Skip to content

fix remaining Dependabot security alerts#2923

Closed
UnArbosFive wants to merge 1 commit into
stagingfrom
codex/process-dependabot-alerts
Closed

fix remaining Dependabot security alerts#2923
UnArbosFive wants to merge 1 commit into
stagingfrom
codex/process-dependabot-alerts

Conversation

@UnArbosFive

Copy link
Copy Markdown
Contributor

Summary

Why

Dependabot previously opened separate pull requests per dependency and accumulated duplicate or non-reachable alerts. This PR processes the remaining actionable alerts as one reviewed change. The constrained Hickory alert is handled separately as documented tolerable risk because its fixed major/minor line is blocked by the pinned Polkadot SDK dependency graph.

Validation

  • yarn install --immutable
  • yarn turbo run build --filter=@raofoundation/bittensor-website (TypeScript and all 1,884 static pages)
  • SKIP_WASM_BUILD=1 cargo check -p node-subtensor --locked
  • SKIP_WASM_BUILD=1 cargo test -p pallet-subtensor --no-run --locked
  • git diff --check
  • local Skeptic security review: SAFE

The unskipped local node check reached the runtime WASM build and stopped because the installed Apple clang has no wasm32-unknown-unknown backend; CI should perform that platform-specific build.

@vercel

vercel Bot commented Jul 15, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
subtensor Ready Ready Preview, Comment Jul 15, 2026 7:48pm

Request Review

@github-actions

github-actions Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

🛡️ AI Review — Skeptic (security review)

VERDICT: SAFE

VERY HIGH account-age scrutiny, mitigated by repository admin permission and substantive merged contributions; author/committer match, no known Gittensor association; codex/process-dependabot-alerts → staging.

Static analysis found the manifest resolutions and lockfile changes consistent with the stated dependency-security upgrades. The PR modifies no runtime logic, workflows, trusted AI-review instructions, or Copilot instructions.

Findings

No findings.

Conclusion

The narrowly scoped dependency updates show no malicious behavior or introduced security vulnerability.


🔍 AI Review — Auditor (domain review)

VERDICT: 👍

Gittensor association UNKNOWN; despite the account’s recent creation, the author is a repository admin with substantial subtensor contributions.

The manifest resolutions and lockfiles consistently select the stated patched releases. No runtime logic is changed, and staging has no spec-version check.

This PR is the better candidate than overlapping Dependabot PRs #2921 and #2922 because it consolidates both ecosystems, covers additional vulnerable packages, and documents broader validation. Recommend closing #2921 and #2922; the other lockfile overlaps are incidental to unrelated work.

Findings

No findings.

Conclusion

The dependency remediation is coherent, narrowly scoped, and adequately validated. No blocking correctness, compatibility, or repository-policy issue was found.

@github-actions

Copy link
Copy Markdown
Contributor

🔄 AI review updated — Skeptic: SAFE Auditor: 👍

@UnArbosFive
UnArbosFive marked this pull request as ready for review July 16, 2026 12:26
@github-actions

Copy link
Copy Markdown
Contributor

🔄 AI review updated — Skeptic: SAFE Auditor: 👍

@unarbos

unarbos commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Landed in staging via #2927 (cherry-picked, one squashed commit per PR).

@unarbos unarbos closed this Jul 16, 2026
@unarbos
unarbos deleted the codex/process-dependabot-alerts branch July 16, 2026 14:46
loom-agent pushed a commit to loom-agent/subtensor that referenced this pull request Jul 16, 2026
Co-authored-by: Cursor <cursoragent@cursor.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants