chore: resolve open dependabot security alerts#374

Open
jonathannorris wants to merge 1 commit into main from chore/dependabot-alerts

Conversation

@jonathannorris (Member)

Summary

Resolved 9 open Dependabot security alerts by bumping vulnerable dependencies via yarn resolutions/overrides and direct dependency bumps.

Dependabot Alerts Resolved

| Alert | Package | Severity | Fix |
|---|---|---|---|
| #115 | js-yaml | medium | Bumped direct dep to ^4.2.0, added resolution |
| #114 | linkify-it | high | Added resolution ^5.0.1 (transitive via markdown-it) |
| #113 | undici | low | Updated resolution from ^6.24.0 to ^6.27.0 |
| #112 | undici | medium | Updated resolution from ^6.24.0 to ^6.27.0 |
| #111 | undici | low | Updated resolution from ^6.24.0 to ^6.27.0 |
| #110 | undici | high | Updated resolution from ^6.24.0 to ^6.27.0 |
| #109 | tar | medium | Bumped direct dep to ^7.5.16, added resolution |
| #107 | form-data | high | Added resolution ^4.0.6 (transitive via @vscode/vsce) |
| #106 | markdown-it | medium | Added resolution ^14.2.0 (transitive via @vscode/vsce) |

Resolved versions (yarn)

  • js-yaml → 4.3.0
  • linkify-it → 5.0.2
  • undici → 6.27.0
  • tar → 7.5.19
  • form-data → 4.0.6
  • markdown-it → 14.3.0

Test plan

  • yarn install completes without errors
  • yarn build:test (TypeScript compile) passes
  • yarn lint passes (pre-existing warnings only, no new errors)
  • yarn webpack production build compiles successfully

- js-yaml ^4.1.1 -> ^4.2.0 (medium, alert #115)
- linkify-it 5.0.0 -> ^5.0.1 (high, alert #114)
- undici resolution ^6.24.0 -> ^6.27.0 (low/medium/high, alerts #110-113)
- tar ^7.5.11 -> ^7.5.16 (medium, alert #109)
- form-data 4.0.4 -> ^4.0.6 (high, alert #107)
- markdown-it 14.1.1 -> ^14.2.0 (medium, alert #106)
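The PR closes the alerts by forcing transitive versions through Yarn `resolutions` and reports what the lockfile ended up resolving to. The check a reviewer wants before trusting such a bump is that the regenerated `yarn.lock` actually carries a patched release for every spec of every alerted package, and that no alerted package is missing from `resolutions`. The script below is an added example, not code from the PR or the repository: it parses a `yarn.lock` (classic v1 `version "x"` layout and berry `version: x` layout, an assumption about the file format, not a full lockfile parser), compares each resolved version against the minimum patched versions taken from the alert table above, and lists alerted packages without a `resolutions` entry. The lockfile fragment and the `package.json` object are constructed for the example, with `linkify-it` deliberately left unpatched and unpinned so the audit reports something.

```javascript
"use strict";

// Minimum patched versions, taken from the PR's alert table.
const MIN_PATCHED = {
  "js-yaml": "4.2.0",
  "linkify-it": "5.0.1",
  undici: "6.27.0",
  tar: "7.5.16",
  "form-data": "4.0.6",
  "markdown-it": "14.2.0",
};

// Constructed yarn.lock fragment (classic v1 layout). linkify-it is left at
// 5.0.0 on purpose so the audit has a finding to report.
const SAMPLE_LOCK = `
"@vscode/vsce@^3.0.0":
  version "3.0.0"
  dependencies:
    form-data "^4.0.4"
    markdown-it "^14.1.1"

form-data@^4.0.4, form-data@^4.0.6:
  version "4.0.6"

js-yaml@^4.1.1, js-yaml@^4.2.0:
  version "4.3.0"

linkify-it@^5.0.0:
  version "5.0.0"

undici@^6.24.0, undici@^6.27.0:
  version "6.27.0"
`;

// Constructed package.json object with a resolutions block like the PR's;
// linkify-it is intentionally missing.
const SAMPLE_PACKAGE_JSON = {
  resolutions: {
    "js-yaml": "^4.2.0",
    undici: "^6.27.0",
    tar: "^7.5.16",
    "form-data": "^4.0.6",
    "markdown-it": "^14.2.0",
  },
};

// Parse a yarn.lock into [{ name, spec, version }], one record per requested
// spec. A header is a non-indented line ending in ":" (`pkg@^1.0.0, pkg@^1.1.0:`
// in v1, `"pkg@npm:^1.0.0":` in berry); the version follows as `version "x"`
// or `version: x`. Indented sub-blocks such as `dependencies:` are ignored.
function parseLockfile(text) {
  const records = [];
  let current = null;
  for (const raw of text.split("\n")) {
    const line = raw.replace(/\r$/, "");
    if (!line.trim() || line.trimStart().startsWith("#")) continue;
    if (!/^\s/.test(line) && line.endsWith(":")) {
      current = { version: null };
      const specs = line.slice(0, -1).split(",").map((s) => s.trim().replace(/^"|"$/g, ""));
      for (const spec of specs) {
        if (spec.startsWith("__")) continue; // berry `__metadata:` block, not a package
        const at = spec.lastIndexOf("@"); // last "@" so scoped names keep their "@scope/"
        records.push({ name: at > 0 ? spec.slice(0, at) : spec, spec, entry: current });
      }
      continue;
    }
    const m = /^\s+version:?\s+"?([^"\s]+)"?\s*$/.exec(line);
    if (m && current) current.version = m[1];
  }
  return records.map((r) => ({ name: r.name, spec: r.spec, version: r.entry.version }));
}

// Numeric comparison of release versions; a pre-release such as 7.5.16-rc.1
// sorts below its release. Returns <0, 0 or >0.
function compareVersions(a, b) {
  const [coreA, preA] = a.split("+")[0].split("-", 2);
  const [coreB, preB] = b.split("+")[0].split("-", 2);
  const pa = coreA.split(".").map(Number);
  const pb = coreB.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  if (preA && !preB) return -1;
  if (!preA && preB) return 1;
  return 0;
}

// Every lockfile record whose package has a minimum and resolved below it.
function auditLockfile(lockText, minimums) {
  const findings = [];
  for (const { name, spec, version } of parseLockfile(lockText)) {
    const required = minimums[name];
    if (!required || !version) continue;
    if (compareVersions(version, required) < 0) findings.push({ name, spec, version, required });
  }
  return findings;
}

// Alerted packages with no resolutions entry, i.e. nothing forces their
// transitive occurrences onto a patched release.
function unresolvedPackages(pkg, minimums) {
  const resolutions = pkg.resolutions || {};
  return Object.keys(minimums).filter((name) => !(name in resolutions)).sort();
}

// Run over the constructed inputs and print what a CI step would report.
for (const f of auditLockfile(SAMPLE_LOCK, MIN_PATCHED)) {
  console.log(`${f.spec} resolved to ${f.version}; alert fix requires >= ${f.required}`);
}
const unpinned = unresolvedPackages(SAMPLE_PACKAGE_JSON, MIN_PATCHED);
if (unpinned.length) console.log(`no resolutions entry for: ${unpinned.join(", ")}`);
```

Run against a real checkout by reading `yarn.lock` and `package.json` from disk in place of the constructed constants; a non-empty result from either function means the bump did not take effect for every occurrence of the package, which is exactly the case Dependabot keeps re-opening alerts for.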
Copilot AI review requested due to automatic review settings, July 2, 2026 13:36
jonathannorris requested a review from a team as a code owner, July 2, 2026 13:36
jonathannorris enabled auto-merge (squash), July 2, 2026 13:37

Copilot AI left a comment

Pull request overview

Resolves open Dependabot security alerts by upgrading vulnerable Node dependencies and forcing safe transitive versions via Yarn resolutions, keeping the extension’s dependency tree on patched releases.

Changes:

  • Bumped direct dependencies: js-yaml to ^4.2.0 and tar to ^7.5.16.
  • Updated/added Yarn resolutions to enforce patched versions for undici, linkify-it, form-data, and markdown-it.
  • Regenerated yarn.lock to reflect the updated/pinned dependency graph.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

| File | Description |
|---|---|
| package.json | Updates direct dependencies and adds/updates resolutions to force patched versions for vulnerable transitive deps. |
| yarn.lock | Locks the dependency tree to the resolved patched versions (e.g., undici@6.27.0, tar@7.5.19, js-yaml@4.3.0). |
