chore: resolve open dependabot security alerts #980

Open
jonathannorris wants to merge 2 commits into main from chore/dependabot-alerts-4

Conversation

@jonathannorris (Member)

Summary

  • Resolved 13 open Dependabot security alerts by adding yarn resolutions for vulnerable transitive dependencies

Dependabot Alerts Resolved

| Alert | Package | Severity | Fix |
| --- | --- | --- | --- |
| #206 | ws | high | Pinned ws@^7.3.1 to ^7.5.11 via resolution |
| #211 | form-data | high | Pinned to ^4.0.6 via resolution |
| #218 | http-proxy-middleware | medium | Pinned to ^2.0.10 via resolution |
| #219 | webpack-dev-server | medium | Pinned to ^5.2.5 via resolution |
| #220 | js-yaml | medium | Pinned to ^4.2.0 via resolution (resolved 4.3.0) |
| #210 | tar | medium | Pinned to ^7.5.16 via resolution (resolved 7.5.19) |
| #209 | launch-editor | medium | Pinned to ^2.14.1 via resolution |
| #214 | dompurify | medium | Pinned to ^3.4.11 via resolution (resolves #212, #214, #215, #216, #217) |
| #212 | dompurify | medium | (covered by dompurify resolution above) |
| #217 | dompurify | medium | (covered by dompurify resolution above) |
| #215 | dompurify | low | (covered by dompurify resolution above) |
| #216 | dompurify | low | (covered by dompurify resolution above) |
| #207 | @babel/core | low | Pinned to ^7.29.6 via resolution (resolved 7.29.7) |

- js-yaml 4.1.0 -> 4.3.0 (medium, alert #220)
- webpack-dev-server 5.2.4 -> 5.2.5 (medium, alert #219)
- http-proxy-middleware 2.0.9 -> 2.0.10 (medium, alert #218)
- dompurify 3.4.6 -> 3.4.11 (medium/low, alerts #217, #216, #215, #214, #212)
- form-data 4.0.5 -> 4.0.6 (high, alert #211)
- tar 7.5.11 -> 7.5.19 (medium, alert #210)
- launch-editor 2.13.1 -> 2.14.1 (medium, alert #209)
- @babel/core 7.28.3 -> 7.29.7 (low, alert #207)
- ws 7.5.10 -> 7.5.11 (high, alert #206)
Copilot AI review requested due to automatic review settings July 2, 2026 13:35
cloudflare-workers-and-pages (bot) commented Jul 2, 2026


Deploying devcycle-docs with Cloudflare Pages

Latest commit: 04a5e5f
Status: ✅ Deploy successful!
Preview URL: https://5e08cae9.devcycle-docs.pages.dev
Branch Preview URL: https://chore-dependabot-alerts-4.devcycle-docs.pages.dev

Copilot AI (Contributor) left a comment

Pull request overview

Resolves multiple Dependabot security alerts in the docs site by pinning/overriding vulnerable transitive Node dependencies via Yarn resolutions and regenerating the lockfile accordingly.

Changes:

  • Added/expanded package.json resolutions entries to force patched versions of vulnerable transitive dependencies (e.g., ws, js-yaml, dompurify, tar, @babel/core, webpack-dev-server).
  • Updated yarn.lock to reflect the new resolved dependency graph and versions.
  • Ignored local .worktrees/ directories in .gitignore.

Reviewed changes

Copilot reviewed 1 out of 3 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| package.json | Adds Yarn resolutions to pin patched versions for transitive-vulnerability remediation. |
| yarn.lock | Regenerated lockfile reflecting the new resolution pins and updated transitive packages. |
| .gitignore | Adds .worktrees/ to prevent committing local worktree artifacts. |

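Both the PR description and the review above describe the same remediation: `resolutions` entries in package.json force patched versions of vulnerable transitive packages, and yarn.lock is regenerated so the pins take effect. The check a reviewer wants after such a change is that every pin actually landed in the lockfile, with no copy of the package left at an old version. The Node script below is an added example and is not code from this PR or from the devcycle-docs project; it assumes the classic (v1) yarn.lock format, and the package.json and yarn.lock it reads are constructed sample data modelled on the alerts listed above, not the real files.

```javascript
// Added example (not part of the PR or the devcycle-docs project): verify that
// the "resolutions" pins in package.json actually took effect in yarn.lock.
// Assumes the classic (v1) yarn.lock format. All sample data below is
// constructed, not the real package.json / yarn.lock.

// Parse a classic yarn.lock into [{ specs: ["ws@^7.3.1", ...], version: "7.5.11" }].
function parseYarnLockV1(text) {
  const entries = [];
  let current = null;
  for (const line of text.split(/\r?\n/)) {
    if (!line.trim() || line.startsWith("#")) continue;
    if (!line.startsWith(" ") && line.endsWith(":")) {
      // Entry header: comma-separated "name@range" specs, each optionally quoted.
      const specs = line.slice(0, -1).split(",").map((s) => s.trim().replace(/^"|"$/g, ""));
      current = { specs, version: null };
      entries.push(current);
    } else if (current) {
      const m = /^\s+version\s+"?([^"\s]+)"?\s*$/.exec(line);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// "ws@^7.3.1" -> "ws"; "@babel/core@^7.28.0" -> "@babel/core".
function packageNameFromSpec(spec) {
  const at = spec.lastIndexOf("@");
  return at > 0 ? spec.slice(0, at) : spec;
}

// Resolution keys may carry a glob prefix ("**/ws") and/or a range suffix
// ("ws@^7.3.1"); scoped packages keep their "@scope/" part.
function packageNameFromResolutionKey(key) {
  const parts = key.split("/");
  const last = packageNameFromSpec(parts[parts.length - 1]);
  const prev = parts[parts.length - 2];
  return prev && prev.startsWith("@") ? `${prev}/${last}` : last;
}

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Subset of semver range syntax: exact versions and ^ (caret) ranges.
function satisfies(version, range) {
  const v = parseVersion(version);
  const base = parseVersion(range.replace(/^\^/, ""));
  if (!range.startsWith("^")) return compareVersions(v, base) === 0;
  // ^X.Y.Z allows >=X.Y.Z <(X+1).0.0; for X=0 the minor (or patch) is the ceiling.
  const hi = base[0] > 0 ? [base[0] + 1, 0, 0] : base[1] > 0 ? [0, base[1] + 1, 0] : [0, 0, base[2] + 1];
  return compareVersions(v, base) >= 0 && compareVersions(v, hi) < 0;
}

// For each resolution, report every lockfile version of that package.
// Deliberately stricter than Yarn itself: a resolution scoped to one range
// ("ws@^7.3.1") still flags any other ws entry left at an old version, since a
// leftover old copy is exactly what a reviewer of this kind of PR wants to see.
function checkResolutions(packageJson, lockText) {
  const entries = parseYarnLockV1(lockText);
  return Object.entries(packageJson.resolutions || {}).map(([key, range]) => {
    const name = packageNameFromResolutionKey(key);
    const versions = entries
      .filter((e) => e.specs.some((s) => packageNameFromSpec(s) === name))
      .map((e) => e.version);
    const status =
      versions.length === 0 ? "stale" : versions.every((v) => satisfies(v, range)) ? "ok" : "violated";
    return { key, name, range, versions, status };
  });
}

// Constructed sample data: three pins that landed, one stale pin, one that did not.
const samplePackageJson = {
  resolutions: { "ws@^7.3.1": "^7.5.11", "@babel/core": "^7.29.6", tar: "^7.5.16", dompurify: "^3.4.11" },
};

const sampleYarnLock = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@babel/core@^7.28.0", "@babel/core@^7.29.6":
  version "7.29.7"
  resolved "https://registry.yarnpkg.com/@babel/core/-/core-7.29.7.tgz"

tar@^6.1.11:
  version "6.2.1"

tar@^7.5.16:
  version "7.5.19"

ws@^7.3.1, ws@^7.5.11:
  version "7.5.11"
`;

const report = checkResolutions(samplePackageJson, sampleYarnLock);
for (const f of report) {
  console.log(`${f.status.padEnd(8)} ${f.key.padEnd(14)} wants ${f.range.padEnd(8)} lockfile has ${f.versions.join(", ") || "(none)"}`);
}
```

Run it against the real files by replacing the two constants with `JSON.parse(fs.readFileSync("package.json"))` and `fs.readFileSync("yarn.lock", "utf8")`; a `violated` row means the lockfile was not regenerated after the pin was added, and a `stale` row means the pinned package no longer appears in the graph and the resolution can be dropped.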


2 participants