
chore: resolve open dependabot security alerts#604

Open
jonathannorris wants to merge 1 commit into
mainfrom
chore/dependabot-alerts

Conversation

@jonathannorris

Member

Summary

  • Resolved 36 open Dependabot security alerts by bumping vulnerable dependencies across npm, Ruby, and PHP ecosystems

Dependabot Alerts Resolved

| Alert | Package | Severity | Fix |
| --- | --- | --- | --- |
| #328 | js-yaml | medium | Bumped to ^4.2.0 via root resolution |
| #327 | @babel/core | low | Bumped to ^7.29.6 via root resolution |
| #309 | tar | medium | Bumped to ^7.5.16 via root resolution |
| #307, #300 | undici | high | Bumped to ^7.28.0 via root resolution |
| #308, #306, #305, #303, #301 | undici | medium/low | Bumped to ^7.28.0 via root resolution |
| #302 | form-data | high | Bumped to ^4.0.6 via root resolution |
| #298, #295 | protobufjs | high/medium | Bumped to ^7.6.3 via root resolution (resolves to 7.6.4) |
| #297, #294 | protobufjs | high/medium | Bumped to ^7.6.3 via proxies/nodejs resolution |
| #299, #296 | protobufjs | high/medium | Bumped to ^7.6.3 via proxies/openfeature-nodejs resolution |
| #312-#323 | oj | high/medium | Updated 3.17.0 -> 3.17.3 via bundle update in proxies/ruby |
| #324-#326 | concurrent-ruby | high/low | Updated 1.3.6 -> 1.3.7 via bundle update in proxies/ruby |
| #311, #319 | guzzlehttp/guzzle | medium | Updated 7.9.2 -> 7.13.1 via composer update in proxies/php |
| #292, #293, #310 | guzzlehttp/psr7 | medium | Updated 2.7.0 -> 2.12.3 via composer update in proxies/php |

Test plan

  • Unit tests pass (yarn test:unit)
  • TypeScript compiles (pre-existing koa type error unrelated to this change)
  • All lockfiles regenerated and verified against patched versions

- js-yaml ^4.1.0 -> ^4.2.0 via resolution (medium, alert #328)
- @babel/core ^7.x.x -> ^7.29.6 via resolution (low, alert #327)
- tar ^7.5.10 -> ^7.5.16 via resolution (medium, alert #309)
- undici ^7.24.6 -> ^7.28.0 via resolution (high/medium/low, alerts #300-#308)
- form-data ^4.0.5 -> ^4.0.6 via resolution (high, alert #302)
- protobufjs ^7.5.6 -> ^7.6.3 via resolution in root + nodejs + of-nodejs (high/medium, alerts #294-#299)
- oj 3.17.0 -> 3.17.3 via bundle update (high/medium, alerts #312-#323)
- concurrent-ruby 1.3.6 -> 1.3.7 via bundle update (high/low, alerts #324-#326)
- guzzlehttp/guzzle 7.9.2 -> 7.13.1 via composer update (medium, alerts #311 #319)
- guzzlehttp/psr7 2.7.0 -> 2.12.3 via composer update (medium, alerts #292 #293 #310)
@jonathannorris jonathannorris requested a review from a team as a code owner July 2, 2026 13:45
Copilot AI review requested due to automatic review settings July 2, 2026 13:45
@jonathannorris jonathannorris enabled auto-merge (squash) July 2, 2026 13:46
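The last item of the test plan, verifying the regenerated lockfiles against the patched versions, as an added example that is not part of the PR or the project's code: a small Node script that parses a Yarn v1 lockfile and reports every entry that still resolves below the floors listed in the PR description. The lockfile text is constructed for the example; the version floors are the ones from the table above.

```javascript
// Floors taken from the PR description (package -> minimum patched version).
const PATCHED_MINIMUMS = {
  'js-yaml': '4.2.0', '@babel/core': '7.29.6', tar: '7.5.16',
  undici: '7.28.0', 'form-data': '4.0.6', protobufjs: '7.6.3',
};

// Numeric compare of dotted versions; prerelease/build suffixes are ignored.
function compareVersions(a, b) {
  const num = (v) => v.split(/[-+]/)[0].split('.').map(Number);
  const pa = num(a), pb = num(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Parse a Yarn v1 lockfile into { name, key, version } records, one per "name@range" key.
// Entry headers sit at column 0 and end with ':'; keys are comma-separated, quoted when scoped.
function parseYarnLock(text) {
  const entries = []; let cur = null;
  for (const line of text.split('\n')) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ') && line.endsWith(':')) {
      const keys = line.slice(0, -1).split(', ').map((k) => k.replace(/^"|"$/g, ''));
      entries.push((cur = { keys, version: null }));
    } else if (cur && /^ {2}version /.test(line)) {
      cur.version = line.trim().split(/\s+/)[1].replace(/"/g, '');
    }
  }
  // The package name is everything before the key's last '@' (handles @scope/name).
  return entries.flatMap((e) => e.keys.map((key) =>
    ({ name: key.slice(0, key.lastIndexOf('@')), key, version: e.version })));
}

// Every resolved entry that still sits below its patched floor.
function findUnpatched(lockText, minimums = PATCHED_MINIMUMS) {
  return parseYarnLock(lockText)
    .filter((e) => minimums[e.name] && compareVersions(e.version, minimums[e.name]) < 0);
}
// Constructed sample: @babel/core and js-yaml meet their floors, undici does not.
const SAMPLE_LOCK = `# yarn lockfile v1
"@babel/core@^7.20.0", "@babel/core@^7.29.6":
  version "7.29.6"
js-yaml@^4.1.0, js-yaml@^4.2.0:
  version "4.2.0"
undici@^7.24.6:
  version "7.24.6"`;

findUnpatched(SAMPLE_LOCK).forEach((e) => console.log(`STILL VULNERABLE: ${e.key} -> ${e.version}`));
```

To check a real lockfile, read it with `fs.readFileSync('yarn.lock', 'utf8')` and pass the text to `findUnpatched`; an empty result means every listed package resolves at or above its floor.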

Copilot AI left a comment


Pull request overview

Resolves a large set of Dependabot security alerts by updating/pinning vulnerable transitive dependencies across the repo’s Node/Yarn workspaces and the Ruby/PHP proxy lockfiles.

Changes:

  • Updated root Yarn dependency resolutions and regenerated yarn.lock to pull in patched versions (e.g., undici, tar, js-yaml, @babel/core, form-data, protobufjs).
  • Updated Node proxy workspaces (proxies/nodejs, proxies/openfeature-nodejs) resolutions/lockfiles to ensure patched protobufjs (and related deps) are used.
  • Regenerated Ruby and PHP proxy lockfiles to pick up patched gem/composer dependency versions.

Reviewed changes

Copilot reviewed 3 out of 8 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| package.json | Updates root resolutions to force patched versions for several vulnerable transitive dependencies. |
| yarn.lock | Regenerated lockfile reflecting patched dependency graph (Babel, undici, tar, protobufjs, etc.). |
| proxies/nodejs/package.json | Bumps workspace-level protobufjs resolution to a patched version. |
| proxies/nodejs/yarn.lock | Regenerated Node proxy lockfile reflecting patched protobufjs and related deps. |
| proxies/openfeature-nodejs/package.json | Bumps workspace-level protobufjs resolution to a patched version. |
| proxies/openfeature-nodejs/yarn.lock | Regenerated OF Node proxy lockfile reflecting patched protobufjs and related deps. |
| proxies/ruby/Gemfile.lock | Updates vulnerable Ruby gems (oj, concurrent-ruby) to patched versions. |
| proxies/php/php-proxy/composer.lock | Updates vulnerable PHP packages (guzzlehttp/guzzle, guzzlehttp/psr7) and related composer-locked deps. |
