Skip to content

fix: resolve open dependabot security alerts#22

Open
jonathannorris wants to merge 2 commits intomainfrom
fix/dependabot-alerts-new
Open

fix: resolve open dependabot security alerts#22
jonathannorris wants to merge 2 commits intomainfrom
fix/dependabot-alerts-new

Conversation

@jonathannorris
Copy link
Copy Markdown
Member

@jonathannorris jonathannorris commented Apr 22, 2026

Summary

Resolved 3 open Dependabot security alerts by bumping vulnerable transitive dependencies via npm overrides.

Dependabot Alerts Resolved

Alert Package Severity Fix
#113 picomatch medium Pinned to 4.0.4 via npm overrides
#111 lodash high Pinned to 4.18.1 via npm overrides
#110 lodash medium Pinned to 4.18.1 via npm overrides

@jonathannorris
fix: resolve open dependabot security alerts
3e79c36 
- picomatch -> 4.0.4 via npm overrides (medium, alert #113)
- lodash -> 4.18.1 via npm overrides (high/medium, alerts #111, #110)
Copilot AI review requested due to automatic review settings April 22, 2026 20:03
@jonathannorris jonathannorris requested a review from a team as a code owner April 22, 2026 20:03
Copilot AI reviewed Apr 22, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR resolves open Dependabot alerts by forcing patched transitive dependency versions via npm overrides and updating the lockfile accordingly.

Changes:

  • Pin picomatch to 4.0.4 via overrides.
  • Pin lodash to 4.18.1 via overrides.
  • Regenerate package-lock.json to reflect the overridden dependency graph (including updated integrity/engines metadata).

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File Description
package.json Adds/updates overrides to force patched versions of vulnerable transitive dependencies.
package-lock.json Updates resolved versions and metadata for lodash/picomatch and dependents after applying overrides.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread package.json Outdated
@jonathannorris
fix: downgrade picomatch override from 4.0.4 to ^2.3.2
a2d6b88 
picomatch 4.x is a major version jump that can break micromatch which
expects the v2 API. The CVE is fixed in 2.3.2, so stay within v2.
@jonathannorris jonathannorris enabled auto-merge (squash) April 23, 2026 17:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jonathannorris