- | --- | --- |
| #222 | protobufjs | critical | Bumped to 7.5.5 via resolution in root package.json |
| #221 | protobufjs | critical | Bumped to 7.5.5 via resolution in proxies/nodejs/package.json |
| #220 | protobufjs | critical | Bumped to 7.5.5 via resolution in proxies/openfeature-nodejs/package.json |
| #219 | follow-redirects | medium | Bumped to 1.16.0 via resolution in root package.json |

- protobufjs 7.5.4 -> 7.5.5 (critical, alerts #220 #221 #222)
- follow-redirects 1.15.11 -> 1.16.0 (medium, alert #219)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings April 20, 2026 15:36
@jonathannorris jonathannorris requested a review from a team as a code owner April 20, 2026 15:36

Copilot AI left a comment


Pull request overview

Updates Yarn dependency resolutions/lockfiles to address Dependabot security alerts for vulnerable transitive packages in the root project and NodeJS proxy packages.

Changes:

  • Add/adjust resolutions to force protobufjs to 7.5.5 and follow-redirects to 1.16.0.
  • Update root and proxy yarn.lock files to reflect the bumped resolved versions.

Reviewed changes

Copilot reviewed 3 out of 6 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| package.json | Adds root resolutions for protobufjs and follow-redirects. |
| yarn.lock | Updates resolved versions/checksums for protobufjs and follow-redirects. |
| proxies/nodejs/package.json | Adds protobufjs resolution for the nodejs proxy workspace. |
| proxies/nodejs/yarn.lock | Updates resolved protobufjs version/checksum. |
| proxies/openfeature-nodejs/package.json | Adds protobufjs resolution for the openfeature-nodejs proxy workspace. |
| proxies/openfeature-nodejs/yarn.lock | Updates resolved protobufjs version/checksum. |


Comment thread package.json
"lodash@^4.17.21": "^4.18.0",
"protobufjs@^7.2.5": "^7.5.5",
"protobufjs@^7.3.2": "^7.5.5",
"follow-redirects@^1.15.11": "^1.16.0"

Copilot AI Apr 20, 2026


These resolutions selectors are very specific to current transitive ranges (e.g. protobufjs@^7.2.5, protobufjs@^7.3.2). If a dependent updates its semver range (still within major 7), the override may stop applying and the vulnerable version could reappear. Consider broadening the selector (e.g. protobufjs@^7 or just protobufjs) to ensure the security override remains effective across minor/patch range changes.

Suggested change
"follow-redirects@^1.15.11": "^1.16.0"
"follow-redirects@^1": "^1.16.0"

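The selector-coverage problem raised in the comment above can be checked mechanically rather than by eye. The following is an added example written for this page, not code from the repository or from Copilot. It assumes a Yarn v1 (classic) lockfile layout, uses constructed lockfile text with placeholder hashes, and models selector matching as either an exact `name@range` key or a bare package name; that matching rule is an assumption made for illustration, not a statement of Yarn's exact semantics. It reports lock entries for watched packages that still resolve below the patched version, and requested ranges that none of the `resolutions` keys cover.

```javascript
// Added example, not code from this PR or its repository. Parses a Yarn v1
// lockfile, flags watched packages still resolving below a minimum version,
// and lists requested ranges that no resolutions selector covers.
// SAMPLE_LOCK is constructed sample data; hashes are placeholders.
const SAMPLE_LOCK = `# yarn lockfile v1

"follow-redirects@^1.15.11":
  version "1.16.0"
  resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.16.0.tgz#placeholder"
  integrity sha512-PLACEHOLDER

protobufjs@^7.2.5, protobufjs@^7.3.2:
  version "7.5.5"
  resolved "https://registry.yarnpkg.com/protobufjs/-/protobufjs-7.5.5.tgz#placeholder"
  integrity sha512-PLACEHOLDER
  dependencies:
    "@protobufjs/aspromise" "^1.1.2"

protobufjs@^7.4.0:
  version "7.5.4"
  resolved "https://registry.yarnpkg.com/protobufjs/-/protobufjs-7.5.4.tgz#placeholder"
  integrity sha512-PLACEHOLDER
`;

// Split "name@range" into its parts; the name may be scoped ("@scope/pkg@^1").
function splitRequest(key) {
  const at = key.lastIndexOf("@");
  return { name: key.slice(0, at), range: key.slice(at + 1) };
}

// Minimal Yarn v1 lockfile parser: an unindented line ending in ":" opens an
// entry whose comma-separated keys are the requests it satisfies; the indented
// `version "x.y.z"` line gives the version that entry resolved to.
function parseYarnLockV1(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split("\n")) {
    if (!raw.trim() || raw.startsWith("#")) continue;
    if (!raw.startsWith(" ") && raw.endsWith(":")) {
      const keys = raw.slice(0, -1).split(",").map((k) => k.trim().replace(/^"|"$/g, ""));
      current = { requests: keys.map(splitRequest), version: null };
      entries.push(current);
      continue;
    }
    const m = raw.match(/^\s+version "([^"]+)"$/);
    if (m && current) current.version = m[1];
  }
  return entries;
}

// Numeric major.minor.patch comparison; a pre-release suffix is dropped, which
// is enough for the registry release versions a lockfile records.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Lock entries for watched packages that still resolve below the patched version.
function findVulnerableEntries(entries, minimums) {
  const hits = [];
  for (const e of entries) {
    for (const r of e.requests) {
      const min = minimums[r.name];
      if (min && compareVersions(e.version, min) < 0) {
        hits.push({ name: r.name, range: r.range, version: e.version });
      }
    }
  }
  return hits;
}

// Requests for watched packages that no resolutions key covers. Matching is
// modelled here as "exact name@range key, or a bare package name" (an
// assumption for this example; check the rule for the Yarn version in use).
function uncoveredRequests(entries, resolutions, watched) {
  const out = [];
  for (const e of entries) {
    for (const r of e.requests) {
      if (!watched.includes(r.name)) continue;
      const covered =
        resolutions[`${r.name}@${r.range}`] !== undefined || resolutions[r.name] !== undefined;
      if (!covered) out.push(`${r.name}@${r.range}`);
    }
  }
  return out;
}

// The root resolutions as this PR writes them (narrow selectors).
const ROOT_RESOLUTIONS = {
  "protobufjs@^7.2.5": "^7.5.5",
  "protobufjs@^7.3.2": "^7.5.5",
  "follow-redirects@^1.15.11": "^1.16.0",
};
// Patched versions the alerts call for.
const MINIMUMS = { protobufjs: "7.5.5", "follow-redirects": "1.16.0" };

function runCheck(lockText, resolutions, minimums) {
  const entries = parseYarnLockV1(lockText);
  return {
    vulnerable: findVulnerableEntries(entries, minimums),
    uncovered: uncoveredRequests(entries, resolutions, Object.keys(minimums)),
  };
}

console.log(JSON.stringify(runCheck(SAMPLE_LOCK, ROOT_RESOLUTIONS, MINIMUMS), null, 2));
```

On the constructed lockfile the check reports the `protobufjs@^7.4.0` entry as both still at 7.5.4 and uncovered by the three root keys; replacing the keys with a bare `protobufjs` / `follow-redirects` entry makes the uncovered list empty, which is the durability argument the comment makes. Against a real lockfile, read the file with `fs.readFileSync` in place of `SAMPLE_LOCK`.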
"diff@^4.0.1": "^4.0.4",
"lodash@^4.17.21": "^4.18.0"
"lodash@^4.17.21": "^4.18.0",
"protobufjs@^7.4.0": "^7.5.5"

Copilot AI Apr 20, 2026


Similar to the root: this override targets only protobufjs@^7.4.0. If upstream dependencies change the protobufjs range (still within major 7), this resolution may stop matching. Consider using a broader selector (e.g. protobufjs@^7 or protobufjs) to keep the vulnerability fix from regressing on future dependency updates.

Suggested change
"protobufjs@^7.4.0": "^7.5.5"
"protobufjs@^7": "^7.5.5"

"qs@^6.5.2": "^6.14.2",
"lodash@^4.17.21": "^4.18.0"
"lodash@^4.17.21": "^4.18.0",
"protobufjs@^7.4.0": "^7.5.5"

Copilot AI Apr 20, 2026


This resolutions entry targets only protobufjs@^7.4.0. If a transitive dependency later requests a different protobufjs minor/patch range within major 7, the override may no longer apply. Consider broadening the selector (e.g. protobufjs@^7 or protobufjs) to make the security fix more durable.

Suggested change
"protobufjs@^7.4.0": "^7.5.5"
"protobufjs@^7": "^7.5.5"

@jonathannorris jonathannorris merged commit 00f4ffb into main Apr 20, 2026
12 checks passed
@jonathannorris jonathannorris deleted the fix/dependabot-alerts-2 branch April 20, 2026 15:57