fix: bump protobufjs and follow-redirects to resolve dependabot alerts#598
Conversation
Pull request overview
Updates Yarn dependency resolutions/lockfiles to address Dependabot security alerts for vulnerable transitive packages in the root project and NodeJS proxy packages.
Changes:
- Add/adjust `resolutions` to force `protobufjs` to 7.5.5 and `follow-redirects` to 1.16.0.
- Update root and proxy `yarn.lock` files to reflect the bumped resolved versions.
Reviewed changes
Copilot reviewed 3 out of 6 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| package.json | Adds root resolutions for protobufjs and follow-redirects. |
| yarn.lock | Updates resolved versions/checksums for protobufjs and follow-redirects. |
| proxies/nodejs/package.json | Adds protobufjs resolution for the nodejs proxy workspace. |
| proxies/nodejs/yarn.lock | Updates resolved protobufjs version/checksum. |
| proxies/openfeature-nodejs/package.json | Adds protobufjs resolution for the openfeature-nodejs proxy workspace. |
| proxies/openfeature-nodejs/yarn.lock | Updates resolved protobufjs version/checksum. |
| "lodash@^4.17.21": "^4.18.0", | ||
| "protobufjs@^7.2.5": "^7.5.5", | ||
| "protobufjs@^7.3.2": "^7.5.5", | ||
| "follow-redirects@^1.15.11": "^1.16.0" |
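Review bot: the root `resolutions` block records the forced versions but not which Dependabot advisories they close or which direct dependencies pull `protobufjs` and `follow-redirects` in; add the advisory IDs and the `yarn why protobufjs` / `yarn why follow-redirects` output to the PR description so the override has a documented minimum version and can be dropped once the direct dependencies bump on their own.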
These resolutions selectors are very specific to current transitive ranges (e.g. protobufjs@^7.2.5, protobufjs@^7.3.2). If a dependent updates its semver range (still within major 7), the override may stop applying and the vulnerable version could reappear. Consider broadening the selector (e.g. protobufjs@^7 or just protobufjs) to ensure the security override remains effective across minor/patch range changes.
| "follow-redirects@^1.15.11": "^1.16.0" | |
| "follow-redirects@^1": "^1.16.0" |
| "diff@^4.0.1": "^4.0.4", | ||
| "lodash@^4.17.21": "^4.18.0" | ||
| "lodash@^4.17.21": "^4.18.0", | ||
| "protobufjs@^7.4.0": "^7.5.5" |
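Review bot: proxies/nodejs/yarn.lock is one of the three changed files not covered by this review (3 of 6 were), and a resolution only takes effect once the lockfile is regenerated, so confirm that its `protobufjs@^7.4.0` entry now reads `version "7.5.5"` and that `yarn install --frozen-lockfile` succeeds in that directory before merging.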
Similar to the root: this override targets only protobufjs@^7.4.0. If upstream dependencies change the protobufjs range (still within major 7), this resolution may stop matching. Consider using a broader selector (e.g. protobufjs@^7 or protobufjs) to keep the vulnerability fix from regressing on future dependency updates.
| "protobufjs@^7.4.0": "^7.5.5" | |
| "protobufjs@^7": "^7.5.5" |
| "qs@^6.5.2": "^6.14.2", | ||
| "lodash@^4.17.21": "^4.18.0" | ||
| "lodash@^4.17.21": "^4.18.0", | ||
| "protobufjs@^7.4.0": "^7.5.5" |
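Review bot: only `protobufjs` is overridden in this workspace while the root package.json also overrides `follow-redirects`; because proxies/openfeature-nodejs has its own yarn.lock, the root `follow-redirects` resolution does not reach it, so check whether that lockfile contains a `follow-redirects` entry and, if it does, add the same `"follow-redirects@^1": "^1.16.0"` override here (and in proxies/nodejs/package.json).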
This resolutions entry targets only protobufjs@^7.4.0. If a transitive dependency later requests a different protobufjs minor/patch range within major 7, the override may no longer apply. Consider broadening the selector (e.g. protobufjs@^7 or protobufjs) to make the security fix more durable.
| "protobufjs@^7.4.0": "^7.5.5" | |
| "protobufjs@^7": "^7.5.5" |
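The three review comments above all come down to whether a resolution selector actually matches what ends up in each yarn.lock. The script below is an added example, not code from this PR or the project: it parses a Yarn v1 lockfile and reports any `protobufjs` or `follow-redirects` entry still resolving below the versions this PR forces, whichever selector pulled it in. The embedded lockfile excerpt is constructed for the example.

```javascript
// Added example (not part of this PR): check every protobufjs / follow-redirects
// entry in a Yarn v1 yarn.lock against the minimum versions this PR forces.
const MIN_VERSIONS = { protobufjs: "7.5.5", "follow-redirects": "1.16.0" };
const unquote = (s) => s.trim().replace(/^"|"$/g, "");

// Parse a Yarn v1 lockfile into [{ name, selectors, version }] records.
function parseYarnLock(text) {
  const entries = [];
  for (const block of text.split(/\n\s*\n/)) {
    const lines = block.split("\n").filter((l) => l.trim() && !l.startsWith("#"));
    if (lines.length === 0 || lines[0].startsWith(" ")) continue;
    // Header line `pkg@^1.0.0, "pkg@^1.2.0":` lists every selector resolved to this entry.
    const selectors = lines[0].replace(/:\s*$/, "").split(",").map(unquote);
    // Package name is everything before the last "@" (works for @scope/name too).
    const name = selectors[0].slice(0, selectors[0].lastIndexOf("@"));
    const versionLine = lines.find((l) => /^\s+version\s/.test(l));
    const version = versionLine ? unquote(versionLine.trim().split(/\s+/)[1]) : null;
    entries.push({ name, selectors, version });
  }
  return entries;
}

// Compare MAJOR.MINOR.PATCH numerically (pre-release / build tags ignored).
function cmpVersion(a, b) {
  const pa = a.split(/[-+]/)[0].split(".").map(Number);
  const pb = b.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  return 0;
}

// Entries of a tracked package that still resolve below its minimum patched version.
function findVulnerable(lockText, minVersions = MIN_VERSIONS) {
  return parseYarnLock(lockText).filter((e) =>
    e.name in minVersions && (!e.version || cmpVersion(e.version, minVersions[e.name]) < 0));
}

// Constructed sample lockfile: a `protobufjs@^7.4.0` selector that no resolution covered.
const SAMPLE_LOCK = `# yarn lockfile v1

follow-redirects@^1.15.11:
  version "1.16.0"

protobufjs@^7.2.5, protobufjs@^7.3.2:
  version "7.5.5"

protobufjs@^7.4.0:
  version "7.4.0"
`;
findVulnerable(SAMPLE_LOCK).forEach((e) =>
  console.log(`${e.name}@${e.version} still pulled in via ${e.selectors.join(", ")}`));
```

Run it against each of the three yarn.lock files in this PR; an empty result means every selector resolved to a patched version.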
Summary
`resolutions` in `package.json`
Dependabot Alerts Resolved
- `protobufjs` in `package.json`
- `protobufjs` in `proxies/nodejs/package.json`
- `protobufjs` in `proxies/openfeature-nodejs/package.json`
- `follow-redirects` in `package.json`