
chore: resolve open dependabot security alerts #25

Status: Open
jonathannorris wants to merge 1 commit into `main` from `chore/dependabot-alerts`

Conversation

@jonathannorris (Member)

Summary

  • Resolved 6 open Dependabot security alerts by upgrading npm (via override) to 11.18.0, which bundles patched versions of all affected transitive dependencies

Dependabot Alerts Resolved

| Alert | Package | Severity | Fix |
|-------|---------|----------|-----|
| #118 | tar | medium | Bundled via npm@11.18.0 (7.5.13 -> 7.5.19) |
| #120 | undici | medium | Bundled via npm@11.18.0 (6.25.0 -> 6.27.0) |
| #121 | undici | low | Bundled via npm@11.18.0 (6.25.0 -> 6.27.0) |
| #122 | undici | low | Bundled via npm@11.18.0 (6.25.0 -> 6.27.0) |
| #124 | @sigstore/core | medium | Bundled via npm@11.18.0 (3.2.0 -> 3.2.1) |
| #125 | @sigstore/verify | medium | Bundled via npm@11.18.0 (3.1.0 -> 3.1.1) |

Notes

All 6 vulnerable packages were bundled inside npm@11.14.1 (which is a dependency of @semantic-release/npm@13.1.5). Standard overrides entries cannot reach into npm's bundled dependencies. Overriding npm itself to 11.18.0 causes npm to install a newer version of itself with all the patched bundled packages.

- npm 11.14.1 -> 11.18.0 (override) to pull in patched bundled deps
- @sigstore/core 3.2.0 -> 3.2.1 (medium, alert #124)
- @sigstore/verify 3.1.0 -> 3.1.1 (medium, alert #125)
- undici 6.25.0 -> 6.27.0 (low/medium, alerts #120, #121, #122)
- tar 7.5.13 -> 7.5.19 (medium, alert #118)
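Because `overrides` cannot reach npm's bundled dependencies, the only direct evidence that the override on npm itself resolved the alerts is the `package.json` of each copy shipped under `node_modules/npm/node_modules/`. The following check is an added example, not code from this pull request or project; it assumes a project root where `npm install` has already run, and takes its minimum versions from the PR description above.

```python
import json
from pathlib import Path

# Minimum patched versions named in the PR description (assumed as the target).
MIN_VERSIONS = {
    "tar": "7.5.19",
    "undici": "6.27.0",
    "@sigstore/core": "3.2.1",
    "@sigstore/verify": "3.1.1",
}


def parse_version(version):
    """Turn '7.5.19' into (7, 5, 19); a pre-release suffix such as '-rc.1' is dropped."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def bundled_version(root, package):
    """Version of a package bundled inside npm's own node_modules, or None if absent.

    Scoped names like '@sigstore/core' map to '@sigstore/core/package.json'.
    """
    manifest = Path(root) / "node_modules" / "npm" / "node_modules" / package / "package.json"
    if not manifest.is_file():
        return None
    return json.loads(manifest.read_text())["version"]


def check_bundled(root, minimums=MIN_VERSIONS):
    """Return {package: (found_version, meets_minimum)} for every package in minimums.

    A missing bundled copy counts as a failure, since the alert would then be
    unverifiable from the installed tree.
    """
    results = {}
    for package, minimum in minimums.items():
        found = bundled_version(root, package)
        ok = found is not None and parse_version(found) >= parse_version(minimum)
        results[package] = (found, ok)
    return results


if __name__ == "__main__":
    import sys

    report = check_bundled(sys.argv[1] if len(sys.argv) > 1 else ".")
    for package, (found, ok) in report.items():
        print(f"{'OK ' if ok else 'BAD'} {package}: bundled {found}")
    sys.exit(0 if all(ok for _, ok in report.values()) else 1)
```

Run it as `python check_bundled.py path/to/project` after `npm ci`; a non-zero exit means at least one bundled copy is still below the version the PR claims.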
Copilot AI review requested due to automatic review settings, July 2, 2026 13:39
jonathannorris requested a review from a team as a code owner, July 2, 2026 13:39
jonathannorris enabled auto-merge (squash), July 2, 2026 13:40

Copilot AI left a comment


Pull request overview

This PR aims to resolve multiple Dependabot security alerts by upgrading npm (via overrides) so that patched versions of vulnerable transitive/bundled dependencies are installed.

Changes:

  • Updated overrides to force npm@11.18.0 (to pick up patched bundled dependencies).
  • Added additional overrides for affected packages (@sigstore/*, undici, tar) and updated package-lock.json accordingly.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

| File | Description |
|------|-------------|
| package.json | Adds/updates overrides to pin npm and related vulnerable transitive dependencies. |
| package-lock.json | Reflects the updated npm version and associated bundled/transitive dependency updates. |


Comment thread package.json
Comment on lines +43 to +47
"npm": "11.18.0",
"@sigstore/verify": "3.1.1",
"@sigstore/core": "3.2.1",
"undici": "6.27.0",
"tar": "7.5.16"
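Review bot: the `"tar": "7.5.16"` override on the last quoted line does not match the PR description, which states alert #118 is resolved by tar 7.5.19 bundled via npm@11.18.0; align the override with 7.5.19 (or drop it) so package.json does not record a version that still falls short of the stated fix. As the description itself notes, overrides cannot reach npm's bundled copies, so the four package entries here only affect any non-bundled copies of these packages; confirm with `npm ls tar undici @sigstore/core @sigstore/verify` that nothing else in the tree still resolves to an older version, and note that the exact pins will hold back future patch releases of these packages until someone edits them again.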