chore: resolve open dependabot security alerts #578

Open

jonathannorris wants to merge 1 commit into main from chore/dependabot-alerts

Conversation

@jonathannorris (Member)

Summary

Resolved 17 open Dependabot security alerts by bumping vulnerable dependencies via resolutions/overrides and direct dependency updates.

Dependabot Alerts Resolved

| Alert | Package | Severity | Fix |
|---|---|---|---|
| #251, #254 | undici | high | Bumped resolution ^7.24.0 -> ^7.28.0 |
| #252, #256 | undici | medium | Bumped resolution ^7.24.0 -> ^7.28.0 |
| #255, #258 | undici | low | Bumped resolution ^7.24.0 -> ^7.28.0 |
| #257 | undici | high | Bumped resolution ^7.24.0 -> ^7.28.0 |
| #259 | tar | medium | Bumped resolution ^7.5.11 -> ^7.5.16 |
| #248 | hono | high | Bumped resolution ^4.12.18 -> ^4.12.25 |
| #246, #247, #249, #250 | hono | medium | Bumped resolution ^4.12.18 -> ^4.12.25 |
| #253 | form-data | high | Added resolution ^4.0.5 -> ^4.0.6 |
| #262 | js-yaml | medium | Added resolutions for ^3.x ranges -> ^3.15.0 |
| #261 | @babel/core | low | Bumped direct dep ^7.28.0 -> ^7.29.6 |
| #243 | esbuild | low | Added resolution 0.27.3 -> ^0.28.1 |

Note: Alert #263 (sigstore) was already resolved — yarn.lock shows sigstore@^4.0.0 locked at 4.1.1 (the patched version).

- undici ^7.24.0 -> ^7.28.0 (high/medium/low, alerts #251-#258)
- tar ^7.5.11 -> ^7.5.16 (medium, alert #259)
- hono ^4.12.18 -> ^4.12.25 (high/medium, alerts #246-#250)
- js-yaml 3.14.1 -> 3.15.0 via resolution (medium, alert #262)
- @babel/core ^7.28.0 -> ^7.29.6 (low, alert #261)
- form-data 4.0.5 -> 4.0.6 via resolution (high, alert #253)
- esbuild 0.27.3 -> 0.28.1 via resolution (low, alert #243)
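A Yarn `resolutions` entry only fixes an alert if every copy of the package in the lockfile actually lands on or above the patched floor; a stale entry left behind from an incomplete regeneration keeps the vulnerable code in the tree. The script below is an added example, not code from PR #578 or from the devcycle-mcp-server project: it parses a constructed yarn.lock fragment (Yarn classic layout, with Yarn berry's `version:` form also tolerated), takes the floors from a constructed `resolutions` object that mirrors the table above, and reports any locked version below its floor.

```javascript
// Added example (not part of PR #578): verify that every package pinned in a Yarn
// lockfile satisfies the minimum version demanded by package.json "resolutions".
// All inputs below are constructed sample data so the check runs offline.

// Constructed sample "resolutions" block; floors mirror the PR's table.
const SAMPLE_RESOLUTIONS = {
  undici: "^7.28.0",
  tar: "^7.5.16",
  hono: "^4.12.25",
  "form-data": "^4.0.6",
  "js-yaml": "^3.15.0",
  esbuild: "^0.28.1",
};

// Constructed sample yarn.lock fragment (Yarn classic v1 layout). The second
// undici entry is deliberately left on an old version so the check has a finding.
const SAMPLE_LOCKFILE = `
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1

"@babel/core@^7.29.6":
  version "7.29.7"
  resolved "https://registry.example/@babel/core/-/core-7.29.7.tgz"

undici@^7.24.0, undici@^7.28.0:
  version "7.28.0"
  resolved "https://registry.example/undici/-/undici-7.28.0.tgz"

undici@^5.28.0:
  version "5.28.4"
  resolved "https://registry.example/undici/-/undici-5.28.4.tgz"

tar@^7.5.16:
  version "7.5.16"

hono@^4.12.25:
  version "4.12.25"

form-data@^4.0.6:
  version "4.0.6"

js-yaml@^3.15.0:
  version "3.15.0"

esbuild@^0.28.1:
  version "0.28.1"
`;

// Parse a Yarn lockfile into one { name, version } record per entry block.
function parseLockfile(text) {
  const entries = [];
  let current = null;
  for (const line of text.split("\n")) {
    if (line.trim() === "" || line.startsWith("#")) continue;
    if (!line.startsWith(" ")) {
      // Header line holds one or more descriptors, e.g. `undici@^7.24.0, undici@^7.28.0:`
      // (Yarn berry wraps the whole header in quotes and prefixes ranges with `npm:`).
      const header = line.replace(/:\s*$/, "");
      const first = header.split(",")[0].trim().replace(/^"|"$/g, "");
      // The package name is everything before the last "@"; scoped names keep their own.
      const name = first.slice(0, first.lastIndexOf("@"));
      current = { name, version: null };
      entries.push(current);
      continue;
    }
    // Yarn classic: `  version "7.28.0"`; Yarn berry: `  version: 7.28.0`
    const m = line.match(/^\s+version:?\s+"?([^"\s]+)"?/);
    if (m && current) current.version = m[1];
  }
  return entries;
}

// Compare two dotted versions numerically; returns -1, 0 or 1. Pre-release
// suffixes are ignored, which is adequate for a floor check on release versions.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// A resolution such as "^7.28.0" demands at least 7.28.0; only the floor matters here.
function floorOf(range) {
  return range.replace(/^[\^~>=\s]+/, "");
}

// Return every lockfile entry whose package has a resolution floor and whose
// locked version is below it. An empty array means the tree honours all floors.
function findStaleEntries(lockfileText, resolutions) {
  const stale = [];
  for (const { name, version } of parseLockfile(lockfileText)) {
    const range = resolutions[name];
    if (!range || !version) continue;
    const floor = floorOf(range);
    if (compareVersions(version, floor) < 0) {
      stale.push({ name, locked: version, required: floor });
    }
  }
  return stale;
}

// Stand-alone run against the constructed sample.
const staleEntries = findStaleEntries(SAMPLE_LOCKFILE, SAMPLE_RESOLUTIONS);
for (const s of staleEntries) {
  console.log(`${s.name}: locked at ${s.locked}, resolution requires >= ${s.required}`);
}
```

Against a real checkout, read `yarn.lock` and the `resolutions` field of `package.json` from disk in place of the constructed samples; a non-empty result is the signal to rerun `yarn install` and confirm the lockfile was actually regenerated before trusting the alert as closed.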
@jonathannorris jonathannorris requested a review from a team as a code owner July 2, 2026 13:41
Copilot AI review requested due to automatic review settings July 2, 2026 13:41
@jonathannorris jonathannorris enabled auto-merge (squash) July 2, 2026 13:41

Copilot AI left a comment


Pull request overview

This PR resolves multiple open Dependabot security alerts by updating vulnerable packages and enforcing patched versions via Yarn resolutions, keeping the CLI’s dependency tree on non-vulnerable versions without changing application logic.

Changes:

  • Bumped @babel/core to ^7.29.6 (and lockfile to 7.29.7).
  • Updated security-sensitive dependencies via resolutions (notably undici, tar, hono, plus added overrides for js-yaml, form-data, and esbuild).
  • Regenerated yarn.lock to reflect the new resolved versions.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

| File | Description |
|---|---|
| package.json | Updates @babel/core and adjusts/adds Yarn resolutions to force patched dependency versions. |
| yarn.lock | Updates the lockfile to reflect the new resolved dependency graph (Babel, esbuild, undici, tar, hono, js-yaml, form-data, etc.). |


@cloudflare-workers-and-pages Bot commented Jul 2, 2026

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ✅ Deployment successful! (View logs) | devcycle-mcp-server | 1cd1fae | Jul 02 2026, 02:00 PM |
