Skip to content

fix: resolve open dependabot security alerts#974

Open
jonathannorris wants to merge 4 commits intomainfrom
fix/dependabot-alerts
Open

fix: resolve open dependabot security alerts#974
jonathannorris wants to merge 4 commits intomainfrom
fix/dependabot-alerts

Conversation

@jonathannorris
Copy link
Copy Markdown
Member

@jonathannorris jonathannorris commented Apr 22, 2026

Summary

Resolved 3 open Dependabot security alerts by bumping vulnerable transitive dependencies via yarn resolutions.

Dependabot Alerts Resolved

Alert Package Severity Fix
#174 dompurify medium Pinned to 3.4.0 via yarn resolution
#175 dompurify medium Pinned to 3.4.0 via yarn resolution
#173 follow-redirects medium Pinned to 1.16.0 via yarn resolution

@jonathannorris
fix: resolve open dependabot security alerts
9ac7aa5 
- dompurify -> 3.4.0 via resolution (medium, alerts #174, #175)
- follow-redirects -> 1.16.0 via resolution (medium, alert #173)
Copilot AI review requested due to automatic review settings April 22, 2026 20:06
Copilot AI reviewed Apr 22, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Resolves Dependabot security alerts by forcing patched versions of vulnerable transitive dependencies using Yarn resolutions.

Changes:

  • Add Yarn resolutions to pin dompurify to 3.4.0 and follow-redirects to 1.16.0.
  • Regenerate yarn.lock to reflect the new resolved versions.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File Description
package.json Adds/updates resolutions entries to force patched dependency versions.
yarn.lock Updates locked versions/checksums for dompurify and follow-redirects based on the new resolutions.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@cloudflare-workers-and-pages
Copy link
Copy Markdown

cloudflare-workers-and-pages Bot commented Apr 22, 2026
edited
Loading

Deploying devcycle-docs with  Cloudflare Pages  Cloudflare Pages

Latest commit: 940fab5
Status: ✅  Deploy successful!
Preview URL: https://baf1ef9d.devcycle-docs.pages.dev
Branch Preview URL: https://fix-dependabot-alerts-c2en.devcycle-docs.pages.dev

View logs

@jonathannorris
fix: add uuid 14.0.0 resolution to address remaining dependabot alert #…
97b23a6 
…178
@jonathannorris
fix: use ^ range style for uuid resolution
9a6ef58 
Match the version range style used by parent packages per dependency
resolution best practices.
Copilot AI review requested due to automatic review settings April 23, 2026 14:58
Copilot AI reviewed Apr 23, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread package.json Outdated
Comment on lines +94 to +96
"dompurify": "3.4.0",
"follow-redirects": "1.16.0",
"uuid": "^14.0.0"
Copy link

Copilot AI Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The PR description says only dompurify and follow-redirects are being pinned to resolve 3 Dependabot alerts, but this change also forces uuid to ^14.0.0 via resolutions (a major-version jump from the previously locked 8.3.2). That can be breaking for transitive consumers (e.g., sockjs in the current lockfile depends on uuid@^8.3.2). Please either remove this override or document/justify it and pin to the minimal non-vulnerable version that is compatible with downstream constraints.

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jonathannorris