fix remaining Dependabot security alerts#2923
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
🛡️ AI Review — Skeptic (security review)VERDICT: SAFE VERY HIGH account-age scrutiny, mitigated by repository admin permission and substantive merged contributions; author/committer match, no known Gittensor association; codex/process-dependabot-alerts → staging. Static analysis found the manifest resolutions and lockfile changes consistent with the stated dependency-security upgrades. The PR modifies no runtime logic, workflows, trusted AI-review instructions, or Copilot instructions. FindingsNo findings. ConclusionThe narrowly scoped dependency updates show no malicious behavior or introduced security vulnerability. 🔍 AI Review — Auditor (domain review)VERDICT: 👍 Gittensor association UNKNOWN; despite the account’s recent creation, the author is a repository admin with substantial subtensor contributions. The manifest resolutions and lockfiles consistently select the stated patched releases. No runtime logic is changed, and This PR is the better candidate than overlapping Dependabot PRs #2921 and #2922 because it consolidates both ecosystems, covers additional vulnerable packages, and documents broader validation. Recommend closing #2921 and #2922; the other lockfile overlaps are incidental to unrelated work. FindingsNo findings. ConclusionThe dependency remediation is coherent, narrowly scoped, and adequately validated. No blocking correctness, compatibility, or repository-policy issue was found. |
|
🔄 AI review updated — Skeptic: SAFE Auditor: 👍 |
|
🔄 AI review updated — Skeptic: SAFE Auditor: 👍 |
|
Landed in staging via #2927 (cherry-picked, one squashed commit per PR). |
Co-authored-by: Cursor <cursoragent@cursor.com>
Summary
svgo,minimatch,js-yaml,postcss,@babel/runtime, andprismjsto patched releasestracing-subscriberandrpasswordto patched Rust releasesWhy
Dependabot previously opened separate pull requests per dependency and accumulated duplicate or non-reachable alerts. This PR processes the remaining actionable alerts as one reviewed change. The constrained Hickory alert is handled separately as documented tolerable risk because its fixed major/minor line is blocked by the pinned Polkadot SDK dependency graph.
Validation
yarn install --immutableyarn turbo run build --filter=@raofoundation/bittensor-website(TypeScript and all 1,884 static pages)SKIP_WASM_BUILD=1 cargo check -p node-subtensor --lockedSKIP_WASM_BUILD=1 cargo test -p pallet-subtensor --no-run --lockedgit diff --checkThe unskipped local node check reached the runtime WASM build and stopped because the installed Apple clang has no
wasm32-unknown-unknownbackend; CI should perform that platform-specific build.